This is our third module; the fourth module is our chapter review. We have about 15 to 20 slides for this module. We'll start off by looking at on-premise services, then at cloud-based services and some other network controls.

Historically, we hosted our services close to our clients. The servers were close to the clients on a local area network, with core network devices helping to connect all the different servers and clients together. We want high availability, we want physical security for this environment, and we want logical security: logical access control, but also physical access control. We talked in Chapters 2 and 3 about the importance of locking your data center; in Chapter 3 we talked about controls and the interdependence between logical and physical controls.

Monitoring: making sure we know what's happening. Critical components: what are the critical components in your data center? Even more generically, if you don't have a data center, what are the critical components in your home? What things do you need to keep operations going? This links back to the business continuity that we looked at, that idea of business impact analysis. What things are essential?

All of this equipment is typically housed in cabinets: very tall server cabinets and network cabinets. Sizes vary widely in data centers, and the diagram is a pretty good indication of their appearance. But in small offices and home offices you do get things that look almost like a microwave: that size and shape of form factor, maybe with a single switch and a single router in it. It does vary widely. Whatever kind of data center or network cabinet we have, we want to consider the physical security and the logical security. Common to both our data centers and our network cabinets now is the use of some door access control system and CCTV; they're both pretty cheap controls to implement now.
A word of warning, or a word of caution: in some small remote sub-offices, satellite offices, you tend to see small network cabinets in the main office that aren't secured physically. In fact, the door to the cabinet is left open for people to plug things in and unplug things. If somebody has physical access to one of those network cabinets, they can undermine your logical security. That's really important, and the reason I mention a small satellite office is that compliance sometimes becomes less comprehensive the further you are away from headquarters. One of these small offices without a dedicated secure environment may not have the same physical capabilities. There are still things we can do, as simple as locking the cabinet door and keeping it closed, and making sure we have proactive maintenance.

We do see now pretty much everything using IP. We have desk-based lighting systems, heating, ventilation, air conditioning, all using IP systems. What does this mean for us? Well, a couple of things. If you look at the Target retailer, the attack that compromised Target almost a decade ago now was based on one of their third parties who was managing a refrigeration contract. Some of these are supply chain issues: who has access to some of these systems? Because we're broadening what uses IP in the network, the idea of the network, we may need more people to have access to it, so that IP convergence can have a broad range of risks.

Because of IP convergence as well, we may want to consider what we protect in terms of power. Telephony used to be telephones that would still work in a power cut, because the low voltage was provided from the telephone exchange two, three, four, five miles away. With voice-over-IP that power comes from your local network cabinet, and in fact all network cabinets between the handset, your data center, and the telephone network need to be protected.
We need communications to be live all the way across your network; it's no longer the case that we can just rely on the telecoms provider. We may now want to consider that. Think about, in the event of a power cut, needing to contact law enforcement agencies. What does that mean if you're using voice-over-IP?

Monitoring: all of these things need monitoring carefully. Temperature, humidity, a whole range of things to monitor, and of course security. Coming back to temperature: fire suppression. We see different types of portable extinguisher there in the diagram. You'll see each of these has a different type category. Some are water-based, some are gas-based, some are powder-based. Gas-based are very common where there is electricity. This is because water does not work well with electricity. It leaves high levels of damage but can also create a health risk, or a risk to human life: water conducts electricity and therefore can create a risk to human beings. With our portable extinguishers it is much more common to see them using carbon dioxide, CO2 extinguishers.

In the data center, we certainly don't have sprinklers. They're not going to be a good mix for us. We use gas- or aerosol-based systems, and we need to make sure these are appropriately sized. Why? Well, because there are toxicity issues. Most gas-based or aerosol-based systems are safe for human beings within acceptable limits. If you have a gas-based system in a large room with only four network cabinets, there will be a lot of gas installed in pressurized canisters to cover the space. If you then install lots more network cabinets, say 20 network cabinets now, there may be too much gas for that space, and so the toxicity levels will rise. This is why we need to make sure they are appropriately sized for the environment: to make sure they're effective, but also to make sure that they're not going to be toxic for human beings.
Some of the oldest systems we saw were actually toxic and not safe for human beings. Modern gas-based systems are safe if appropriately sized and appropriately implemented. All gas-based or water-based systems need checking and maintaining periodically. Usually, if you have these systems, you have a requirement to make sure that they're checked. That legal requirement is usually mandated, not in every jurisdiction but in most.

Memorandum of understanding. Here, what we can do is, if we have a data center and somebody else has a data center, we could try to form some reciprocal agreement. An MOU is an agreement between two or more parties. You could agree that maybe your backups and your backup tapes, some of your backup capabilities, are hosted at a partner agency and you then reciprocate: you do the same for them. There are a number of problems here. Firstly, it's hard to enforce. This is generally either an informal agreement or an agreement that isn't as well formed as a contract would ordinarily be. Secondly, it can be hard to gain the level of trust you need to sign one of these. If you think of two companies competing in the same sector, it is unlikely they would be able to form this agreement, or that they would want to. Where you do see these happening, or where I've seen this work, is in government sectors, health care, or voluntary sectors: effectively where the different agencies aren't competing with each other. Maybe two state governments working with each other, or two city councils working with each other, or two health care agencies. We need to make sure we consider any privacy implications as well. If we're having different people accessing data, what is the risk that arises from that? Are there any jurisdiction issues in terms of personally identifiable information and how it's managed?

Contracts and service level agreements are much more typical. Contracts, I would argue, are legal documents that are signed.
A contract lasts for a period of time: one year, three years, five years, however long. Typically, for that whole period of time, we want something to help us manage the service that's being delivered. The service level agreement is what does that: it supports the contract, and it typically checks things that recur. Is what we signed in the contract being delivered operationally? Is the bandwidth available, the availability, and so on? Is it working as it should?

Due diligence as a concept: we want to investigate and research potential suppliers. We don't just extend trust. We want to make sure that we understand the level of risk. Are they a good supplier? What's their history? Do they operate to a framework? Are they accredited? Then, in accordance with the SLA, we perform monitoring and compliance. It can be very difficult to get a contract that lasts for a long period of time to actually factor in all the changes in technology that we will see. Operationally, things do change.
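As an added illustration of the SLA monitoring just described (this is example code written for this page, not material from the lecture or its slides), the script below takes a constructed set of reachability probes against a hypothetical supplier service, carves out an agreed maintenance window the way many SLAs do, and reports whether the measured availability meets a hypothetical 99.5% target. The probe data, the maintenance window and the target figure are all assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real measurements): one probe every 5 minutes
# over a 2-hour window. True = service reachable, False = probe failed.
# 24 probes = 120 minutes monitored; 5 failed probes = 25 minutes down.
PROBE_INTERVAL = timedelta(minutes=5)
PROBES = [
    (datetime(2024, 3, 1, 0, 0) + timedelta(minutes=5 * i), ok)
    for i, ok in enumerate(
        [True] * 6 + [False] * 3 + [True] * 3 + [False] * 2 + [True] * 10
    )
]

# Hypothetical scheduled maintenance window agreed in the SLA. Most SLAs
# exclude such windows from the availability figure; check what yours says.
MAINTENANCE_WINDOWS = [
    (datetime(2024, 3, 1, 0, 30), datetime(2024, 3, 1, 0, 45)),
]

# Hypothetical contracted availability target (99.5%).
SLA_TARGET = 0.995


def in_maintenance(ts, windows):
    """True if the probe timestamp falls inside an agreed maintenance window."""
    return any(start <= ts < end for start, end in windows)


def availability(probes, windows, interval=PROBE_INTERVAL):
    """Return (availability_fraction, measured_minutes, downtime_minutes).

    Each probe stands for one probe interval of time. Probes inside a
    maintenance window are excluded entirely, so they count neither as
    uptime nor as downtime.
    """
    measured = 0
    down = 0
    for ts, ok in probes:
        if in_maintenance(ts, windows):
            continue
        measured += 1
        if not ok:
            down += 1
    if measured == 0:
        return (1.0, 0.0, 0.0)
    minutes_per_probe = interval.total_seconds() / 60
    return (
        (measured - down) / measured,
        measured * minutes_per_probe,
        down * minutes_per_probe,
    )


def sla_report(probes, windows, target=SLA_TARGET):
    """Compare measured availability with the contracted target."""
    avail, measured_min, down_min = availability(probes, windows)
    # Downtime the SLA tolerates over the measured period.
    budget_min = (1 - target) * measured_min
    return {
        "availability": round(avail, 4),
        "measured_minutes": measured_min,
        "downtime_minutes": down_min,
        "downtime_budget_minutes": round(budget_min, 2),
        "compliant": avail >= target,
    }


if __name__ == "__main__":
    print("Raw (no carve-out):      ", sla_report(PROBES, []))
    print("With maintenance window: ", sla_report(PROBES, MAINTENANCE_WINDOWS))
```

With the constructed data, the maintenance carve-out removes the three failed probes between 00:30 and 00:45, so 15 of the 25 down minutes disappear from the figure, but the remaining 10 minutes still exceed the roughly half a minute that a 99.5% target allows over 105 measured minutes. That is the kind of check worth running on the supplier's own reported numbers: know which outages the contract lets them exclude before you accept their availability figure.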