Cloud physical security considerations

Abstract

Physical security is basic in many areas, and it’s no different in the IT security area. The physical locations where IBM cloud offerings reside must be compliant to IBM physical security policies. Existing and new natural and human originated threats, such as large magnitude earthquakes, hurricanes, tsunamis, radioactive radiation, sun flare outbursts, and terrorism need a repeated risk re-evaluation. This is especially valid when data centers built in the 1960s or 1970s are concerned. Cloud offerings distributed and mirrored over many physical sites can offer a higher degree of IT security to some of our commercial customers, for example in the banking and finance sector, without the need for huge financial investments.

Firewall red; cloud white

In the 1990s, when IT environments got more interconnected, security topics became more and more important. Customers started to outsource IT services to external service providers and concentrate on their core businesses. Physical security was a topic at that time also. The desire of customers to see physical implementations and “visible solutions” sometimes created strange “flowers.” An extreme example might be that a company, providing firewall software and solutions, bought simple PCs, installed their firewall software on top of the OS, and finally painted those boxes in an aggressive red. Now, the buyer of the “firewall” was able to place the red box somewhere in their IT environment and present it proudly to anybody asking about IT security in that company.

The desire to see and touch things even if they are called “cloud solutions” is still there, and the word “cloud” still does not mean that it is “in the air.” We still have the cabling, the CPUs, the hypervisors, storage, and all the other physical components to make the cloud fly. Even if we do not paint all of those physical items in cloud white – instead of firewall red – we will need to seriously consider physical security.

Physical security not only in a cloud

Physical security is managed by one or several processes, which include:

• Area security definition
• Controlled access to those areas
• Uninterrupted power supplies
• Monitoring critical parameters
• Alarms
• Air and particle filtering
• Fire protection
• Others, such as proper risk and issue management

Those processes are not specific to cloud offerings. A data center might host both traditional IT environments and cloud solutions in the same area.

New physical threats and cloud

Natural and human threats of high magnitude such as the Kobe and Fukushima earthquakes, Hurricane Katrina, Chernobyl and Fukushima atomic plant meltdowns, terrorist attacks, and others, have to be addressed in physical processes and considerations. Some data centers built in the 1970s and 1980s of the last century might be deficient to address new, or so far unknown, magnitude physical threats. Investments in physical security will have a significant impact on costs a company normally would like to avoid. Some companies will simply analyze the risks, that is, analyze the probability and impact. Afterwards, they may acknowledge and accept them, instead of spending millions of dollars to improve physical security. Some minor physical shortcomings might be addressed as issues. Physical risks can hardly be mitigated to zero, but if the probability or impact is regarded as low or very low, the remaining risk can be accepted without processing any further action.

Other companies would like to see the most innovative technology – the “cloud” – in a state-of-the-art data center, or better two: New constructed data centers each physically separated dozen of miles away, but still connected through glass fibre network, and backing up each other for the most business-critical applications and data, with their independent power supplies and server cooling mechanisms. The solution I have outlined is interesting for private cloud implementations of large financial sector and insurance companies. Here, the cloud becomes very real and physical for some of our customers.