Welcome to the first of a four-part series from Huddle covering topics related to cloud security! This series will help demystify the terminology, acronyms (and accreditation) in order to provide greater clarity on the concepts associated with cloud computing. This series is more of a cloud-computing field guide for time-strapped senior IT executives who need to understand cloud security but may not have the resources for a full course.
Cloud security can be generally broken down into four layers, all of which should work in tandem as part of a comprehensive security strategy: physical security, network security, application security and operational security.
So, without further ado, our first topic: physical security.
We tend to take for granted the hundreds of web-based services that we use every day, delivered out of the abstract location we call the Internet. So it’s easy to forget that those applications aren’t really in the cloud, but physically stored somewhere: on physical servers mounted in racks, in massive datacentres somewhere in the world. Therefore, securing these physical assets is the first step to assuring the overall security of a service.
Physical security starts with where the datacentre is located. Areas that are more likely to have the datacentre compromised by natural disasters (e.g., hurricanes, earthquakes, floods, tornadoes, etc.) and manmade factors (e.g., political instability, nuclear zone, etc.) should be avoided if possible. However, it’s important to balance the security granted by isolation and stability with easy access to a datacentre’s three top resources: electricity, water and network bandwidth.
For instance, ultra-secure Tier 4 datacentres may be best located in a desert situated near a hydroelectric dam, whereas Tier 1 or Tier 2 datacentres are often found right in the heart of
a city in order to ensure fastest possible response times. The vast majority of datacentres are found in metro/suburban locations in plain looking buildings.
Once you’ve found a physical location for the datacentre that is relatively safeguarded from Mother Nature, you’ll want to begin considering ways to protect it from people who might do harm. Walls, fences, CCTV, guards and alarm systems are a good start and now, many datacentres have gone on to introduce smartcard and biometric systems to further verify access within the datacentre, weight sensors to stop theft and other advanced internal systems to detect unlawful entry.
But wait. There’s more! Having just one datacentre is risky: if any disaster takes it out, you’ve lost all your data. Many companies feel safer in the knowledge that if some goes really wrong there is another datacentre on standby to take over. This means you need a datacentre close enough to replicate your data in real-time (or as close to real-time as possible) but far enough away that it won’t be subject to the same disaster (earthquake, terrorist attack etc.) as your primary datacentre. The general rule is that the more datacentre replication sites that you have, the less it matters where they’re located because as the number of sites goes up, the chances of a disaster event that causes downtime across all of the sites goes down.
It’s also worth knowing your physical security vocabulary, specifically datacentre security tiers. Their are four datacentre security tiers, numbered 1-4. The lowest of the datacentre security tiers, Tier 1, provides no resiliency. Tier 2 and Tier 3 provide a little more by way of redundant power and IT systems. The top of the datacentre security tiers, Tier 4, has full resiliency across all systems.
Huddle’s content management and collaboration platform is powered through Rackspace, a leading provider of hosted datacentres, offering complete cloud security. Huddle’s primary datacentre is situated in a relatively innocuous geographic location in the UK that gives us the best access to available resources and bandwidth while a secondary datacentre is located elsewhere in the UK, providing Huddle with near real-time backup of all systems.
What are your thoughts about physical security? And be sure to join me next time to discuss operational security.