"I am requesting your approval in principle to visit the company’s cloud facility in Europe," I said to the company’s CEO a few months after I began working there as a physical security consultant.
"Why would you need to travel there? We already have plenty of work to do here, especially after the risk survey you placed on the management's table. Besides, it's the last place I would be concerned about. We're talking about the cloud of one of the top three companies in the world in this field—a cloud that stores the data of the largest information companies globally. I have no doubt that the place is exceptionally secure. Also, the IT staff responsible for the cloud always return from work visits there full of admiration for the lengthy entry process they undergo and for how well-secured the facility is."
Allow me to take you back a few weeks, to the day when I received a phone call from the company’s Chief Information Security Officer (CISO), who asked for my help with the physical security of a major project the company was launching. We scheduled a meeting at the company’s office, where I was introduced to the project, which was defined as a key asset for the company due to its significant cost.
Me: "Has the company ever had a security officer or a physical security manager?"
CISO: "No. The issue is managed by the IT department and handled in the most basic way."
Me: "What does that include?"
CISO: "They installed a camera system and an access control system at the headquarters."
Me: "And what are the company’s main assets?"
CISO: "Honestly, man, I don’t really know. I assume it’s the product we manufacture and sell, maybe the server rooms, and any project we’re working on."
Me: "So why did you suddenly bring me in for this project?"
CISO: "Because it’s our flagship project, and it's expected to revolutionize the company’s profits—something that will be a game-changer against our competitors."
The project was indeed large and central, and I certainly defined it as the company’s key asset without a doubt. I got to know the company inside and out—its business goals, work processes, clients, history, employees, and plans for the future. The project itself took over a year to plan and execute physically, and fortunately, I received full support from management for all my financial and staffing requirements, of course, after presenting a comprehensive and detailed security plan to the management that also included costs.
Meanwhile, without a direct request from the CISO, I conducted a risk survey of the company. First, I defined the primary and secondary assets, then conducted an intelligence study on the company’s potential adversary. From there, I moved on to defining the threats to the company, and I discovered significant gaps—or rather, I discovered that there was no real counteraction to the physical threat, namely physical access to the company’s assets, leading to their destruction, theft, or disruption.
Based on the intelligence I gathered from the internet and with the assistance of an open-source intelligence company, as well as conversations with employees and conducting a penetration test using an external red team, I built and submitted a risk survey report outlining all the problems and threats the company faced in terms of physical security. It didn’t take much more than that before I was asked to urgently prepare a security plan to address the range of scenarios I had presented.
After more than two years of work, it can be said that the company’s physical security is in a much better place, receiving attention, which, sadly, is more than can still be said for hundreds or even thousands of large companies. These companies invest millions in cyber security but tend to overlook the physical aspect of securing assets.
But let’s return to the beginning of the article, to the subject at hand: "Physical security of the cloud." As part of the risk survey, I quickly realized that all the company’s data is stored in the cloud, and from my perspective, having all the eggs in one basket raised a red flag. Everyone knows that the "cloud" is really just a large server farm somewhere in the country or elsewhere in the world, storing and protecting data against cyber threats and, supposedly, physical access.
"Mr. CEO, I am confident the cloud is very well-secured, and I have no doubt that the IT staff was impressed by the entry process to the facility. However, since we're talking about all of the company’s data, I assume that a few thousand euros for my travel to evaluate the place won’t keep you up at night. Maybe it’s not going would cost you more sleep."
So, my friends, I traveled, I examined, I was impressed—and, as you can imagine, quite a few red flags popped up.
I’ll try to be brief and to the point by asking a question that each of us would likely ask ourselves, I assume: "Can I trust a security company to perform security actions for me without evaluating it, knowing its history, checking, and personally reviewing it?"
Always be skeptical. Don’t trust anyone blindly, and remember—the responsibility is yours as security officers.
Yes, a lot of money is invested, and the cloud is secured well and professionally, and I even saw companies that placed a private guard at the entrance to their cloud farm within the large data center. But I also discovered several gaps in the security approach, incident response, and reporting to the company in the event of an intrusion attempt.
On the one hand, the entry process was as stringent as boarding an El Al flight, even for a suspicious passenger. But simply being a customer opened all the doors to the facility, and I could walk around without supervision, passing by all the other companies’ cloud farms that rented space there. True, each farm is locked, and the area is monitored by cameras, but all I need initially is to register as a legitimate company, and voila—I’m in.
So, what would I recommend to any physical security manager whose company stores data in the cloud?
1. It is crucial to personally tour and analyze the facility, getting to know the security manager and the security method firsthand. Nothing beats personal acquaintance and seeing it with your own eyes.
2. Location – divided into two parts:
   1) Choosing the data center – I would seriously consider choosing a location outside of Israel or at least over 100 km from the main office in case of an earthquake that could wipe out both the office and the data center, even though it provides a decent disaster recovery solution.
   2) Our server location within the data center – try to select a space that is isolated and unidentifiable.
3. Compartmentalization – This is of utmost importance when it comes to cloud security:
   1) No employee in the company should know where the cloud is located except for senior management, a small group of IT personnel, and a select few from the security team.
   2) Demand compartmentalization and do not allow the cloud provider to publicize our use of their services for marketing purposes.
   3) Avoid any signage at the data center itself and demand compartmentalization of the data center employees as much as possible.
4. Security measures – Every cloud facility has cameras, alarms, detectors, access control systems, security staff, a control room, etc. These all ensure the facility’s security in general, but usually do not go down to the level of individual companies. Therefore, add your own locks and codes, demand the installation of additional security measures such as alarm systems and cameras in your company’s area within the facility. These should transmit alerts to your control center or directly to your phone in case of any break-in or unauthorized access. Essentially, you should maintain full control over your little cloud in the sea of clouds housed at the facility.
5. Collaboration with IT – Remember that they have access to the facility and typically visit the cloud from time to time for maintenance and updates. They will also likely notify you if they detect anything suspicious related to the cloud. Additionally, it’s very likely that there’s a local representative on-site to handle technical issues that could shut down the company’s operations entirely. Ensure these individuals undergo background checks or any other security checks required per the company’s job classification guidelines.
6. Don’t hesitate to shop around between cloud providers, conduct a comprehensive evaluation of the security level, and demand to rent services only from a cloud provider that allows you to integrate your security measures with theirs.
Remember — a chain is only as strong as its weakest link.