What are meet-me rooms?
A meet-me room (MMR) is the area in a co-located data centre where communications service providers (CSPs) like telecoms companies physically connect one another’s data servers and exchange traffic. This happens each time mobile phone operators transfer calls/messages between different networks, for example.
Data centre operators should strictly limit the access to an MMR and you are therefore unlikely to be able to view security arrangements for yourself. It is important however that MMR security details and assurances be provided by data centres during tendering under an NDA.
Remember:
This guidance also applies to points of presence (PoP) and internet exchange points.
8 key considerations
Given the higher level of risk MMRs introduce, here are 8 key considerations to discuss with your data centre operators:
- Access control - Are CSPs, their contractors and data centre operator contractors escorted? Are passes worn and authorised access lists kept and reconciled with permit-to-work logs? How is work conducted within the MMR verified to ensure it matches any work-orders?
- Screening processes - The criteria the data centre operator uses for approving or rejecting MMR access.
- Intrusion detection, including CCTV - Are these monitored live by the data centre operators or is the responsibility that of the tenants themselves?
- Entry and exit searches - Are items such as mobile phones or other personal electronic devices prohibited or subject to a movement management policy? Are staff searched on entry and exit? Is equipment taken into the MMR consistent with the stated purpose of their entry?
- Types of rack - What assurances can you give regarding the security of racks you use?
- Rack locking - How does the data centre ensure that racks are always locked? Are the racks regularly inspected by the data centre provider? Are they vulnerable to master keys kept by your data centre?
- Anonymisation - Are racks sufficiently anonymised to prevent those with hostile intent from being able to identify where data is sent?
- Asset destruction - Is there a secure asset destruction process? Is it regularly audited to complement the searches conducted on exit? Does it help to reduce numerous risks including accidental loss, espionage, insider attack and theft?