For our PCI-DSS audit, the rationale for at least -one- local source, instead of depending on pool.ntp.org, was "backhoe fade". It was worth the $135 for an NTP source using GPS. The cable run up the elevator shaft for the antenna works without needing OSHPD permits.
We are very happy with the result.

/Wm

On Wed, May 1, 2019 at 3:01 PM Andreas Ott <andr...@naund.org> wrote:
> On Wed, May 01, 2019 at 02:35:58PM -0700, Harlan Stenn wrote:
> > - Why do folks want to have one or more NTP server masters that have at
> > least 1 refclock on them in a data center, instead of having their data
> > center NTP server masters that only get time over the internet?
>
> I had that discussion before with the QSA for a compliance audit, pointing
> to requirement "10.4.3 Time settings are received from industry-accepted
> time sources" and "verify that the time server(s) accept time updates from
> specific, industry-accepted external sources (to prevent a malicious
> individual from changing the clock)" in the PCI-DSS document. He
> non-jokingly suggested "why don't you use pool.ntp.org?", not really
> realizing how many servers are in fact just someone's PC behind a cable
> modem in their home, which negated the "do I trust the time I am
> receiving?". My immediate answer was "we could use NIST servers",
> but the easiest way out of this is "we operate our own NTP appliance
> with a GPS receiver" and provide that as evidence.
>
> Don't get me wrong, I support pool.ntp.org by operating and contributing
> servers to it, but it is not deemed good enough if you need traceability
> of your NTP time source(s), even though the pool will only admit members
> above a certain quality threshold.
>
> > - What % of data center operators provide time servers in their data
> > centers for their tenants (or for the general public)?
>
> My $employer does that in our datacenters and points of presence for
> our customers.
>
> -andreas
> --
> Andreas Ott K6OTT +1.408.431.8727 andr...@naund.org
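The setup both posters describe (a local GPS refclock as the preferred, traceable source, with the public pool kept only as a fallback) looks roughly like the following in ntpd terms. This is an added example, not configuration from either poster or from the NTP project; the serial device, the NMEA driver unit and mode, the `time2` serial-offset fudge, the pool host names and the `restrict` lines are assumptions to be adapted to the site. The `gps_is_syspeer` helper parses `ntpq -pn` output and succeeds only when the peer ntpd has actually selected (tally `*`) is the GPS or PPS refclock, which is the kind of evidence an auditor would ask for alongside the config.

```shell
#!/bin/sh
# Added example (not from the thread): ntpd configuration that prefers a local
# GPS refclock and keeps pool.ntp.org only as a sanity check / fallback, plus
# a check that the GPS clock really is the selected system peer.
# Device, driver unit/mode, fudge values, pool names and restrict lines are
# assumptions for illustration.

NTP_CONF_EXAMPLE='
# NMEA GPS receiver on /dev/gps0: refclock driver 20, unit 0.
# mode 1 processes $GPRMC sentences; "prefer" makes ntpd favour this source.
# time2 is the assumed serial-line offset for this receiver (site-specific).
server 127.127.20.0 mode 1 minpoll 4 maxpoll 4 prefer
fudge  127.127.20.0 time2 0.5 refid GPS

# Public pool only as a cross-check and as fallback if the antenna feed dies.
pool 0.pool.ntp.org iburst
pool 1.pool.ntp.org iburst

# Serve time, but do not let remote clients modify or query the daemon.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
'

# gps_is_syspeer reads "ntpq -pn" output on stdin and exits 0 only if the
# selected system peer (line starting with the tally code "*") has a refid of
# .GPS. or .PPS.; any other selected source, or no selection at all, exits 1.
# The tally character is glued to the remote column, so $1 is "*127.127.20.0"
# and $2 is the refid.
gps_is_syspeer() {
    awk '
        /^\*/ { if ($2 == ".GPS." || $2 == ".PPS.") found = 1 }
        END   { exit(found ? 0 : 1) }
    '
}

# Usage on a live server:
#   ntpq -pn | gps_is_syspeer && echo "GPS refclock is the system peer"
```

The `*` tally is the one that matters for traceability: a GPS line that shows `x` (falseticker) or a blank tally means ntpd has discarded the refclock and is following the pool, which is exactly the situation the audit evidence is meant to rule out.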