Oh?
"admins will need to separate <sensitive data type> "
"used to protect <sensitive data type>"
"and ensu[r]ing <sensitive data type> "
Is there something they are not telling us?
The world's payment card producers have released the latest guidelines to help interested businesses to protect payment data. Version 1.1 of the PCI Card Production Security Requirements (pdf) modifies and introduces features for physical and logical security, advising on everything from printing PINs to guarding vaults. The …
No, quite the opposite, they will even supply you the key according to one of today's articles.
There aren't many that would have one in the HSA; if they do, they can't use it for any perso data, and the wifi network must not have the ability to access any perso data / connect to any of the data prep or perso networks.
But I agree with your sentiment, wifi networks are bad, hence in our locations it's not allowed in or outside of the HSA.
But once it's open, people can normally slip in or out as long as the door is open. No, what they demand is that the only way the fire door can open is by closing the way behind you first so that the ONLY direction one can go through the doorway is out. Normally this evokes images of airlocks, but you can also achieve this with the cylindrical doorways sometimes associated with darkrooms (to ensure no light enters as people pass through). Imagine a weight-based mechanical latch so that once engaged, the door can only be spun to the outside and stays in that position until the door is emptied, upon which it can be spun inside again from within the building.
One of the changes that are in 1.1 is moving the perso DMZ servers into the HSA. Last year we had an NC for having our DMZ servers in the HSA, which I could understand, but it was put in there as it was a very small location and planned to be moved out. But moving the DMZ servers into the HSA to physically secure them does not improve security. Those servers should be considered exposed and likely to be compromised; no data should ever be decrypted on them, and having physical access shouldn't be able to compromise any data on them, as all data should be encrypted at all times until required in the HSA.
Requiring the DMZ servers to be in the HSA in the way they state means no additional logical security. The firewall for that is in a lower security zone, as direct internet access isn't allowed in the HSA, but that means that a person with no HSA access can put internet access into the HSA by simply bypassing the firewall outside of the HSA. Because of this I can see a change in 1.2 stating that option 2 in the described firewall configs becomes the only way to do it: 2 firewalls, 1 inside and 1 outside for the DMZ, just like is required for the perso networks.
Again, this change is for the sake of change; the DMZ should be considered insecure / low security. What you can obtain there is the same you can obtain by rerouting all data going to those servers and logging it over the internet, so getting physical access does nothing for you. All data is pulled from or pushed to; data is encrypted and signed and validated before use in the HSA. You could get user credentials, but again this shouldn't, if following the rules, allow anything apart from access to the lower security zone, which the HSA isn't supposed to trust anyway.