CCSP Domain 3 - Physical Security
Download a FREE Printable PDF of all the CCSP MindMaps!
Your information will remain 100% private. Unsubscribe with 1 click.
Transcript
Introduction
Hey, I’m Rob Witcher from Destination Certification, and I’m here to help you pass the CCSP exam. We are going to go through a review of the major topics related to physical security in Domain 3, to understand how they interrelate, and to guide your studies.
This is the fifth of seven videos for Domain 3. I have included links to the other MindMap videos in the description below. These MindMaps are a small part of our complete CCSP MasterClass.
Physical Security
Physical security is critical in achieving confidentiality, integrity and availability.
There is an expression I like: if you can touch the box, you own the box.
In other words, if an attacker can gain physical access to a device like a firewall or a server they can easily gain control of the device. This is because our equipment has all sorts of bypass controls built in, like factory reset buttons.
We need to carefully control who can gain access to our facilities, specific rooms, and certain equipment.
Physical security is also critical in achieving integrity and availability as physical security controls like UPSs and generators provide a good clean supply of power.
HVAC systems provide cooling air at the right temperature and humidity,
and fire detection and suppression systems help to ensure our facilities don’t burn to the ground.
All very important things in achieving confidentiality, integrity and availability.
Safety of people
There is one primary goal of physical security, and that is the safety of people. People are the most valuable, the most important asset of any organization and physical security controls must prioritize the safety of people above all else.
Security Survey
We’re going to talk through a bunch of physical security controls in this MindMap, and an important consideration is: how do you decide which physical security you should put in place in your data center. The way we answer that question is through the security survey, which as I discussed in more detail back in the data center design MindMap. To summarize, the security survey is a process where you can identify the valuable assets of the cloud data center, the risks associated with those assets, and what controls should be implemented to mitigate the risks. In other words, which controls you should put in place.
Categories of Controls
There are five categories of controls used in physical security:
Deter Delay Detect Assess Respond
Deter, delay, detect, assess and respond.
- Deterrent controls discourage things like trespassing, property damage, theft and intrusion through signage and the environmental design of a building and the land around it.
- Delay controls delay a risk from occurring, for example locks delay an attacker from gaining unauthorized access.
- Detective controls detect if a risk has occurred. CCTV cameras are a perfect example of a detective control.
- Assess controls are used to determine the method of attack and the target.
- Respond controls take appropriate actions to remediate the risk.
Layered Defense
When we are implementing the aforementioned controls, we never want to implement a control in isolation. If there is only one control protecting an asset and that control fails then bad stuff will happen.
This is why we want to have multiple layers of controls, and at each layer have a combination of preventive, detective and corrective controls, or in physical security terms deterrent, detective and assess and respond controls. This is the concept of defense in depth.
Perimeter
The first layer of defense protecting a facility is often an outside perimeter like a fence. Another perimeter will be the exterior walls of the building.
What is the best way to secure the perimeter? Minimize the number of entrances and exits, the number of doors.
Landscape
Landscaping refers to the foliage around a building, the trees and the plants. You want to ensure the foliage is maintained to provide clear sight lines for cameras and that a would-be attacker can’t just climb up a tree and into the building.
Grading
Grading refers to how the land is sloped around a building. You want the ground to slope down and away from the building so that in the event of a flood you're nice and dry on an island and not at the bottom of a lake.
Doors / Mantraps
Doors are the primary way that we control who can gain access to a building and specific parts of the building.
A social engineering attack on doors is tailgating or piggybacking–an intruder follows an authorized person through a door after they have unlocked it. This is a super common and successful attack that can be prevented by using specialized doors: mantraps or turnstiles.
Mantraps are two doors, one after another. You must unlock the first door, enter a small space, close the first door behind you and only then can you unlock the second door. Mantraps prevent someone from tailgating or piggybacking.
Infrastructure
Lets now talk about the three major infrastructure services that are critical to the operation of a facility: network, power, and HVAC
Network
Network requirements are for a reliable connection to the largest distributed network in the world–the Internet–or to other locations of the organization.
Power
It’s tough to find equipment nowadays that doesn’t require electricity and harder yet to imagine a business that could continue to function without electronic systems of some sort. Accordingly, security is very concerned with providing a consistent supply of clean power.
And by clean power I don’t mean from renewable sources like wind or solar– which are awesome sources of power.
