In the Age of Cloud Physical Security Still Matters

In the Age of Cloud Physical Security Still Matters
Author: Sourya Biswas, CISSP, CISA, CISM, CCSP, CRISC, CGEIT, Technical Director, NCC Group
Date Published: 19 August 2019

As a security consultant, I’ve had the opportunity to assess the security postures of clients of all shapes and sizes. These enterprises have ranged in sizes from a five-man startup where all security (and information technology) was being handled by a single individual to Fortune 500 companies with standalone security departments staffed by several people handling application security, vendor security, physical security, etc. This post is based primarily on my experiences with smaller clients.

Cloud computing has definitely revolutionized the way companies do business. Not only does it allow companies to focus on core competencies by outsourcing a major part of the underlying IT infrastructure (and associated problems), it also allows for the conversion of heavy capital expenditure into scalable operational expenses that can be turned up or down on demand. The latter is especially helpful for smaller companies that can now access technologies that before had only been available to enterprises with million-dollar IT budgets.

Information security is one area where this transformation has been really impactful. With the likes of Amazon, Google and Microsoft continually updating their cloud environments and making them more secure, a lot of those security responsibilities can be handed over to the cloud providers. And this includes physical security as well, with enterprises no longer having to secure their expensive data centers.

However, this doesn’t mean that the need for physical security in the operating environment disappears. I once had a client CEO say to me, and I’m quoting him word for word – “Everything is in the cloud; why do I need physical security?” I responded, “Let’s consider a hypothetical scenario: you’re logged into your AWS admin account on your laptop and step away for a cup of coffee; I walk in and walk away with your laptop. Will that be a security issue for you?” Considering that this client had multiple entry points to its office with no receptionist, security guard or badged entry, I consider this scenario realistic instead of just hypothetical.

I’ve visited client locations, signed in on a tablet with my name and who I’m supposed to meet, the person was notified, and I was subsequently escorted in. Note that at no point in this process was I required to verify who I am. Considering the IAAA (Identification, Authentication, Authorization, Auditing) model, I provided an Identity, but it was not Authenticated. In fact, if somebody else signed in with my name, they would have gained access to the facility considering the client contact was expecting me, or rather someone with my name, to show up around that time.

Let’s look at one more example. One of my clients, dealing with sensitive chemicals, had doors alarmed and CCTV-monitored. However, they left their windows unguarded, with the result that a drug addict broke in and stole several thousand dollars’ worth of material.

Smaller companies on smaller budgets obviously want to limit their spend on security. And with their production environments in the cloud, physical security of their office environments is the last thing on their minds. However, most of them have valuable physical assets, even if they don’t realize it, that could be secured by spending minimally. Here are a few recommendations:

  • Ensure you have only a single point of entry during normal operations. Having an alarmed emergency exit is, however, highly recommended.
  • Ensure that the above point of entry is covered by a camera. If live monitoring of the feed is too expensive, ensure that the time-stamped footage is stored offsite and retained for at least three months so that it can be reviewed in case of an incident.
  • Install glass breakage alarms on windows. Put in motion sensors.
  • In addition to alarms for forced entry, an alarm should sound for a door held open for more than 30 seconds. Train employees to prevent tailgating.
  • Require employees and contractors to wear identification badges visibly.
  • Verify identity of all guests and vendors before granting entry. Print out different-colored badges and encourage employees to speak up if anyone without a badge is on the premises.
  • Establish and enforce a clear screen, clean desk and clear whiteboard policy.
  • Put shredding bins adjacent to printers. Shred contents and any unattended papers at close of business.
  • Mandate the use of laptop locks.

Please note that the above recommendations are not expensive to implement. While some are process-based requiring employee training, most require minimal investment in off-the-shelf equipment. Of course, there are varying degrees of implementation – for example, contracting with a vendor to monitor and act on alarms will cost more than just sounding the alarm.

In summary, while physical security requirements have definitely been reduced by moving to the cloud, it would be foolhardy to believe they have disappeared. This relative neglect of physical security by certain companies, and more, is the subject of my upcoming session at the ISACA Geek Week in Atlanta.

What other physical security measures do you think companies often ignore but would be easy to implement? Respond in the comments below.