What do armed guards, earthquake-resistant building designs and privacy laws have in common? They are all different layers of cloud security controls -- implemented with the goal of protecting public, private or hybrid cloud environments from cybercriminals, natural disasters and data leaks.
When it comes to securing the cloud, it's tempting to get engrossed entirely in the technical aspects, such as encryption techniques and security architecture. But, as explained in this video by expert Adam Gordon, author of The Official (ISC)2 Guide to the CCSP CBK, Second Edition, there are several other fronts where cloud resources need to be defended.
In particular, the security of the physical environment in which the infrastructure is housed -- i.e., the data center -- needs to be considered as part of your cloud security controls, Gordon explains. And, as with many aspects of security, it's a give and take between convenience and control. For example, having a cloud data center in a large city delivers several benefits, such as easy access to services and resources that keep the cloud operating smoothly. But housing your infrastructure in a densely populated area also heightens the risk of an intruder getting into the building. A remote area, on the other hand, presents the opposite set of benefits and challenges.
Gordon adds that it's important to use a multilayered approach for cloud security controls, but notes that every enterprise has unique needs.
"It could just mean you walk in the front door with a card key swipe and that's it," he says. Alternatively, he adds, "I've been approached at gunpoint at secure data centers by armed guards and have been told, specifically, 'You have a certain directive for being here … and you're not going to be able to walk around in the data center unless we're here to escort you.'"
View the above video to learn more about the broad spectrum of cloud security controls and considerations.
CCSP® is a registered mark of (ISC)².
The following is a full transcript of Adam Gordon's video.
Transcript - Multiple layers of cloud security controls mitigate risk
Design and plan security controls
Let's turn our attention away from the discussion of risk formally, as we've been doing in the prior conversations, and instead let's veer a little bit to the left, metaphorically, and talk about designing and planning cloud security controls. Now that we've thought through and understood some of the parameters of general physical design and the components that go into making up the cloud from the perspective of the data center and the infrastructure, and now that we've weighed and looked at and understood some of the risk associated with managing and operating the cloud broadly, it's time for us to talk about some of the control elements that could be brought to bear around security, and the security elements that we can use in order to effectively box the risk in and then be able to manipulate and control and understand how to manage it, so we can safely consume and use cloud-based services.
So we'll take a look at cloud security controls related to physical and environmental protection and system and communication-based protection: the idea of being able to implement physical controls, the idea of being able to implement environmental controls and protections, the ability to safeguard communication and data in transit with things like encryption, and virtualization system controls. So we'll be looking at things like isolation there, being able to use VLANs but also being able to make sure that we are managing the accessibility and/or the lack of accessibility to guest data in the multitenant environment, and things of that nature; management of identification, authentication and authorization in a cloud environment, in a cloud infrastructure; and audit mechanisms to consider when dealing with these kinds of topics.
Physical and environmental security
So when we think about physical and environmental protections, I want to make sure we're thinking about the fact that, you know, in the environment that we're building, the data center and the buildings, the surrounding environments and the areas around it, we have to make sure that those areas are thought about and protected, or at least that we're focused on them. We have to think about what we would call situational awareness. You know, if we site a data center in the middle of a busy urban city, in the middle of a busy urban area, and we don't have any ability to control the perimeter and the boundary of the external parts of the building with closed-circuit TV, with fences, perhaps with guard dogs and patrols, then people may be able to drive right up to the edge of the building, indeed right up to the building, without our knowledge until they actually get out of the car and interact with us.
And, you know, this may present as a security challenge for a lot of reasons. If we put that same data center in a remote location, in a rural area somewhere, out in the middle of a forest or up on a high mountain somewhere, we may not really have as many visitors. We may not have to worry about as many people coming to see us, because they may not know we're there, but we would have other physical and other environmental concerns to be aware of.
We may have weather-related issues. We may be so isolated that it may be hard for people to get resources to us in order to make sure that we continue to consume services and use them within the data center effectively, things like fuel to run our generators and things of that nature. So we have to be thinking about and understand where we're placing our data centers and, as a result, what kind of protection we need to bring to bear in order to make sure that our cloud security controls are sufficient.
