Physical Security & The Cloud

Martin Grigg
Martin Grigg of 323 Consulting and Former Chairman of the DCA Site Access Control & Security Group discusses how a breach of physical security resulting in a loss of data could bring a major cloud provider to its knees. He proposes that proportionate physical security may mean a complicated web of integration. 
Anybody that can get physical access to a cloud server can get access to the data that is on it. This means that data security is not just about firewalls and encryption – it’s about physical protection as well. There are numerous standards and guidance documents available to steer owners and operators in the right direction for physical security but this wealth of information leaves many people scratching their heads. New European Standard CENELEC EN 50600 contains much useful information such as risk assessment and protection classes but what are proportionate security measures? How do we define ‘proportionate’? What are the real risks? 
Security deployment must be proportional to risk, which is why the very first thing needed is to understand the threats and vulnerabilities that your Data Centre faces. A threat, vulnerability and risk assessment (TVRA) will assess all of these aspects and quantify the risks so that proportionate mitigation measures can be put in place. However, for the purposes of discussion, let’s assume that we are talking about a Data Centre (DC) that hosts a major cloud provider. That DC will have many facets that a TVRA will explore but the headline risk to the cloud provider is data compromise and reputational damage. This risk is prompting some global DC providers to go beyond access control and CCTV as far as installing body scanners for staff and visitors. The providers worry is an insider attack, so they are deploying technology to detect contraband, storage devices and other tools to try and counter the threat. 

According to research carried out by Forrester (Understand the State of Data Security and Privacy: 2015 to 2016) the top three most common security breaches were: 
  • Internal incident at 39% 
  • External attack at 27% 
  • External attack using third party suppliers at 22%

There is a lot of similar data that suggests the same – the problem of physical attack and the insider threat is very real. 

In order to determine what measures are ‘proportionate’, one has to measure the cost of implementation against the likely exposure. Assuming that a data breach could significantly damage your business then in proportionate terms, an investment in physical security seems an excellent business decision – especially if your business is a recognised global enterprise. 

I have seen a lot of good advice for security for a Data Centre, such as having good signage, locking gates, intruder detection and CCTV. But without a unifying strategy, they are not as effective as you might think. Without proper planning and integration of systems, you will not be getting the best from your investment. For example, without an integrated CCTV and detection system, your cameras will only provide a video of the crime after the event. Although this may have forensic value, I would rather see live images used as video verification of the event and a guard responding effectively to shut down the breach before it becomes an issue. 

A simple layered approach to security will make it hard for an external attacker to breach your defences but it takes more than this to counter the insider threat. Integration can combine different elements of a security scheme in such a way that they support each other to produce a stronger and more effective solution as a whole. The benefits of such integration can be summed up by the phrase that was first coined by Aristotle. He said “the whole is greater than the sum of its parts”. In other words integration done in the right way produces synergy. 

Integration also produces defence in depth, which is where defensive lines of a system support each other and create uncertainty for an assailant. Defence in depth goes beyond a simple layered approach and reaches out as far as the local community, contractor vetting, robust procedures and a good security culture. At this stage it becomes not only difficult for an insider to cause a problem, but also reduces the likelihood that they will get away with it, making the deterrence far stronger. 

By talking about the benefits of integration and defence in depth, it can be seen that physical security is an essential but complex subject and that paying lip service to it is not going to protect your business. This is the reason that the DCA has a Steering Committee with an aim to produce a ‘positioning statement’ on Data Centre security. It pulls expertise and experience from members to not just produce another guidance document but to shine a light on good practice and available information. EN 50600, which has a section dedicated to Security, is an excellent document and good news for the industry. Hopefully it will standardise the approach. Even though this document contains a lot of good information, I feel that it still does not go far enough to help owners and operators prevent a major data breach, which could potentially bring a large corporate – including any Cloud Provider –  to its knees. 
Created with