Instead, by clean power, I mean alternating current (AC) power that oscillates at a perfect 60 Hz with no noise or distortion in the line–it’s a perfect sine wave.
UPS
A couple of important devices used to provide a consistent supply of clean power: UPSs and Generators.
UPSs–uninterruptible power supplies–are basically giant batteries that provide instantaneous but short term power.
Generator
UPSs give us time until the generator is able to start up and come online. Generators are typically large diesel engines connected to an alternator. They can provide long-term backup power–for hours or even days depending on how much fuel is onsite.
HVAC
HVAC stands for heating, ventilation and air conditioning. These are the systems that provide air to a building at the correct temperature and humidity. They also filter the air. We talked about the ideal temperature and humidity ranges in the previous MindMap.
NFPA
The NFPA is the National Fire Protection Association, which issues a few key standards that you need to know about. The first is NFPA 75, which is a standard of fire protection for information technology equipment, while the second is NFPA 76, which is a fire protection standard for telecommunications facilities and data centers.
Fire Detection
Ok, now for a favorite topic of mine, fire!
Fire is a significant risk. And like any other risk we need to put controls in place to mitigate the risk of fire. Whenever we implement controls, we want a combination of preventative, detective and corrective controls.
What’s the best way to prevent a fire? Limit or eliminate any combustible materials.
You can never entirely prevent the risk of fire though, so if a fire does occur you want to detect it as quickly as possible, so we’ll talk about different fire detection methods.
As soon as you have detected a fire you want to correct it as quickly as possible, so we’ll finish this MindMap by talking about different fire suppression systems.
But first, let’s discuss fire detection systems. There are three major types: flame detectors, smoke detectors and heat detectors.
Flame
Flame detectors detect the infrared and ultraviolet light created by flames. Flame detectors are essentially video cameras that you point at something you are concerned might start on fire.
Smoke
There’s always smoke before a fire, and one of the best ways of detecting a fire as early as possible is using a smoke detector. There are two major types of smoke detectors, ionization and photo-electric.
Heat
Finally, we have heat detectors, often referred to as thermal detectors or rate of rise detectors. They are essentially temperature sensors that are monitoring for a rapid rise in temperature. If the temperature rapidly spikes you probably have a fire.
Which of these systems will detect a fire as early as possible? Remember there is always smoke before a fire, and the type of fire we are most concerned with is flaming or fast fires. So, pick ionization detectors.
Fire Suppression
Lets now talk about how we suppress a fire. There are two major types of systems: water-based, and gas-based. Water-based systems are cheaper than gas-based systems, but water and expensive electrical equipment in a datacenter are a terrible combination.
So, gas-based fire suppression systems are cost justified in data centers.
Water
Water-based systems are common in office buildings, hotels, and other spaces where some water is not going to destroy millions of dollars worth of equipment. There are four types of water-based systems you should know about.
Wet Dry Pre-action Deluge
Wet-pipe systems always have pressurized water in the pipes, just waiting to be released. Wet-pipe systems are the cheapest but have significant downsides: you can’t use them where the pipes might freeze, and because there is pressurized water in the pipes at all times you are inevitably going to get leaks.
Dry-pipe systems look identical to wet-pipe systems, but the key difference is the pipes are dry. They are filled with a pressurized gas, and water only comes flooding into the dry pipes when needed.
There are also pre-action and deluge systems and both of course use water to put out a fire.
Gas
Gas based systems use various types of gas to put out the fire. Some gas-based systems displace the oxygen from a room. No oxygen equals no fire.
But also, no oxygen equals no human life so it is critical to have safety systems in place to allow people to exit the datacenter before the gas is released.
Another method some gas-based systems will use to suppress a fire is to interrupt the chemical exothermic process that is fire.
INERGEN Argonite FM-200 Aero-K
Here are the 4 major types of gasses you need to know about: INERGEN, Argonite, FM-200 and Aero-k.
All of these are gas-based fire suppression agents.
There is one gas I will point out that is very intentionally not listed here: Halon. That gas has traditionally been used in data centers, however, it has been banned globally as it destroys our ozone layer. So, don’t pick Halon on the exam–t’s bad for the environment.
That’s it for our overview of physical security within Domain 3, covering many of the important concepts you need to know for the exam.
If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MindMap series, then please subscribe and hit the bell icon to get notifications.
I will provide links to the other MindMap videos in the description below.
Thanks very much for watching! And all the best in your studies!