You know, in general, we need to make sure that we are securing the network communication facilities, securing the power transmission and communication facilities, securing the internet service facilities. All those things that are coming in from a vendor perspective, under the ground in cables, above the ground on poles, things like that, those have to be secured. We have to make sure that we are monitoring the perimeter of the building. We're looking at the places where the generators are and making sure we have secure fuel storage, looking at the HVAC systems, making sure that the air intakes are clean and secure, making sure nobody can crawl in through a service conduit that may be left exposed on the outside of the building or up on the roof or, you know, wherever that may be.
If we have a loading bay, and a lot of these big data centers have massive loading bays where we can bring 18-wheel trucks or trailers in and back them up and allow them to offload directly into or onto the floor of the data center, implementing proper cloud security controls means we have to secure those areas, maybe at the gate that, you know, controls access there, so that nobody can just pull up without our knowledge and maybe pry the door open and get in, you know, without us being aware of the fact that they're there.
Devices, software and connections
These are all things that we have to be thinking about but we also have to think about the infrastructure that's outside the data center as well as just the physicality of it. What about the computers as you can see on the screen in front of you, endpoints such as PCs, laptops, mobile devices, handhelds? All of those have to be secured as well because, in effect, they are handling the border or the gateway management or indeed the access points for the data that sits inside the data center and that may be held literally in the palm of someone's hand.
If somebody has access to a server, a guest operating system on a VM running inside a secure data center, where the data center itself is very locked down, very hard to get into, we would say almost impossible without the rights to be there, but somebody can logically walk right through the perimeter controls and logically gain access to that server, and we don't protect the endpoint that's being used to do so.
We effectively have lost the identity and access management and access control battle, even though we've poured a huge amount of infrastructure resources, time and money into physical protections. The ability to come in literally through an unprotected or unwatched remote endpoint has been left as a security violation and liability in response to a risk, and we haven't documented it properly. And as a result, information is probably exfiltrating from our systems as we speak. This is an issue. This is something that we have to be thinking of in the context of cloud security controls.
So it's not just the boundary and the border and the perimeter of the actual building. It's not the elemental defense mechanisms and the defense boundary that's pushed out beyond the building. It's the access that is logically carried with most of us today on our endpoint devices that also has to be considered, both by the security professional as well as by the customer and the provider, in that the provider may allow, or really have no say in allowing, remote access into the data center if the customer decides that's how they want to be able to consume their services, and indeed that's how the cloud is built.
The cloud is really built to be remotely accessed. You can't really access it in-person on demand physically. So it is a remote access platform and as a result, we're going to have to allow endpoints to connect to data and consume it remotely. The question is not really if we allow them, but rather under what circumstances will we allow them, under what conditions, and as a result what security mechanisms will we use to safeguard access to that data. That's really what we have to be thinking about and focus on in this area.
So, some regulations we may need to be aware of. These may affect your cloud security controls depending on where you live and work, or they may not. If you're not a North American vendor with responsibility in the utility and power generation sector, then the NERC CIP standards probably are not all that exciting for you, because if you're not in the utility industry you really don't care about what the North American Electric Reliability Corporation Critical Infrastructure Protection standards are, because you're not going to use them for anything.
In other words, retail manufacturers couldn't care less about NERC CIP, is my point. But if you are a retailer and/or a manufacturer of retail goods that are sold in a retail channel, PCI DSS, the Payment Card Industry Data Security Standard, is going to be of great importance to you regardless of where you do business in the world, although the PCI DSS regime is voluntary; it is not a legal framework that people must comply with, it is voluntary for businesses to do so.
It is seen as having almost the weight of a statutory law because almost every industry complies because the reality is, although it's voluntary, if you don't comply with the standards, credit card companies will refuse to take your business and may refuse to allow you to use their credit card payment gateways to transact your business. It becomes very difficult, in other words, for you to do business outside of the framework even though it's voluntary.
And so my point is the standards may apply fairly consistently across many areas of the world today, even though they may not necessarily have the enforceability that a law carries with it, because they are not enshrined in law. HIPAA, the Healthcare Insurance Portability and Accountability Act, in North America is obviously very important for North American citizens, people that live and work and do business in North America, from a healthcare perspective: the ability to manage healthcare data, personally identifiable information, PII, and related to that specifically the healthcare portion of that data, is now enshrined in law and has been for many years in North America.
