Control, Control, Control it’s the Platform!

Domain Three: Cloud Platform and Infrastructure Security (One)

Domain Three is upon us! In continuation of the CCSP series, let’s dive right in!


Physical Environment of the Cloud Service Provider

  • CSPs like Amazon, Google, and Microsoft have enormous data centers all around the world. In locations with limited public infrastructure or datacenter demand, they tend to deploy edge datacenters and CDN (content delivery network) servers.
  • CSP datacenters require massive amounts of power and in most cases have dedicated grids
  • Downtime affects all dependent businesses
  • CSP datacenters require redundancy; it is an essential part of the business model
  • Must be Temperature and Humidity controlled at all times: HVACs, piping, airflow, all require constant monitoring

Google Cloud Datacenter:

Note: Remember the Power, Pipe, and Ping. Those are the three core requirements of all Datacenters

Key Elements:

  • Airflow – Sensors measure how the air moves through racks (hot / cold aisles) and to / from the HVACs
  • Voltage – Sensors that monitor the level of line voltage and detect its absence
  • Power – A monitoring system is required to check the grids and measure the power entering the facility
  • Smoke – Fire / gas detection systems and emergency services notification

Note: The primary fire protection systems used within data centers typically include: wet pipe sprinklers, pre-action sprinklers, and special suppression (i.e., clean agent, inert gas, or mist)

  • Video Surveillance: Real-time monitoring of the datacenter and internal activities
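The sensor list above says the readings require constant monitoring. The following script is an added example (not part of the original post or any vendor's monitoring product) showing what that monitoring loop actually decides: it keeps the latest reading per sensor, flags values outside an operating envelope, treats zero line voltage as a power-loss event, and, the case that is easy to forget, raises an alert when a sensor has gone silent, since a missing reading is not the same as a good reading. The limits and the sample readings are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

# Assumed operating envelopes (constructed for this example, not the page's values).
LIMITS = {
    "temperature_c": (18.0, 27.0),
    "humidity_pct": (20.0, 60.0),
    "line_voltage_v": (207.0, 253.0),
    "airflow_cfm": (400.0, 1200.0),
}
STALE_AFTER_S = 60  # a sensor silent this long is itself an alert


@dataclass
class Reading:
    sensor: str
    metric: str
    value: float
    ts: int  # unix seconds


def evaluate(readings: Iterable[Reading], now: int) -> list[str]:
    """Return alert strings for stale sensors, power loss and out-of-range values."""
    latest: dict[str, Reading] = {}
    for r in readings:
        key = f"{r.sensor}:{r.metric}"
        # keep only the newest reading per sensor/metric pair
        if key not in latest or r.ts > latest[key].ts:
            latest[key] = r

    alerts: list[str] = []
    for key, r in sorted(latest.items()):
        age = now - r.ts
        if age > STALE_AFTER_S:
            # silence is an alert: the sensor, its network or its power may be gone
            alerts.append(f"STALE {key}: last seen {age}s ago")
            continue
        lo, hi = LIMITS[r.metric]
        if r.metric == "line_voltage_v" and r.value == 0.0:
            alerts.append(f"POWER LOSS {key}: 0 V")
        elif not lo <= r.value <= hi:
            alerts.append(f"OUT OF RANGE {key}: {r.value} not in [{lo}, {hi}]")
    return alerts


# Constructed sample feed: one hot inlet, one dead PDU feed, one sensor that
# stopped reporting 100 seconds ago (its older duplicate is ignored).
SAMPLE = [
    Reading("rack-07-inlet", "temperature_c", 31.5, 1000),
    Reading("rack-12-inlet", "temperature_c", 21.0, 1000),
    Reading("pdu-a", "line_voltage_v", 0.0, 1000),
    Reading("pdu-b", "line_voltage_v", 229.0, 1000),
    Reading("crac-2", "humidity_pct", 45.0, 900),
    Reading("crac-2", "humidity_pct", 44.0, 850),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE, now=1000):
        print(alert)
```

Running it prints three alerts: the stale humidity sensor, the zero-voltage PDU feed and the inlet temperature outside its envelope; the in-range readings produce nothing.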

Example of Data Center Monitoring Software:

Note: The physical infrastructure and its protection mechanisms are always the responsibility of the CSP. See the SLA.

Network Functionality:

  • How are cloud resources assigned IP addresses? Statically / dynamically. How are they managed? By scanning the network
  • Access Control: Physical Access Control | Administrative Access Control | Technical Access Control
      Physical: Fences, Gates, Guards, and Cameras
      Administrative: Training, personnel accounting, DRP (Disaster Recovery Plans)
      Technical: Encryption, Smart Cards, Authentication, SIEM
  • Sufficient Bandwidth Allocation: How does traffic move between systems and interfaces? Who are the ISPs (Internet Service Providers)?
  • Filtering: Think Allow / Deny of traffic. How is it filtered, and what controls are in place?
  • Routing 101: How does traffic move through the network? What protocols are in place?
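The filtering bullet asks how traffic is allowed or denied. The script below is an added example (not from the original post or any cloud provider's firewall) of the evaluation model behind most security groups and network ACLs: rules are checked top to bottom, the first match wins, and a flow that matches nothing is denied. The rule set and flows are constructed; the point it shows beyond the bullet is that rule order is part of the control, since moving a deny below a broader allow silently lets the quarantined subnet through.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR
    proto: str         # "tcp", "udp" or "any"
    dport: int | None  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, f: Flow) -> bool:
    """True when every field of the rule covers the flow (mixed IP versions never match)."""
    return (ip_address(f.src) in ip_network(rule.src)
            and ip_address(f.dst) in ip_network(rule.dst)
            and rule.proto in ("any", f.proto)
            and rule.dport in (None, f.dport))


def decide(rules: list[Rule], f: Flow) -> tuple[str, int]:
    """First-match evaluation. Returns (action, index of matching rule);
    index -1 means no rule matched and the implicit default deny applied."""
    for i, r in enumerate(rules):
        if matches(r, f):
            return r.action, i
    return "deny", -1


# Constructed policy: block a quarantined subnet first, allow HTTPS into the web
# tier from anywhere, allow SSH to the web tier only from the admin subnet, and
# rely on default deny for everything else.
POLICY = [
    Rule("deny",  "10.0.9.0/24",   "0.0.0.0/0",   "any", None),
    Rule("allow", "0.0.0.0/0",     "10.0.1.0/24", "tcp", 443),
    Rule("allow", "10.0.100.0/24", "10.0.1.0/24", "tcp", 22),
]

# Constructed sample flows (TEST-NET and private ranges only).
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.0.1.10", "tcp", 443),  # public HTTPS: allowed by rule 1
    Flow("203.0.113.7", "10.0.1.10", "tcp", 22),   # public SSH: no rule, default deny
    Flow("10.0.100.5",  "10.0.1.10", "tcp", 22),   # admin SSH: allowed by rule 2
    Flow("10.0.9.4",    "10.0.1.10", "tcp", 443),  # quarantined host: rule 0 denies first
    Flow("10.0.100.5",  "10.0.1.10", "udp", 22),   # wrong protocol: default deny
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, idx = decide(POLICY, f)
        print(f"{f.src:>13} -> {f.dst}:{f.dport}/{f.proto}  {action:5}  rule {idx}")
    # Same rules, deny moved below the broad allow: the quarantined host now gets in.
    misordered = [POLICY[1], POLICY[0], POLICY[2]]
    print("misordered:", decide(misordered, SAMPLE_FLOWS[3]))
```

When reviewing a real rule set, the questions to ask are the ones the bullet raises: what the default action is when nothing matches, and whether any broad allow sits above a narrower deny that it shadows.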