This is the third in a series of posts that will drill deeper into cloud security and some of the key questions it sparks. In the second installment, I highlighted the spheres of responsibility and looked at which security components are Rackspace’s responsibility, and which are the customer’s. In this installment, I will discuss the physical security measures Rackspace has in place to protect its cloud customers’ data.
Cloud computing is virtual. It happens, well, in the cloud. Because of that, it’s often easy to forget that somewhere data and information reside on real physical servers in brick-and-mortar locations that need to be secure.
At Rackspace, we ensure that our data centers are highly secure, impenetrable fortresses and have put into place a number of measures to protect our cloud customers’ data and sensitive information. We’ve been insistent on this point since we first opened our doors over 12 years ago, and we’ve learned a lot along the way. Here are a few of our standard security measures.
We require two-factor authentication to access all data center facilities to ensure only authorized personnel can enter. Our data centers also feature electromechanical locks controlled by biometric authentication (hand geometry or fingerprint scanner) and key-card/badge. And access to secure sub-areas is granted on a role-specific basis – if you’re not supposed to be in there, you won’t be allowed in there.
We have closed-circuit video surveillance installed at all entrance points on the interior and exterior of the buildings that house our data centers. Cameras are monitored 24x7x365 by on-site security personnel and support data retention for 90 days. Centralized Security Management Systems are deployed at all data centers to control the Electronic Access Control Systems and closed-circuit television networks.
Further, sensitive equipment such as information processing facilities, including customer servers, is housed in secure sub-areas within each data center’s secure perimeter and is subject to additional controls.
Our physical security measures also apply to Rackspace employees, aka Rackers. First, authorized Rackspace personnel’s access to the facilities is reviewed monthly by management. Second, we have put into place termination and role-change control procedures that remove physical and logical access rights when access is no longer necessary or appropriate.
Because Rackspace data centers are operational 24x7, they are manned around the clock by security teams and engineering/operations personnel. We’ve also implemented perimeter defense measures including walls, fences, gates and anti-vehicle controls. For deliveries, the loading bays at our data centers are separate areas secured by defined procedures and security controls.
Unauthorized visitors are not permitted access to data centers. And visitors who are authorized are required to follow a specific set of rules, including:
- Authorized approvers must specifically grant visitor access to the data centers at least 24 hours before a scheduled visit.
- Visitors must have a valid reason for entering the data center.
- Visitors must sign the visitor’s log, present a valid photo ID and specify the reason for visiting and a Rackspace point of contact.
- Visitor badges differ in appearance from Rackspace employee badges and do not provide any control over doors, locks, etc.
- All visitor access is logged. This policy applies equally to Rackspace employees not assigned to the data center.
- Visitors, including Rackspace customers, are strictly forbidden from accessing the data halls themselves and other secure sub-areas.
- Visitors must be escorted at all times while at any Rackspace facility.
- Data center management performs a monthly audit of security and visitor access logs.
Those are the steps we take and the physical security measures we implement to ensure that our cloud customers can be confident in the security of their data and servers while hosted in a Rackspace facility. Security in the cloud is not just virtual; there are a host of physical controls that must be in place to ensure secure computing in the cloud.
That’s it for this week. I hope you found it informative. Be sure to tune in next week, when I’ll talk in depth about network security.