The management plane controls the entire infrastructure. Parts of it will be exposed to customers independent of network location, so it is a prime resource to protect. Its graphical user interface, command line interface (if any), and API need to have stringent and role-based access control. In addition, logging of all relevant actions in a…
Month: September 2021
Secure Installation and Configuration of Virtualized Cloud Datacenters
Secure configuration of the virtualization management toolset is one of the most important steps when building a cloud environment. A compromise of the management tools may allow an attacker unlimited access to the virtual machine, the host, and the enterprise network. Therefore, the management tools must be securely installed and configured and adequately monitored. NOTE:…
Cloud Datacenter: Hardware-specific Security Configuration Requirements
The data center should have hardware and virtualization protections at the component level. Virtual private cloud (VPC) protection is a fundamental protection in public cloud consumption as well as a key attribute of security groups. Hardware-based tools that include Trusted Platform Modules also feature in the suite of logical and physical data center security. Best…
Countermeasure Strategies: Cyber Kill Chain
In the world of cybersecurity nefarious acts are often caught after the exploitation of systems has occurred. Depending on the gravity of the exploitation, it can lead to thorough investigations that may be operational (within an organization), criminal, and tort (recovery of financial damages). The findings of the investigation can lead to an assessment that…
Countermeasure Strategies: Zero Trust Model
Before an organization selects specific technology and service solutions, they first need to contemplate a complete enumeration of imperative or critical business functions/services and what threats exist to resiliency of those functions/services. The adoption of a strategy to combat those threats may not mean selecting a specific tool but rather may mean adopting a selected…
Risks Related to the Cloud Environment: Vulnerabilities, Threats, and Attacks
Knowing the top threats to cloud computing, allows an organization to reduce attack surfaces by selecting appropriate countermeasures. Strategies like a Zero Trust architecture and imagining the cyber “kill chain” before an incident occurs can lead to successful protection. As the commoditization of cloud services increases, so does the attention and capability of criminal enterprises…
Data Center Design: Fire Prevention & HVAC
ISO/IEC TS 22237-6:2018 addresses security systems and uses the term fire-stopping in reference to fire prevention. The list guidance that follows can be utilized in construction or verifying controls in existing structures. Fire-stopping techniques applied to pathways that penetrate the boundary of a fire compartment shall be specified in terms of: the fire rating, construction…
Uptime Institute’s “Data Center Site Infrastructure Tier Standard: Topology”
The Uptime Institute is an unbiased international advisory organization and a leader in data center design and management. The institute’s “Data Center Site Infrastructure Tier Standard: Topology” document provides the baseline that many enterprises use to rate their data center designs. The document describes a four-tiered architecture for data center design, with each tier including…
Secure Cloud Data Center Design – Part 3
Physical and Environmental Protection ISO/IEC TS 22237-2 Protection and Availability Classes ISO/IEC TS 22237-2 lists multiple layers of security referred to as classes. Each class has a guidance profile that specifies the proper controls that should exist at each layer. Outer layers have less stringent control guidance than inner layers. The two topics of control…
Secure Cloud Data Center Design – Part 2
Physical Environment ISO/IEC TS 22237-1:2018: Information technology — Data center facilities and infrastructures enumerates availability and protection classes that define different levels of recommended environment restrictions, automated support systems, and design criteria for data centers. The ISO/IEC 22237 seven-part series is comprised of: ISO/IEC TS 22237-1:2018 Information technology — Data center facilities and infrastructures outlines…