While Europe has similar laws around privacy and data protection of the individual, there are many areas of the world that don't necessarily go to this degree and don't have these laws on the books with regard to management of this data.
So as a result of that, this law may or may not play into the specifics of how you're going to manage and understand how to interact with data security, wherever you live and work. The point is that you want to make sure you understand that while this is a sampling of key regulations, it is not an exhaustive list by any means. There are many regulations not on the screen in front of you that are equally important, and many that would be applicable to have as part of a broad and very, very all-encompassing conversation around regulations and compliance with regard to security, cloud security controls and risk.
This is a mere sampling just to get you focused on the idea that there are going to be specific regulations, specific requirements, and broad applicability of some and narrow applicability of others that we, as cloud security professionals, will overcome, interact with, and indeed have to interact with and understand on a regular and consistent basis. So when you look ahead to some of these regulations, look at what they are, become familiar with them; you may see ones that are very different in your part of the world, in your geography, than the ones that are on the list here.
Privacy laws are going to vary by country. Privacy laws are going to vary by geography and by region. The privacy and the information protection directive in the European Union, for instance, is broadly applicable inside of the European Union member countries but is not applicable to countries that are outside of the European Union, unless they have some negotiated requirements and/or responsibilities such as the safe harbor provisions that North American companies do business under with regards to that directive.
Switzerland, for instance, is not a member of the EU directly but a member of EFTA, which is the trade association for other European countries and entities that are not necessarily members of the EU but are associated through a compact of trade and regulatory requirements associated with it. Europe itself, in other words, has formed several different blocs and associations with regard to things like privacy and trade law. The European Union is the most well-known and has a pretty robust and standardized set of solutions and directives around data privacy.
EFTA has a separate set of agreements around trade. Primarily, Switzerland is not a member of the EU, but it is a member of EFTA. As a result of that, Switzerland doesn't necessarily abide by the European Union directive, although it does align with EFTA's requirements around privacy with regard to trade and the management of information, which are aligned for the most part with the EU directives. So indirectly it does, even though it doesn't directly subscribe, because it's not a member of the EU. There are very unique circumstances that may occur by country or by geography around the world with regard to certain things.
What we need to be aware of as security professionals is the intricacy and the subtlety of the discussion we need to have, and the knowledge of where we need to go to find that information, if appropriate, is really what a discussion like this helps us to focus on and reminds us of, especially as it relates to cloud security controls. It also helps us to focus the customer and the provider on the relationship, understanding the due care and due diligence responsibilities with regard to this discussion.
Cloud security controls in the data center
So, some examples of cloud security controls that you may or may not come across at some point. These are just statements of the kinds of controls that may exist, and you can take a moment and read some of them on the screen in front of you; I'll just take a look at the bottom one to give you a sample: "Physical security perimeters shall be implemented to safeguard sensitive data and information systems." This is one example of a control that would be very valuable in certain circumstances. There are many others that we could apply.
Again, not an exhaustive list, just merely a list of samples of cloud security controls that may be appropriate in certain situations. As security professionals, we would have to think about the kinds of controls that we would want to be able to apply, what the impact of those controls is, and as a result of that, which ones are the most appropriate to deploy in any given situation, under any circumstances or set of circumstances we may find ourselves in.
When we think about the data center and data center facilities, we want to be making sure we're thinking about the fact that they typically are required to have multiple layers of access control. I have worked in many data centers around the world. I have clients and customers that host in various different secure levels of data centers, anywhere from tier one all the way up to tier two, three and four in terms of the Uptime Institute architecture and technology controls; the topology for the design and the standardization of data center tiering is what I'm referring to. In other words, the design parameters that the Uptime Institute uses to rank and to rate data centers.
There are four tiers: tier one, tier two, tier three and tier four. The idea here is I've worked with and in most data centers with customers across the hosting spectrum, and as you go up the range from tier one to tier two, tier three to tier four, the security, as well as the redundancy and reliability of the data centers, increases. In very highly secured data centers, we have multiple layers of access controls where you have to check in, typically with a guard in a secured lobby. You may not even be buzzed into the lobby until you go through some additional access control measures outside.
