Physical Security in the Cloud based on BSI Basic Protection

Date: 24.10.2019

The cloud, like the corporate server, is an infrastructure that needs physical protection. The cloud provider is responsible for the physical security in the cloud and ideally adheres to the guidelines of the BSI Basic Protection.
The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) assembles its recommended basic protection from individual aspects, so-called building blocks, some of which build on each other. For the physical security of the cloud, the recommendations for the following building blocks can be used:

  • The building blocks for basic IT protection B 2.4 Server room
  • The formation of security zones
  • Basic protection for data centres

The additional building blocks to be used are described in B 3.303 Storage Solution / Cloud Storage. There, the security modules are also named according to the different storage systems. For example, module B 3.101 General server is used for Network Attached Storage (NAS); for Storage Area Networks (SAN), B 4.1 Heterogeneous networks is used as well.

When does physical security take effect in the cloud?

The physical security of a data center, a server room and thus also the cloud is exposed to various threats. These can roughly be divided into natural hazards, such as fire or flooding, and man-made threats.

Ideally, the cloud infrastructure should be located in a fire-proof room that is also protected from water ingress. Other measures are needed to protect against man-made damage.

For example, it makes sense to define security zones in order to integrate security appropriately. For reasons of personnel security, it is advisable to have a controlled internal area and, for example, to require registration of visitor traffic. The controlled internal area is in turn separated from the internal area, to which only employees have access, and this in turn from the high-security area. The high-security area is only accessible to selected and strictly controlled personnel.

Physical Security in the high security area

The physical elements of the cloud should, like those of a server, be housed in a specially created room. It is important that these rooms are only accessible to a few authorized persons. If data from competing companies is stored with a cloud provider, it makes sense for different managers to have access to the respective infrastructure. In addition, the persons authorized to access backup data should be different from those who take care of the live data. This shared responsibility reduces the risk of human error and thus secures the data on a personal and physical level. Of course, backups and live data should also be kept physically separate. Ideally, they are kept in different server rooms, so that destruction of both by fire or water is unlikely. Geo-redundancy can also make sense. In any case, a physical separation of the data by different servers in different cages is desirable.

Physical Security to communicate externally: ISO 27000

The security regulations in companies can usually be freely defined and implemented by the company itself. This makes things all the more difficult for customers looking for a cloud provider, for example. Reliable, generally valid and validated certification procedures have proven their worth, because they spare customers from having to go through and check the provider’s regulations in detail. One of these is ISO 27000, which is based on the building blocks of the BSI basic protection. In order to be certified, companies must undergo an audit by an independent auditor. The reliability of the certificate is thus guaranteed.
