Infrastructure Security
Overview
Infrastructure security is a core responsibility of the cloud service provider (CSP), encompassing data centers, compute resources, storage systems, and network equipment. This lesson explores the ISO 27017 requirements for securing cloud infrastructure.
Learning Objectives
- Understand data center security requirements
- Identify compute infrastructure security controls
- Recognize storage security best practices
- Implement network infrastructure protection
- Apply ISO 27017 infrastructure controls
Data Center Security
Physical Security Controls
ISO 27017 Control A.11.1.1 - Physical Security Perimeter
Requirements:
- Multiple security perimeters
- 24/7 monitored access points
- Biometric authentication
- Security guards and patrols
- CCTV surveillance
- Intrusion detection systems
Implementation Layers:
```text
Perimeter Layer 1: Site Boundary
├─ Fencing and barriers
├─ Vehicle checkpoints
└─ Perimeter monitoring
Perimeter Layer 2: Building Entrance
├─ Mantrap systems
├─ Biometric scanners
├─ Security guards
└─ Visitor management
Perimeter Layer 3: Data Center Floor
├─ Card access + PIN
├─ Escort requirements
├─ Activity logging
└─ Video surveillance
Perimeter Layer 4: Server Cages/Racks
├─ Locked cabinets
├─ Individual access control
└─ Asset tracking
```
Environmental Controls
A.11.1.4 - Protecting Against External and Environmental Threats
| Threat | Control | Implementation |
|---|---|---|
| Power failure | Redundant power | N+1 UPS, diesel generators |
| Cooling failure | Redundant HVAC | Multiple cooling systems |
| Fire | Suppression | Pre-action sprinklers, FM-200 |
| Flood | Detection/prevention | Sensors, raised floors |
| Earthquake | Structural design | Seismic-rated construction |
Compute Infrastructure Security
Hypervisor Security
CLD.6.3.1 - Virtual Machine Hardening
Hypervisor Hardening:
- Minimal install (remove unnecessary components)
- Regular security patching
- Hardened configuration
- Network isolation
- Audit logging enabled
Multi-Tenant Isolation:
```text
Isolation Mechanisms
├─ CPU Isolation
│  └─ Dedicated cores or strict scheduling
├─ Memory Isolation
│  ├─ Hardware-assisted virtualization
│  └─ Memory encryption (AMD SEV, Intel TDX)
├─ Storage Isolation
│  ├─ Encrypted volumes per tenant
│  └─ Logical separation
└─ Network Isolation
   ├─ Virtual networks per tenant
   └─ Traffic filtering
```
Hardware Lifecycle Management
A.11.2.5 - Asset Disposal
Secure Decommissioning Process:
- Data wiping (DoD 5220.22-M standard)
- Physical destruction (if required)
- Asset tracking/logging
- Certificate of destruction
- Recycling or disposal
Storage Infrastructure Security
Data-at-Rest Encryption
A.10.1.1 - Policy on Use of Cryptographic Controls
Encryption Tiers:
| Tier | Method | Key Management | Use Case |
|---|---|---|---|
| Platform | AES-256 | Provider-managed | Default protection |
| BYOK | AES-256 | Customer-managed in CSP KMS | Enhanced control |
| Client-side | Customer choice | Customer-managed | Maximum control |
Storage Redundancy
A.17.2.1 - Availability of Information Processing Facilities
```text
Storage Redundancy Strategy
Local Redundancy (within data center)
├─ RAID configurations
├─ Multiple storage arrays
└─ Real-time replication
Geographic Redundancy (across regions)
├─ Asynchronous replication
├─ Multiple data centers
└─ Recovery Point Objective (RPO) < 15 minutes
```
Network Infrastructure Security
Network Segmentation
A.13.1.3 - Segregation in Networks
Segmentation Architecture:
```text
┌────────────────────────────────────┐
│ Public Internet                    │
└───────────┬────────────────────────┘
            │
┌───────────▼────────────────────────┐
│ Edge Layer (DDoS Protection)       │
├────────────────────────────────────┤
│ DMZ (Load Balancers, WAF)          │
├────────────────────────────────────┤
│ Application Tier (Web Servers)     │
├────────────────────────────────────┤
│ Data Tier (Databases)              │
├────────────────────────────────────┤
│ Management Network (Isolated)      │
└────────────────────────────────────┘
```
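The tiered architecture above can be checked mechanically when firewall or security-group rules are proposed. The following is an added example, not part of the lesson or of ISO 27017: it assumes a simple policy in which a new connection may only move one tier inward, nothing may connect into the isolated management network, and only the management network may open administrative sessions into the other tiers. The tier names, ports, and the `PROPOSED_RULES` sample are constructed for illustration.

```python
from dataclasses import dataclass

# Tier order from the segmentation architecture above, public side first.
# Policy assumed by this example (not taken from ISO 27017): a new connection
# may only move one tier inward, nothing may connect into the isolated
# management network, and only that network may open admin sessions elsewhere.
TIERS = ["internet", "edge", "dmz", "app", "data"]
MANAGEMENT = "management"
ADMIN_PORTS = {22, 3389}

@dataclass(frozen=True)
class Flow:
    src: str   # tier that initiates the connection
    dst: str   # tier that receives it
    port: int  # destination port

def evaluate(flow: Flow) -> tuple[bool, str]:
    """Decide whether a new connection is consistent with the segmentation model."""
    if flow.dst == MANAGEMENT:
        return False, "nothing may connect into the isolated management network"
    if flow.src == MANAGEMENT:
        if flow.port in ADMIN_PORTS:
            return True, "administrative session from the management network"
        return False, "management network may only open admin sessions"
    if flow.src not in TIERS or flow.dst not in TIERS:
        return False, f"unknown tier in {flow.src}->{flow.dst}"
    hop = TIERS.index(flow.dst) - TIERS.index(flow.src)
    if hop == 1:
        return True, f"adjacent inward hop {flow.src}->{flow.dst}"
    return False, f"{flow.src}->{flow.dst} is not a single inward hop"

def audit(flows) -> list[str]:
    """Return one line per flow that violates the model; empty means compliant."""
    return [f"DENY {f.src}->{f.dst}:{f.port} ({evaluate(f)[1]})"
            for f in flows if not evaluate(f)[0]]

# Constructed sample of proposed firewall rules for review.
PROPOSED_RULES = [
    Flow("internet", "edge", 443),   # inbound web traffic hits the edge layer
    Flow("app", "data", 5432),       # web servers to database
    Flow("internet", "data", 5432),  # database exposed straight to the internet
    Flow("app", "management", 22),   # app tier reaching into management
    Flow("management", "data", 22),  # admin SSH into the data tier
]

if __name__ == "__main__":
    for line in audit(PROPOSED_RULES):
        print(line)
```

Running the script reports the two rules that break the model (the database exposed to the internet and the app tier reaching into the management network) while the adjacent-hop and admin-session rules pass.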
DDoS Protection
A.13.1.1 - Network Controls
Protection Layers:
- Edge Protection: Traffic scrubbing, rate limiting
- Network Layer: Packet filtering, geographic blocking
- Application Layer: WAF, bot detection
- Capacity: Massive bandwidth (10+ Tbps)
Key Takeaways
- Multiple physical security layers are essential
- Hypervisor security is critical for multi-tenancy
- Encryption at rest should be default
- Network segmentation reduces risk
- Hardware lifecycle includes secure disposal
- Environmental controls prevent physical threats
- Redundancy ensures availability
Self-Assessment
- What are the four physical security perimeter layers?
- Who is responsible for hypervisor security in IaaS?
- What encryption standard should be used for data at rest?
- What is the purpose of network segmentation?
- How should decommissioned hardware be handled?