There's probably a camera that is looking at you as you approach the building. You may have to walk through a secure portal of some kind, like a mantrap, where you're going to come in and the door will lock behind you so you cannot get out. You may be subject to some questioning or some quick inspection and scanning. You may then be passed into the secure lobby. The secure lobby is going to be a gated-off area, usually bulletproof glass, and no windows or access doors except for the one door you came in from and the one door, the one area or access control mechanism like a mantrap or something like that, that will then allow you access into the interior of the data center. You'll have to deal with a guard behind a gate or behind a closed or enclosed area.
You have to probably pass credentials through, explain the reason for being there, most likely sign a log. You may have to go through some sort of biometric security mechanism, a fingerprint scan, a voice scan, a retina scan, depending on what it is. You then will be given access; you may have to walk in through an additional mantrap, and there will probably be a pressure plate in that mantrap that weighs you and whatever equipment and infrastructure you bring in, so we know roughly, approximately, how much you weigh going in and out at any given time. And all of a sudden, if you attempt to bring in additional information or things, you know, smuggling in infrastructure, whatever it is, tools, anything like that that may be used to facilitate a break-in or facilitate some sort of, you know, bad-faith action inside, we will know that and we will then block you from accessing and gaining entry.
You may walk through a metal detector. You may walk through a degaussing service -- part of that process where we wipe any and all magnetic medium that you may have on your person. We may scan you before you walk in with a full body scan. I've seen all sorts of things go on with secure data centers. I've been approached at gunpoint at secure data centers by armed guards and have been told specifically, you have a certain directive for being here, you're going to be scanned, we're going to search you, whatever you're going to do, you're going to leave your cell phone and all other recording material that you could take pictures with and things like that over here, and you're not going to be able to walk around in the data center unless we're here to escort you. You're going to come in and do what you need to do, and you're going to be under armed guard, watched, until you leave. You know, there are different levels of security in these data centers; it depends on what the data center hosts and it depends on what the data center is designed to do.
So think about the fact that multiple levels of access control, multiple layers, can mean many things in the context of cloud security controls. It could just mean you walk in the front door with a card key swipe and that's it, you're in if you have a card. It could mean a lot more than that; it really just depends. At the facility level, obviously, anything and everything inside the facility should be made redundant, so, depending on architecture tier again, power supplies, multivendor pathway connectivity, multiple backup generators, all sorts of different things would be appropriate here. The computer floor, or the space within the data center where the computers in the data center stack, in terms of the infrastructure, are located, so, you know, your rack space, things like that: there should be redundant power supply, and the network cabling and racks and all that should all be redundant, if possible.
Controls on staff, including the extent of background checks and screening. We should know who is in the data center, who's operating there. And as a result of that, we should understand that those people are trusted at a certain level. They're trusted to be in there with not just our infrastructure and our data but any customer's infrastructure and any customer's data that may be hosted in the data center. This is important to think about because if we're trusting you in there with lots and lots of customers' data, then we have to understand that you have to be background checked and certified as being trustworthy.
I've worked with customers that work in and have hosting in highly secured data centers, government and military customers. They are buying and taking off whole chunks of data centers, walling them off with additional security controls to prevent access from within the data center itself, because you need additional secure access to get into the area where those racks are hosted, and the people that are used in those data centers, that are going to be effectively able to administer infrastructure, are going to be very tightly scrutinized and very tightly controlled from a background perspective, because they have to pass additional security checks and additional requirements to work with those kinds of infrastructure.
When it comes to cloud security controls, we need training and security awareness, and incident response capability. We need to make sure that if something happens, we know that the people that are there know how to respond. Do they call 911, or the equivalent for life safety and fire protection, police protection in your country, in your area? Do they call them first? Do they call the owner of the data center? Does the data center have a protocol and a set of procedures to respond to an incident? Do they call in the owner of the data? There are all these different things that may or may not happen. The point is there has to be a process, a procedure, and training and reinforcement of that in order for the administration staff to know what to do.