Cloud physical security considerations

Physical security is fundamental in many areas, and IT security is no different. The physical locations where IBM cloud offerings reside must be compliant with IBM physical security policies. Existing and new natural and human-originated threats, such as large-magnitude earthquakes, hurricanes, tsunamis, radioactive radiation, solar flares, and terrorism, require repeated risk re-evaluation. This applies especially to data centers built in the 1960s or 1970s. Cloud offerings distributed and mirrored over many physical sites can offer a higher degree of IT security to some of our commercial customers, for example in the banking and finance sector, without the need for huge financial investments.

Firewall red; cloud white

In the 1990s, when IT environments became more interconnected, security topics became more and more important. Customers started to outsource IT services to external service providers and concentrate on their core businesses. Physical security was a topic at that time also. The desire of customers to see physical implementations and “visible solutions” sometimes created strange “flowers.” An extreme example might be a company providing firewall software and solutions that bought simple PCs, installed its firewall software on top of the OS, and finally painted those boxes an aggressive red. The buyer of the “firewall” was then able to place the red box somewhere in their IT environment and present it proudly to anybody asking about IT security in that company.

The desire to see and touch things even if they are called “cloud solutions” is still there, and the word “cloud” still does not mean that it is “in the air.” We still have the cabling, the CPUs, the hypervisors, storage, and all the other physical components to make the cloud fly. Even if we do not paint all of those physical items in cloud white – instead of firewall red – we will need to seriously consider physical security.

Physical security not only in a cloud

Physical security is managed by one or several processes, which include:

  • Area security definition
  • Controlled access to those areas
  • Uninterrupted power supplies
  • Monitoring critical parameters
  • Alarms
  • Air and particle filtering
  • Fire protection
  • Others, such as proper risk and issue management

Those processes are not specific to cloud offerings. A data center might host both traditional IT environments and cloud solutions in the same area.

New physical threats and cloud

Natural and human threats of high magnitude, such as the Kobe and Fukushima earthquakes, Hurricane Katrina, the Chernobyl and Fukushima atomic plant meltdowns, terrorist attacks, and others, have to be addressed in physical processes and considerations. Some data centers built in the 1970s and 1980s might not be equipped to withstand physical threats of a new, or so far unknown, magnitude. Investments in physical security have a significant impact on costs, which a company would normally like to avoid. Some companies will simply analyze the risks, that is, analyze the probability and impact. Afterwards, they may acknowledge and accept them instead of spending millions of dollars to improve physical security. Some minor physical shortcomings might be addressed as issues. Physical risks can hardly be mitigated to zero, but if the probability or impact is regarded as low or very low, the remaining risk can be accepted without any further action.

Other companies would like to see the most innovative technology – the “cloud” – in a state-of-the-art data center, or better, two: newly constructed data centers, physically separated by dozens of miles but still connected through a glass fibre network, backing each other up for the most business-critical applications and data, each with its own independent power supply and server cooling mechanisms. The solution I have outlined is interesting for private cloud implementations of large financial sector and insurance companies. Here, the cloud becomes very real and physical for some of our customers.
