10 Steps to Cloud Security: Step 8 — Evaluate security controls on physical infrastructure

(Originally published by author in May. 2018 in Peerlyst.com)

As we continue this series, we are going to look at the physical security of the cloud infrastructure. Physical security is important because you do not want someone to take server under his arm and walk away, after you have spent millions on securing your infrastructure.

But, to begin with, let us list down our 10 steps to cloud security as defined by Cloud Standards Customer Council.

1. Ensure effective governance, risk and compliance processes exist
2. Audit operational and business processes
3. Manage people, roles and identities
4. Ensure proper protection of data and information
5. Enforce privacy policies
6. Assess the security provisions for cloud applications
7. Ensure cloud networks and connections are secure
8. Evaluate security controls on physical infrastructure and facilities
9. Manage security terms in the cloud service agreement
10. Understand the security requirements of the exit process

Today, we are discussing step 8 — evaluating security controls on physical infrastructure and facilities.

Now, when you look from cloud customer perspective, there is not much he can do as physical infrastructure is owned and managed by cloud service provider (unless it is a private cloud residing on-premises). However, cloud customer should look into assurance and audits reports of CSP, like ISO 27001, SOC reports or CSA star certification.

For cloud service provider, physical and environmental controls are defined in every standard whether it is nist or ISO 27001 or CSA cloud control matrix. Out of all of them, let us look at some of the important controls for physical security:

1. Secured physical environment — Infrastructure and facilities should be prevented from unauthorized access. Entry to the facilities should be controlled so that only authorized persons have access to it. Even all the offices and rooms that are relevant for provisioning for cloud services should be protected.
2. Protection against external and environmental threats — Protection controls should be there against natural disasters and accidents like fire, flood, lightening, earthquakes, civil unrest etc.
3. Personnel working in secure areas — There should be detective and preventive controls to prevent malicious actions by any personnel who have access to secure areas
4. Securing supporting utilities such as electricity, gas, telecommunication and water — Availability is the top priority when providing cloud services. Therefore, adequate controls should be there to maintain redundancy of supporting utilities.
5. Equipment Security — Controls should be in place to prevent loss, theft, damage or comprise of assets
6. Securing cabling infrastructure — Controls are needed to protect power and telecommunication cables to prevent accidental or malicious damage.
7. Preventive equipment maintenance — There should be a regular maintenance activity for the equipment to prevent equipment failure.
8. Controlling removal of assets — Controls are required for removal of assets to avoid theft of valuable and sensitive assets.
9. Secure disposal and re-use of equipment — Controls are required specially for storage devices they may contain organizational data.
10. Backup, redundancy and continuity plans — CSP should have appropriate backup of data, redundancy of equipment and continuity plan for handling equipment failure situations

So, these are the top controls for physical security, however, there is one more thing which can be looked into when evaluating cloud service provider, and that is, datacenter tier on which infrastructure is hosted.

Uptime institute has defined four tiers of datacenter. Tier is a standardized methodology used to define the uptime of the datacenter. As the datacenter goes up the tier, it becomes more robust and less prone to failure.

Let’s look at those 4 tiers and what facilities it should have :

Tier 1 = Non-redundant capacity components (single uplink and servers).

Tier 2 = Tier 1 + Redundant capacity components.

Tier 3 = Tier 1 + Tier 2 + Dual-powered equipment and multiple uplinks.

Tier 4 = Tier 1 + Tier 2 + Tier 3 + all components are fully fault-tolerant including uplinks, storage, chillers, HVAC systems, servers etc. Everything is dual-powered.

So, this is all about physical aspect of cloud security. I would like to end this article with one of interesting experience in one of the recent compliance audits.

This was an audit for ISO 27001 compliance for a cloud customer. Many of you, who know about ISO 27001, there is a statement of applicability (SOA) which list all the controls applicable to the organization. Now, this client has excluded all the physical controls in the SOA because all their data and servers were residing in cloud.

It is true that you inherit physical security controls from CSP but that does not mean your local offices, desktops and other physical facilities will not come under scope when the scope of ISMS covers whole organization.

A small observation but very significant to understand shared security responsibility and the fact that you do not pass on the buck to cloud service provider when migrating to cloud.