TRUSTED AND SECURE COMPUTING
PROFESSOR: Dr. Selwyn Igwe
University of Cumberland’s
ISOL634 Physical Security
Sai Ram Devarasetty
Sri Divya Kadiyala
Sai Krishna Periketi
Praveen Reddy Velma
This report begins with the idea of managing cloud computing in data centers, and with the steps an organization should take to establish maximum security and implement secure and trusted computing. Data centers encounter various types of challenges that expose their vulnerabilities through poor management or human error. However, there are safety measures that can be taken to eliminate these vulnerabilities, and they are discussed in detail with respect to building a secured data center. There are various types of challenges within the industry that we must counter, and they are analyzed throughout this research paper. Hypervisors and operating systems have ultimate access to hardware, and they could cause many of the issues in secure computing. Vulnerabilities can be avoided by taking countermeasures.
Large-scale industries have recently been switching to cloud computing. The reasons are not complex: organizations do not need to worry about setting up the environment, the cloud is easy to use, and they do not need to worry about disaster recovery because they can bring in third-party expertise as part of the deal (Miller, 2016). Cloud computing offers cloud-based services that suit any kind of business, even one whose business fluctuates. It is easy to scale the cloud up as the subscribing organization's business grows and to cut it down based on bandwidth, which provides flexibility. The loss of a laptop by an employee is no longer an issue if the organization is using the cloud, because it can simply erase the data on the lost laptop through the cloud (Pearson, 2003). Major IT organizations are planning to migrate to the cloud; an organization only needs to subscribe to a cloud service and keep the cash flowing. It does not have to worry about maintaining the servers or constantly patching them, since all of this is taken care of by the cloud service company. Many cloud services have been introduced into the market that provide various services depending on the industry type, but what matters to the organization is whether the chosen service is secure and trusted. A cloud service should not be misunderstood as something that sits in the atmosphere like a satellite; it is simply a data center with many servers and supercomputers in a secured building. Generally, a company offering cloud services sets up a huge data center with extensive security inside and outside. The criteria are how well the data center is secured from the outside, what barriers are used, and what precautions are taken to prevent intruders. The offering company has to focus on physical security as much as on software security (Pearson, 2003).
It has to use the best infrastructure, from the material used to build the fences, the types of glass, and the type of wiring inside the building to the security administration and even the security guards. The result shows that the data center is secured and so gains the customers' trust. Our focus is on the measures to be taken for a data center in order to prevent intruders from the outside and also from the inside.
Employees are not always just employees; one might be a hacker in disguise. It is important to know an employee's intentions rather than hiring him just because he is technically good at the work. It is the responsibility of the organization's administration to look over employees and perform the required background check before giving them the job. Once the employee has joined, he has to be provided with the necessary badges and ID card according to his role in the organization (Miller, 2016). This is called access control, and it is managed by the chief security officer in collaboration with the administration. This process between HR and the security officer has to be clear, because gaps in it can lead to security breaches. One such instance happened at Transformations Autism Treatment Center (TACT) in Bartlett, Tennessee, where a former employee simply logged in to the cloud from his residence and stole data from it (Burgess, 2018). Valuable health data of 300 people was stolen, and what he did with the data is unknown; however, TACT informed the FBI and the employee was caught. According to TACT, they followed the basic process that any other company would when terminating an employee; what went wrong was that the former employee was still able to log in to TACT's cloud with his expired credentials. TACT should have notified their cloud service to terminate his access completely. This is called off-boarding, and without a comprehensive off-boarding process, you risk being exploited by a malevolent former employee. Former employees whose access is not terminated can attempt to access data from which they should now be excluded (Burgess, 2018). This is one of the challenges an organization faces when dealing with a cloud-based service. Now let us look at the other challenges that a cloud service data center faces and their countermeasures.
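The off-boarding gap described above can be checked by reconciling HR termination records against the cloud provider's account list and login log. The following is an added example, not part of the original report; the record layouts, field names, user names and dates are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (assumed layouts, not taken from any real system).
HR_TERMINATIONS = {            # user -> termination time (ISO 8601, UTC)
    "user_a": "2018-02-01T17:00:00+00:00",
    "user_b": "2018-03-10T17:00:00+00:00",
}
CLOUD_ACCOUNTS = [             # export of the cloud service's user directory
    {"user": "user_a", "enabled": True, "active_tokens": 2},
    {"user": "user_b", "enabled": False, "active_tokens": 0},
    {"user": "user_c", "enabled": True, "active_tokens": 1},
]
LOGIN_EVENTS = [               # export of the cloud service's sign-in log
    {"user": "user_a", "time": "2018-01-30T09:12:00+00:00"},
    {"user": "user_a", "time": "2018-02-14T22:41:00+00:00"},
    {"user": "user_b", "time": "2018-03-10T16:00:00+00:00"},
    {"user": "user_c", "time": "2018-03-12T08:30:00+00:00"},
]

def audit_offboarding(terminations, accounts, logins):
    """Return sorted (user, finding) pairs for terminated staff whose
    cloud access was not fully removed."""
    cutoff = {u: datetime.fromisoformat(t) for u, t in terminations.items()}
    findings = set()
    for acct in accounts:
        user = acct["user"]
        if user not in cutoff:
            continue                      # still employed, nothing to check
        if acct["enabled"]:
            findings.add((user, "ACCOUNT_STILL_ENABLED"))
        if acct["active_tokens"] > 0:     # sessions or API keys left behind
            findings.add((user, "SESSIONS_NOT_REVOKED"))
    for event in logins:
        end = cutoff.get(event["user"])
        # A successful login after the termination time is the strongest
        # signal that off-boarding never reached the cloud service.
        if end is not None and datetime.fromisoformat(event["time"]) > end:
            findings.add((event["user"], "LOGIN_AFTER_TERMINATION"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_offboarding(
            HR_TERMINATIONS, CLOUD_ACCOUNTS, LOGIN_EVENTS):
        print(f"{user}: {finding}")
```

Run on a schedule, a reconciliation like this catches the case where HR completes its own termination steps but the cloud service is never told.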
Physical threats to IT equipment include such things as power and cooling problems, human error or malice, fire, leaks, and air quality (Fennelly, 2012). Some of these, including threats related to power and some related to cooling and fire, are routinely monitored by the built-in capabilities of power, cooling, and fire suppression devices. For instance, UPS systems monitor power quality, load, and battery health; PDUs monitor circuit loads; cooling units monitor input and output temperatures and filter status; fire suppression systems (the ones required by building codes) monitor the presence of smoke or heat. Such monitoring typically follows well-understood protocols automated by software systems that aggregate, log, interpret, and display the information (Anderson, 2003). Threats monitored in this way, by pre-engineered functionality designed into the equipment, do not require any special user expertise or planning in order to be effectively managed, as long as the monitoring and interpretation systems are well engineered. Other kinds of physical threats in the data center do not present the user with pre-designed, built-in monitoring solutions. For instance, the threat of poor humidity levels can be anywhere in the data center, so the number and placement of humidity sensors is an important consideration in managing that threat. Such threats can potentially be distributed anywhere throughout the data center, at variable locations that depend on room layout and equipment positioning (Fennelly, 2012).
The distributed physical threats covered by this paper fall into these general categories:
• Air quality threats to the IT equipment, such as temperature and humidity, together with liquid leaks
• Threats posed by human presence or unusual activity
• Air quality threats to personnel, for example foreign airborne substances
• Dangerous smoke and fire arising from data center hazards
Evaluate security controls on physical infrastructure and facilities
The security of an IT system also depends on the security of the physical infrastructure and facilities. In the case of cloud computing, this extends to the infrastructure and facilities of the cloud service provider. The customer must get assurance from the provider that appropriate security controls are in place. Assurance may be provided by means of audit and assessment reports, demonstrating compliance to such security standards as ISO/IEC 27002. The security controls include:
• Physical infrastructure and facilities should be held in secure areas. A physical security perimeter should be in place to prevent unauthorized access, allied to physical entry controls to ensure that only authorized personnel have access to areas containing sensitive infrastructure. Appropriate physical security should be in place for all offices, rooms, and facilities that contain physical infrastructure relevant to the provision of cloud services.
• Protection against external and environmental threats. Protection should be provided against fire, floods, lightning, earthquakes, civil unrest or other potential threats that could disrupt cloud services.
• Control of personnel working in secure areas. Controls should be applied to prevent malicious actions by any personnel who have access to secure areas.
• Equipment security controls. Controls should be in place to prevent loss, theft, damage or compromise of assets.
• Supporting utilities such as electricity supply, gas supply, telecommunications, and water supply should have controls in place. Controls are required to prevent disruption to cloud services either by failure of a utility supply or by malfunction (e.g., water leakage). This may require the use of multiple routes and multiple utility suppliers.
• Control security of cabling. Controls are needed to protect power cabling and telecommunications cabling to prevent accidental or malicious damage.
• Proper equipment maintenance. Controls should be in place to perform necessary preventive maintenance of all equipment to ensure that services are not disrupted through foreseeable equipment failures.
• Control of removal of assets. Controls are required on the removal of assets to avoid theft of valuable and sensitive assets.
• Secure disposal or reuse of equipment. Controls are required for the disposal of any equipment and particularly any devices which might contain data such as storage media.
• Human resources security. Appropriate controls need to be in place for the staff working at the facilities of a cloud service provider, including any temporary or contract staff.
• Backup, redundancy and continuity plans. The provider should have appropriate backup of data, redundancy of equipment, and continuity plans for handling equipment failure situations.
Effective physical security requires a centralized management system that allows for correlation of inputs from various sources, including property, employees, customers, the general public, and local and regional weather. For more detail on the controls and considerations that apply to each of these items, refer to the ISO/IEC 27002 standard.
Ways to build physical security into your data center:
Build on the right spot: Make sure the building is at some distance from headquarters (approximately 20 miles) and 100 feet away from the main road. Avoid bad neighbors such as airports, chemical facilities and power plants, and bad news such as earthquake fault lines, areas prone to hurricanes and floods, and a "Data Center" sign.
Have redundant utilities: To accommodate the building's special needs, data centers need two sources for utilities such as water and electricity. Trace electricity sources back to two separate substations and water back to two different main lines. Lines should be underground and should come into different areas of the building.
Pay attention to walls: Walls play a major role in countering threats to the data center. A cheap and effective barrier against the elements and explosive devices is foot-thick concrete walls lined with Kevlar.
Avoid windows: The best way to protect the data from explosions is to avoid windows. If you must have windows, limit them to the break room or administrative area and use thick, bomb-resistant laminated glass.
Use landscaping for protection: Large trees, boulders and gulleys hide the data center building from passing cars, buses and trucks, obscure security devices like fences, and help keep vehicles from getting too close. They also look attractive around the building.
Keep a 100-foot buffer zone around the site: Where landscaping does not protect the building from vehicles, use crash-proof barriers such as bollard planters. Bollard planters are thick, and they are more attractive and effective than other devices.
Use retractable crash barriers at vehicle entry points: Control access to the parking lot and loading dock with a staffed guard station that operates the retractable bollards. Use a raised gate and a green light as visual cues that the bollards are down and the driver can go forward. In situations when extra security is needed, have the barriers left up by default, and lowered only when someone has permission to pass through.
Plan for bomb detection: Data centers that are especially sensitive or likely targets should have guards use mirrors to check each vehicle, including employee vehicles as well as visitor and delivery vehicles, to prevent bomb explosions, and should also provide portable bomb-detection and disposal devices.
Limit entry points: To avoid unnecessary access to the data and threats to the data center, establish one main entrance and one entrance for the loading dock. Limiting entry points also has the additional advantage of lower cost.
Make fire doors exit only: Fire doors are also one of the best ways of avoiding threats. For the exits required by fire codes, install fire doors that have no handles on the outside, so that if any of these exit doors is opened, a loud alarm sounds and triggers a response from the security command center.
Use plenty of security cameras: Installing surveillance cameras around the building, at building entrances and exits, and at every access point throughout the building helps to minimize theft of data and to secure the data center efficiently. A combination of motion-detection devices, low-light cameras, pan-tilt-zoom cameras and fixed cameras is ideal. Footage should be digitally recorded and stored securely offsite.
Protect the building's machinery: Use concrete walls to secure two areas: the mechanical area of the building, which houses the environmental systems and uninterruptible power supplies, and the generators. Make sure that all contract workers and other people such as repair crews are always accompanied by an employee when they enter the mechanical area.
Plan for secure air handling: Make sure the heating, ventilating and air-conditioning systems can be set to recirculate air inside the room rather than drawing in air from the outside. This could help protect people and equipment if there were a biological or chemical attack or heavy smoke spreading from a nearby fire. For added security, put devices in place to monitor the air for chemical, biological or radiological contaminants.
Ensure nothing can hide in the walls and ceiling: In the most secure and sensitive areas of the data center, make sure the internal walls run from the slab ceiling all the way to the subflooring where wiring is typically housed. Avoid drop-down ceilings over walls constructed inside the room.
Use two-factor authentication: Biometric identification is becoming standard for access to sensitive areas of data centers, with hand geometry or fingerprint scanners usually considered less invasive than retinal scanning. In other areas, you may be able to get away with less-expensive access cards.
Watch the exits too: Monitor entrances and exits not only for the main facility but for the more sensitive areas of the facility as well. It will help you keep track of who was where and when. It also helps with building evacuation if there is a fire.
Prohibit food in the computer rooms: Provide a common area where people can eat without getting food on computer equipment.
Install visitor rest rooms: Make sure to include bathrooms for use by visitors and delivery people who don't have access to the secure parts of the building.
Humans are reportedly the weakest link in the security supply chain (Shakti Mohan, 2016). This is because humans play the vital role in defining security, and we all make mistakes. Even a simple mistake can result in a major breach: all the attacker needs is an entry point into the organization, and if that can be achieved through a basic human error, then all the security implemented physically and virtually is of no use. Because there is no way to completely eliminate human error, organizations have to reduce it instead by educating their employees on how a simple error can cause a huge loss to the organization. The organization must conduct sessions that explain the security policies it follows and make sure employees understand them. An organization should also hire responsible and experienced candidates by performing a background check on them. It should also conduct occasional security drills to measure the reaction time of its employees and the effectiveness of its security system, as well as to find the weak points. A sound risk assessment plan has to be made by a risk management professional to prevent excessive loss. The bottom line is that, with all these vulnerabilities in the security world, no organization is ever completely safe, but at the same time an organization must have a plan to mitigate any unknown threat.
Christopher Burgess, 3rd, 2018. The Trusted and Valued Insider. Retrieved from https://www.csoonline.com/article/3265109/security/former-employee-visits-cloud-and-steals-company-data.html
David Grawrock, The Intel Safer Computing Initiative. Intel Press 2006.
D. Lie, Architectural support for copy and tamper resistant software, Ph.D. thesis, Department of Electrical Engineering, Stanford University, Stanford, California, USA, December 2003.
Fennelly, L. J. (2012). Handbook of loss prevention and crime prevention. Waltham, MA.
Mitchell, C. (2005). Trusted Computing. Stevenage: IET.
Miller, M. (2016). What Is Least Privilege and Why Do You Need It? Retrieved from https://www.beyondtrust.com/blog/what-is-least-privilege/
Pearson et al., Trusted Computing Platforms, Hewlett Packard and Prentice Hall 2003.
R. Anderson, Cryptography and competition policy - Issues with ‘trusted computing’, Proceedings of PODC ’03, July 13-16, 2003, Boston, Massachusetts, USA, ACM, 2003.
S. Crane, Privacy preserving trust agents, Tech. Report HPL-2004-197, Hewlett-Packard Laboratories, Bristol, UK, November 2004.
Srinivasan, S. (2013). Is security realistic in cloud computing? Journal of International Technology and Information Management. 22.4, p47.
Shakti Mohan, 9th, 2016. Software Integrity. Retrieved from