9 hours 48 minutes
All right, This next little piece I'm not gonna spend a lot of time on. This is just a review of physical and environmental controls. The reason I'm not gonna spend a lot of time on it as we talked about this at the beginning of the chapter said, This is just kind of Lets not forget the controls that we talked about. Never underestimate the importance of policy.
Right. So what are the physical protection policies, you know? How do we prevent piggybacking? How do we ensure that we're aware of who's in the building at all times?
How do we isolate secure data processing areas from other areas of the building? Right. What type of gates? What types of lighting? You know, that's physical security and policy will feed into that
perimeter security. It's not enough to secure the building. Secure the perimeter.
The way you get into the building is through the perimeter. So it shouldn't be on the perimeter. Don't be so. Think about gates. We think about guards at the gates. We think about, um you know where you have to swipe a card to get in past
the gate, past the security guard. We also have to think about. If we're implementing these sort of policies, how did we all did it? And how do we make sure
that we don't have vehicles that haven't been approved or we don't have people in the building that haven't been approved? You know, many times I'll goto a building now have to sign in to find a lot of I D. They'll give me a visitor's badge and I go in, and then
I may get home and realize, Oh my God, I never turned in that visitors patch.
If you care enough to make sure I jump through a bunch of hoops to get a visitor's badge, make sure I give you that visitor's badge back right, And that's not on me. That's on you now, of course, ethically. If I remembered, I would. But I'm pushing 50 years old. My memory. I'm doing the best I can these days, right?
I have never walked off premises when I've had to trade my driver's license for a visitor, dispatch
whatever reason that makes it stick with right. If you care about who you're given a badge to, make sure you get this batch is back
and audit and ensure that we don't have. We're missing 13. Visitor's badge is right We have a visitor badge Juan and visitor badge 14. What happened? Everything in the middle.
If you have a policy, make sure it's implemented and make sure the policies followed.
Right now, other physical controls revolve around a redundancy of power
we don't see of systems. You know this we've talked about earlier when we looked at technical controls, systems and hard drives network devices. So, like I said, not spending a ton of time here with your service provider. That's who's responsible for making sure the proper redundancies in place
at the C. S. P.
But again, if it's not in place, it comes back to bite us just like everything at CSP.
All right. And in the last little peace talks about backup and recovery because we've talked about that is part of just normal redundancy. It's also important piece of business continuity and disaster recovery. How is our data backed up And how do we recover? And I will tell you the only way
you know your backups are working is if you can recover
right. Don't trust the logs. Backups OK. Logs will look you in the face and lied to you. You on Lee know if it works by restoring from backup. All right. Now, we also have to make sure that the degree of protection that we apply to our information
while it's on the network waltz in storage is also applied to our backups in archives.
You know, we don't want archive files unencrypted that should be protected under hippo standards. Right, Which would require encryption. So we make sure that were consistent in our protection of data
in process were uniform and, um, and consistent with those security controls. Storage being saved. A hard drive. We're backed up or archived. You know, for future use, we have to think about using secure protocols on the network,
encrypted storage password protections. Again, this third bullet point get away from passports or this third sub bullet point
passwords. Not good enough any longer. How else? What else can we add to that? To protect our information? Geo redundant storage. So I've got you know, my server here that has everything. Store doesn't make a lot of sense to store my backups on top of that server, right?
So we want to store backups. We want to have a copy off site
continuous back up. You know what? It's based on? What your needs are. Not every organization is continually backing up files. But if you're happy at one of those organizations that has an R p. O, that's very, very small. Better figure out redundancy so that you could restore that data within the rpm.
Um, how quickly can you restore? Can you restore granular Lee? And by that I mean, can I restore just a single file? Or do I have to restore an entire,
uh, tape from backup overriding everything else that's happened for the day? We prefer that grand your granular retrieval and then the idea of d doh duplication,
making sure that we don't have a duplicate files that can lead to consistency issues with tenancy, extra space integrity, problems. We want to make sure that we're not backing up the same file multiple times. All right, so
backup and recovery considerations just kind of wrapping up the peace with disaster recovering business continuity
Certified Cloud Security Professional (CCSP)
This Certified Cloud Security Professional (CCSP) certification course covers topics across six domains, to ensure the candidate has a wide range of competencies and is capable in the assessment and implementation of cloud service solutions.