for our PCI-DSS audit, the rational for at least -one- local source, instead of depending on pool.ntp.org, was "backhoe fade".
it was worth the $135 for an NTP source using GPS.  the cable run up the elevator shaft for the antenna works without needing OSHPD permits.

We are very happy with the result.

/Wm

On Wed, May 1, 2019 at 3:01 PM Andreas Ott <andreas@naund.org> wrote:
On Wed, May 01, 2019 at 02:35:58PM -0700, Harlan Stenn wrote:
> - Why do folks want to have one or more NTP server masters that have at
> least 1 refclock on them in a data center, instead of having their data
> center NTP server masters that only get time over the internet?

I had that discussion before with the QSA for a compliance audit, pointing
to requirement "10.4.3 Time settings are received from industry-accepted
time sources" and "verify that the time server(s) accept time updates from
specific, industry-accepted external sources (to prevent a malicious
individual from changing the clock)" in the PCI-DSS document. He
non-jokingly suggested "why don't you use pool.ntp.org?", not really
realizing how many servers are in fact just someone's PC behind a cable
modem in their home, which negated the "do I trust the time I am
receiving?". My immediate answer was "we could use NIST servers",
but the easiest way out of this is "we operate our own NTP appliance
with a GPS receiver" and provide that as evidence.

Don't get me wrong, I support pool.ntp.org by operating and contributing
servers to it, but it is not deemed good enough if you need traceability
of your NTP time source(s), even though the pool will only admit members
above a certain quality threshold.


> - What % of data center operators provide time servers in their data
> centers for their tenants (or for the general public)?

My $employer does that in our datacenters and points of presence for
our customers.

-andreas
--
Andreas Ott   K6OTT   +1.408.431.8727   andreas@naund.org