A key component of security for an IT system is the security of the physical infrastructure and facilities that house the system. In the case of cloud computing, this extends to the infrastructure and facilities of the cloud service provider. Appropriate physical security controls are in place for IBM® Cloud. This document gives an overview of the physical security that we built into our cloud solutions.
The physical security of your cloud server depends on how you have deployed it. The IBM Bluemix® and IBM SoftLayer® environments are described below, together with who is responsible for the physical security that protects your cloud assets in each.
IBM Bluemix Local
Bluemix Local runs within your enterprise. For Bluemix Local, you own the physical security for the local instance. Your data center is secured behind your company firewall.
IBM Bluemix Public and IBM Bluemix Dedicated
Bluemix Public and Bluemix Dedicated run on top of the SoftLayer Infrastructure as a Service and rely on IBM SoftLayer for physical and environmental security.
Every aspect of an IBM SoftLayer data center, from location and accessibility to power density and redundancy, is designed to ensure its security, resiliency, and efficiency. This lets IBM personnel and IBM customers host business workloads, including sensitive and regulated workloads, knowing that the physical environment is managed to 100% availability service level agreements (SLAs) and is audited against these standards through IBM SoftLayer’s many independent third-party audits.
Third-party security audits and reviews
IBM SoftLayer is subject to multiple independent third-party audits, including SOC1 and SOC2, ISO 27001 and PCI DSS v3.1. Each of these audits covers the IBM SoftLayer Infrastructure Management System (IMS), the manage-from environment, and all operational data centers. If a data center is brought on-line during an audit review cycle, or if it has not been operational long enough to be included in a given cycle, it will be included in the next “available” audit and cycle.
For example, a data center that has been operational for less than six months is not eligible to be included in a SOC1 or SOC2 audit. That data center will be included in the next available audit, which may be a PCI audit or an ISO 27001 audit. So, while it may take a full year for a data center to be included in any given audit, it will typically take much less than that for it to be included in one of IBM SoftLayer’s independent third-party audits.
Audit reports are available to IBM SoftLayer customers on request. A listing of all of IBM SoftLayer’s compliance achievements is available from IBM SoftLayer. You can download “public” reports and certifications from this site, including the ISO 27001:2013 certificate, ISO 27017:2014 certificate, ISO 27018:2015 certificate, and SOC3 report.
Physical infrastructure and facilities security for IBM Cloud
Because physical security in Bluemix Public and Bluemix Dedicated is dependent on the underlying IBM SoftLayer infrastructure, let’s look at how IBM implements physical and environmental security at all IBM SoftLayer data centers.
Physical security for the perimeter
All data centers have multiple layers of physical security, starting with access controls at the facility perimeter working inward to the data center building, the building lobby, the building interior, and controlled rooms within the data center building, including the raised floor server rooms, network closets, electrical equipment and utility rooms, and the IBM SoftLayer staging areas.
Exteriors of buildings are kept free from undergrowth and are adequately lit. Doors (such as emergency exits) do not have exterior handles or exposed hinges and are monitored by CCTV. IBM SoftLayer data centers do not have exterior windows, and secured areas within the data center have no windows either. CCTV recordings are retained for at least 90 days.
Security guards perform regular walk-throughs of the interior halls and building exterior, which include checks that doors to secured areas are closed and locked.
Physical entry controls
Entry to all IBM facilities requires proximity-badge or magnetic-stripe-badge authentication. Access to data centers is recorded on CCTV and monitored by the facility’s security guards. If an employee has forgotten or lost their badge, they are issued a temporary access badge valid for one day, but only after their continued employment has been verified.
Each data center has at least one security entry point that is always staffed and may have one or more additional access-controlled entryways monitored by CCTV. Each controlled area requires at least badge-reader authentication, and sensitive areas (server rooms, network closets, utility closets) require badge and biometric authentication. All access attempts are logged and the logs are retained for at least one calendar year. Repeated failed access attempts trigger an alert to the security guards, who investigate.
Access to the data center does not in turn confer access to the secured rooms within it. Employee access is granted by job role: for example, server technicians do not have access to the network closet, and only trained facility staff have access to power-feed termination rooms.
Visitors, such as auditors, must be pre-approved and must provide a government-issued ID on entrance. Visitors may only enter through the staffed security entry point. Visitors will be provided with a badge for identity purposes; this badge identifies the wearer as requiring escort at all times and does not confer access to any secured areas within the data center. Visitor access logs are retained in paper and electronic form for at least one calendar year.
Securing offices, rooms, and facilities
Within each data center, all offices and rooms are protected by badge access, with additional biometric authentication required for secured areas such as the server room, network closet and utility closet. All access attempts are logged and reviewed, and any repeated unsuccessful access attempts (against interior or exterior doors) trigger an alert to the physical security guards. CCTV cameras are focused on these areas and guards investigate in person.
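The two controls described above, alerting on repeated failed badge attempts and enforcing that data center entry does not imply access to secured rooms, are the kind of checks a security operations team would run over the badge-reader logs. The following is an added example, not IBM SoftLayer’s own tooling: the log format, the door names, the role-to-zone policy and the five-minute/three-attempt threshold are all assumptions, and the log lines are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample badge-reader log (assumed format; not a real IBM log).
SAMPLE_LOG = """\
2017-03-01T08:00:05Z lobby-door badge=1001 role=server-tech result=GRANTED
2017-03-01T08:00:40Z server-room-A badge=1001 role=server-tech result=GRANTED
2017-03-01T08:01:10Z network-closet-1 badge=1001 role=server-tech result=DENIED
2017-03-01T08:01:25Z network-closet-1 badge=1001 role=server-tech result=DENIED
2017-03-01T08:01:42Z network-closet-1 badge=1001 role=server-tech result=DENIED
2017-03-01T08:30:00Z network-closet-1 badge=2002 role=network-eng result=GRANTED
2017-03-01T09:15:00Z generator-room badge=2002 role=network-eng result=GRANTED
2017-03-01T09:20:00Z lobby-door badge=3003 role=visitor result=DENIED
2017-03-01T12:00:00Z lobby-door badge=3003 role=visitor result=DENIED
"""

# Hypothetical role-to-zone policy, modelled on the page's examples
# (server technicians cannot enter the network closet, only facilities
# staff enter power rooms, visitor badges confer no secured-area access).
POLICY = {
    "server-tech": {"lobby-door", "server-room-A"},
    "network-eng": {"lobby-door", "network-closet-1"},
    "facilities": {"lobby-door", "generator-room", "utility-closet"},
    "visitor": set(),
}

FAIL_THRESHOLD = 3                 # assumed: 3 failures ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within 5 minutes raises an alert


def parse_line(line):
    """Split one log line into a dict; assumes the constructed format above."""
    ts, door, badge, role, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "door": door,
        "badge": badge.split("=", 1)[1],
        "role": role.split("=", 1)[1],
        "result": result.split("=", 1)[1],
    }


def analyse(log_text):
    """Return a list of (alert_type, badge, door, timestamp) tuples.

    REPEATED_FAILURE: FAIL_THRESHOLD denials for the same badge at the same
    door inside FAIL_WINDOW (sliding window, one alert per burst).
    POLICY_VIOLATION: a GRANTED event at a door the badge's role should not
    be able to open, i.e. the reader configuration disagrees with policy.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # (badge, door) -> denial timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        key = (ev["badge"], ev["door"])
        if ev["result"] == "DENIED":
            q = recent_failures[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > FAIL_WINDOW:
                q.popleft()  # drop denials outside the window
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("REPEATED_FAILURE", ev["badge"], ev["door"], ev["ts"]))
                q.clear()    # do not re-alert on every further failure in this burst
        elif ev["result"] == "GRANTED":
            recent_failures[key].clear()
            if ev["door"] not in POLICY.get(ev["role"], set()):
                alerts.append(("POLICY_VIOLATION", ev["badge"], ev["door"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

On the constructed log this raises two alerts: badge 1001 (a server technician) fails three times at the network closet within 32 seconds, and badge 2002 (a network engineer) is granted entry to the generator room, which the policy reserves for facilities staff. The two visitor denials at the lobby are hours apart and fall outside the window, so they produce no alert; a real deployment would tune the threshold per door and also review successful entries outside working hours.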
Secured rooms do not have exterior facing windows or doors. Doors are covered by CCTV monitoring so that security guards can monitor and investigate any suspicious behavior.
Within the raised floor server room, perimeter construction is “slab-to-slab” meaning it is not possible to gain access through raised floors or dropped ceilings. Raised floor tiles are inspected as part of regular walk throughs.
Protecting against external and environmental threats
External and environmental threats may impact the “paint”, “power” or “pipe” of the data center. This is a convenient way to refer to the building and facility (the “paint”), the utility systems (“power”) and network connectivity (“pipe”). Each is addressed below.
Paint and power (building, utilities)
IBM SoftLayer data centers are built to withstand environmental threats and are not located (for example) in flood plains. Data centers such as the Tokyo TOK01 are built in earthquake resistant structures.
All IBM SoftLayer data centers maintain multiple power feeds from independent utility providers, with dedicated generators in an N+1 configuration and Uninterruptible Power Supply (UPS) battery backup. Within the raised-floor server room, Power Distribution Units (PDUs) ensure continued power distribution to each row. IBM SoftLayer has diesel capacity for at least 24 hours of backup power, with refueling provisions from multiple providers in place.
Backup and redundant systems are tested on a regular basis, including monthly generator tests to ensure proper roll-over across back-up generators. Maintenance is performed against these components according to manufacturer’s specifications.
Heating and cooling (HVAC) mechanisms, such as CRAC units, CRAH units, air handlers and/or chillers, are in place to manage temperature and humidity for the premises. IBM SoftLayer’s hot/cold aisle row configuration lets us run our data centers efficiently; conditions are continually monitored through the local Building Management System (BMS) and by regular walk-throughs and inspections.
All facilities are protected by smoke and fire detection alarm systems as well as fire suppression systems. Fire suppression systems include both fire extinguishers and pre-action sprinkler systems and are tested on a regular basis.
Regular fire drills are conducted, both “announced” and “unannounced”. Individuals are required to exit the building and follow the directions of the appointed fire drill captains, including assembling at published meeting places.
Network connectivity from external network “Points of Presence” (POP) providers includes multiple, physically redundant optical network cables. If any of these is broken, because of the (not-so-proverbial) backhoe based network cable cut, the remaining cables will carry the network traffic until a new optical connection can be established. This may result in degraded performance but will not result in a data center’s being cut off from the rest of the infrastructure.
These controls let IBM SoftLayer manage to and assert a 100% availability SLA for the IBM SoftLayer IaaS.
Working in secure areas
All IBM facilities, including corporate office buildings and data centers, follow physical security policies and procedures to ensure the safety and security of individual employees. This includes restricting access to buildings based on job role, as well as continued monitoring of the interior and exterior physical environment to look for threats and abnormalities.
All IBM sites, both data centers and corporate offices, have physical security guards. Security guards perform regular walkthroughs of the facility, including parking garages and other areas. Security guards are available to escort staff to their cars after hours and respond to the IBM 24-hour emergency call number.
Delivery and loading areas
The delivery, loading, and other areas where unauthorized persons may enter the premises are controlled. Shipments are pre-arranged and require authorization to access the data center facility perimeter.
Equipment siting and protection
As noted above, IBM SoftLayer data centers are built to withstand environmental threats, are not sited in flood plains, and where necessary (for example, Tokyo TOK01) are built in earthquake-resistant structures. Within the data center, all utility equipment is located in dedicated, secured areas accessible only to those with the appropriate job role. Thus a server-room technician does not have access to the diesel storage tank farm or to the generator rooms.
Servers are hosted in separate, raised-floor server rooms that require badge-and-biometric authentication and are subject to both access logging and CCTV monitoring and recording. Within the server room, servers are marked by barcode and do not have any customer identifying information.
All IBM SoftLayer data centers maintain multiple power feeds from independent utility providers to protect against failure of any one provider. The N+1 configuration of dedicated generators means that there is at least one more generator than the load requires, so a single generator failure does not reduce backup capacity. Uninterruptible Power Supply (UPS) systems carry the data center load if both independent utility feeds are interrupted, until the backup generators are brought fully on-line. Within the raised-floor server room, Power Distribution Units (PDUs) ensure continued power distribution to each row.
IBM SoftLayer has diesel capacity to ensure at least 24-hours of backup power with priority contracts for refueling from multiple providers. This ensures that in the case of a prolonged utility outage, diesel will be continually provided.
Heating and cooling (HVAC) mechanisms are also maintained in an N+1 configuration to ensure independent heating and cooling for the data center facility.
As an interesting side note, when the National Football League (NFL) Super Bowl championship game was played in Dallas, IBM SoftLayer took all of its Dallas data centers “off the grid” and ran on diesel for three days, to lessen the load on the Dallas Metroplex utility grid. Not only was this the right thing to do for Dallas-area residents, it allowed us to test and confirm the diesel delivery process, including emergency refueling.
Network termination points, at both IBM SoftLayer Points of Presence and data center terminations, are located in secured areas. These badge-and-biometric secured areas are accessible only to network engineers with the appropriate job role, and all access is logged and monitored.
All infrastructure equipment is regularly inspected (typically as part of daily walkthroughs) and regularly tested and maintained according to manufacturer’s specifications. Heating, cooling and utility equipment is managed by trained data center provider staff, with the same levels of access control as all other data center support personnel. Inspections, maintenance and suspected or actual faults are logged and maintained by the data center provider. If a vendor must be brought in for specific maintenance (such as specific maintenance to N+1 generator farm), this access is pre-approved and supervised.
Infrastructure (servers, devices)
The server rooms are maintained at constant temperature and humidity to provide a stable operating environment for servers and devices (such as routers and switches). If physical maintenance is required on a customer’s bare metal server, such as adding hard drive capacity or a GPU, it is undertaken only in response to a written request and approval by the customer. The request and approval dialog between IBM SoftLayer and the customer is recorded in a SoftLayer service ticket, which the customer can download for import into their own service management tools as required.
Removal of assets
Infrastructure assets (those supporting the IaaS service) are not removed from the premises. IBM SoftLayer does not support off-site asset storage, such as tapes or disk backups. All assets are kept on site and are only removed when they are end-of-life and have been subject to the appropriate NIST SP 800-88 purge processes.
Note that in some circumstances IBM may move inventory between data centers, but this is only the case of inventory that has never been in service or has been subject to a purge of all data. IBM does not move servers containing customer data, with or without customer permission.
Secure disposal or re-use of equipment
Customers have primary responsibility for deleting their data before de-provisioning an IBM SoftLayer ordered server or service. IBM ensures that servers and services are subject to at least a NIST SP 800-88 compliant “clear”, if not a purge, on de-provisioning.
Bare-metal servers are subject to a NIST SP 800-88 based purge on de-provisioning, including a DoD-grade wipe of the hard drives, a BIOS flash, and a TPM clear (for a server that was ordered with Intel TXT enabled). This ensures that the server holds no previous customer’s data before it is issued to the next customer.
When a server or hard drive is removed from service, it is subject to the same purge process, hard drives are locally crushed and then sent off-site (by secure courier) for certified destruction.
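NIST SP 800-88 pairs every clear or purge with a verification step, either a full read-back of the media or a representative sample of it. The following added example (not IBM SoftLayer’s tooling) shows that verification against a constructed disk image and why sampled verification can miss a single un-purged sector that a full read-back catches. The 512-byte sector size, the 1024-sector image, the sample size and the all-zero overwrite pattern are assumptions for illustration.

```python
import os
import random
import tempfile

SECTOR = 512  # assumed sector size for the constructed image


def make_image(path, sectors, dirty_sector=None):
    """Write a constructed disk image of all-zero sectors, optionally leaving
    one sector with residual data to simulate an incomplete purge."""
    with open(path, "wb") as f:
        for i in range(sectors):
            if i == dirty_sector:
                f.write(b"\xde\xad" * (SECTOR // 2))
            else:
                f.write(b"\x00" * SECTOR)


def sample_indices(nsectors, count, seed=0):
    """Pseudo-random representative sample of sector indices for sampled
    verification. Seeded so the run is reproducible."""
    rng = random.Random(seed)
    return sorted(rng.sample(range(nsectors), min(count, nsectors)))


def verify_purge(path, indices=None, pattern=b"\x00"):
    """Check that each sector in `indices` (every sector when None) holds
    only the overwrite pattern. Returns (ok, list_of_failed_sectors)."""
    nsectors = os.path.getsize(path) // SECTOR
    if indices is None:
        indices = range(nsectors)
    expected = (pattern * SECTOR)[:SECTOR]
    failed = []
    with open(path, "rb") as f:
        for i in indices:
            f.seek(i * SECTOR)
            if f.read(SECTOR) != expected:
                failed.append(i)
    return (not failed, failed)


def run_demo():
    """Build a 1024-sector image with one un-purged sector (700), verify it
    fully and by a 64-sector sample, then verify a fully purged image."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "purged-disk.img")
        make_image(path, 1024, dirty_sector=700)
        full_ok, full_failed = verify_purge(path)
        sample = sample_indices(1024, 64, seed=1)
        sample_ok, _ = verify_purge(path, indices=sample)
        make_image(path, 1024)
        clean_ok, clean_failed = verify_purge(path)
    return {
        "full_ok": full_ok,
        "full_failed": full_failed,
        "sample_ok": sample_ok,
        "sample_saw_dirty": 700 in sample,
        "clean_ok": clean_ok,
        "clean_failed": clean_failed,
    }


if __name__ == "__main__":
    print(run_demo())
```

Full verification always reports sector 700 as failed, while the sampled pass only reports it if sector 700 happens to fall in the sample. On real media the same read-back logic applies to the block device (or, for self-encrypting and NVMe drives, to the device’s own sanitize status report), and a failed verification should route the drive to physical destruction rather than back into inventory.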
Human resources security
Appropriate controls are in place for all staff—including temporary and contract staff—working at facilities that are related to IBM Cloud. Note that temporary and contract staff will not have access to the Cloud data centers.
- When an employee accepts an offer to work at IBM, he or she must undergo a background check and agree to IBM’s terms of employment.
- IBM does not require employees to sign agreements for a particular customer. IBM employees are bound to their terms for all clients.
- A standard set of pre-employment verifications are conducted and controlled by HR for all new employees and independent contractors.
- Deviations from the standard are scrutinized by HR on a case-by-case basis. HR guidelines are followed to ensure that suitable qualifications for employment are met. Hiring policies require a minimum level of education and experience, completion of all application forms, references, background and criminal record checks, as well as execution of confidentiality statements.
- All new hire candidates are required to complete a job application form. Employment eligibility verification is completed by HR for all new employees. Some positions require pre-employment testing. IBM reserves the right to waive the application process and background check on any candidates who are hired at a director level or above. Upon successful hiring of a candidate, a New Hire Form is completed and management approves employment.
- All employees are required to sign an information security policy. The information security policy contains information regarding logical, physical, and environmental security practices along with a policy of protecting customers’ confidential information. Employees are required to sign an acknowledgement confirming their understanding of the employee handbook, including updates, and their roles and responsibilities contained within.
- Additionally, all new hires are required to sign a confidentiality/non-disclosure agreement.
- IBM has an extensive security training program and information is communicated regularly to employees and contractors. Each employee is required to recertify his or her security training yearly.
- All IBM employees take yearly security awareness training, regardless of role. Additional training is provided as required based on role.
Exit process and termination
- When an employee resigns or is terminated, IBM’s HR Termination Checklist is followed. This includes deactivation of the user in the IBM SoftLayer Enterprise Registry and removal of all privileges, as well as collection of badges, computers, and SoftLayer-issued assets.
- IBM documents policies for user privilege management, including role change and termination. The policy details are not shared externally. Generally, the network and database access rights are revoked by the IT Department and facilities access is revoked by the Operations and Facilities Department.
- Physical and logical access for terminated personnel is revoked in a timely manner.