CSA Guidance Version 3

Domain 7: Physical Security

The purpose of this domain is to assist cloud service users to share a common understanding of physical security with cloud service. Physical security can be defined as the measures taken to ensure the safety and material existence of data and personnel against theft, espionage, sabotage, or harm. In the context of cloud information security, this is about information, products, and people.

This section maps to Cloud Control Matrix Domains IS-01 and IS-02 as well as ISO/IEC 27002 Clause 9.

Proper information security deploys many different layers to achieve its goal; this is referred to as "layered security." When implementing physical measures, managers should acknowledge that no measure is 100 percent secure; information security uses the depth of its layers to achieve the highest form of security. A weakness in any one of these layers will cause security to break. Physical protection is the initial step in a layered approach to cloud information security. If it is nonexistent, weak, or improperly exercised, the best logical information security measure will fail.

An effective physical security program flows from well-developed policy, processes, and procedure. Well-developed physical security programs will result in an information security management solution that is scalable with the business, repeatable across the organization, measurable, sustainable, defensible, continually improving, and cost-effective on an ongoing basis.

Overview

This domain addresses physical security:

o Establishing a Physical Security Function
o Asset Management
o Facility Security
o Facility Security Authorization

Copyright © 2011 Cloud Security Alliance

1.1 Establishing a Physical Security Function

This section maps to Cloud Control Matrix Domains FS-01, FS-02, FS-03 and FS-04 as well as ISO/IEC 27002 Clause 9.

To establish proper physical security for IT equipment, network technology, and telecommunications assets in a cloud environment, it is important that responsibilities be assigned to personnel who are appropriately placed in a cloud provider's organization. An individual in a management position within a cloud provider is responsible for managing the planning, implementation, and maintenance of plans and procedures. Personnel responsible for physical security need to be trained and have their performance evaluated. In establishing a physical IT security function within a cloud environment, the following functions are required:

o The human resources that are in place for physical security
o How legacy physical security efforts have been managed and staffed prior to transition to cloud
o The financial resources available for security efforts

Physical security for IT equipment, network technology, and telecommunications is often overlooked in many organizations. This has been caused by large numbers of organizations installing additional computer equipment, networks and gateways in buildings that did not have proper security facilities designed to secure the equipment.

Physical security can be as simple as adding a locked door or as elaborate as implementing multiple layers of barriers, armed security guards and security placement. Proper physical security uses the concept of layered defense, in appropriate combinations, to deter and delay intrusions (referred to as passive defense) and to detect and respond to intrusions (referred to as active defense).

o Obstacles, to frustrate attackers and delay serious ones
o Detection systems
o Automated security response designed to repel, catch or discourage attackers

Physical security normally takes one of four forms in design and implementation:

o Environmental design
o Mechanical, electronic and procedural access control
o Intrusion detection and automated response procedures
o Personnel identification and authentication

1.2 Human Resources Physical Security

This section maps to Cloud Control Matrix Domains IS-15, FS-05, FS-06, FS-07 and FS-08 as well as ISO/IEC 27002 Clause 9.

A knowledgeable actor with physical access to a console can bypass most logical protective measures by simply rebooting the system or accessing the system that is already turned on with root or administrator access. An unlocked wiring closet can provide hidden access to a network or a means to sabotage existing networks.

The purpose of the human resources physical control is to make sure those closest to the data do not disrupt operations and compromise the cloud.

o Roles and responsibilities
o Background Agreements
o Employment Agreement
o Employment Termination

Roles and responsibilities are part of a cloud environment, in which people and processes, along with technology, are integrated to sustain tenant security on a consistent basis. Separation of responsibilities, requiring at least two persons with separate job duties to complete a transaction or process end-to-end, or avoiding a conflict of interest, is required to properly protect cloud consumers. Segregation of duties originated in accounting and financial management. It eliminates toxic role combinations; for example, the same person who approves a purchase order should not also be able to facilitate payment. The principle is applied to role division in cloud development and operations, as well as in the software development life cycle.

This principle supports the cloud provider's goal to protect and leverage the organization's information assets. A cloud security management program requires the assignment of key roles and responsibilities, which may be held by individuals or groups. These roles and responsibilities must be formally defined in the organization's information security policy. They should also be defined in a charter document that describes the cloud provider's mission, objectives, roles, and responsibilities.

The development of effective employment agreements must include employee hiring practices, background checks (when permitted under local law) and job descriptions; security clearances; separation of duties and responsibilities; job rotation; and hiring and termination practices.

1.2 Permissions

o Proper facility design
o Adopt integrated physical and logical security systems that reinforce one another
o Adopt service level agreements that require the inheritance of employment security obligations and responsibilities by later levels of the supply chain.

1.3 Recommendations

o Cloud providers should consider adopting as a security baseline the most stringent requirements of any customer. To the extent these security practices do not negatively impact the customer experience, stringent security practices should prove to be cost effective in the long run by reducing risk as well as customer-driven scrutiny in several areas of concern.
o Providers should have robust compartmentalization of job duties, perform background checks, require/enforce non-disclosure agreements for employees, and limit employee knowledge of customers to that which is absolutely needed to perform job duties.

1.4 Requirements

o Proper structural design for physical security
o Respect the interdependency of deterrent, detective and authentication solutions
o Inspect and account for personnel risks inherited from other members of the cloud supply chain and take active measures to mitigate and contain personnel risks through proper segregation of duties