CSA CCM DCS-15
Equipment Location

Business-critical IT equipment belongs in locations that are unlikely to suffer environmental events such as flooding, fires, severe weather, and earthquakes. The CCM control asks organizations to keep such equipment away from locations with a high probability of environmental risk events, which in practice means assessing each candidate site's hazards and choosing locations deliberately to minimize the chance of catastrophic damage. Let's explore this control in more detail.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10, released on 2023-09-26. The full matrix can be downloaded from the Cloud Security Alliance website. The matrix provides a comprehensive set of controls for cloud computing environments and includes mappings to other frameworks; it complements configuration-level standards such as the CIS Benchmarks rather than replacing them.

Who should care?

This control is relevant for:

  • IT managers responsible for datacenter operations
  • Business continuity and disaster recovery planners
  • Risk management and compliance professionals

What is the risk?

Placing critical equipment in high-risk locations exposes the organization to:

  • Damage or destruction of equipment due to fires, flooding, earthquakes, etc.
  • Extended outages while damaged equipment is repaired or replaced
  • Permanent loss of data if equipment is destroyed
  • Financial losses and reputational damage

Choosing safe, resilient locations is an effective control to reduce the likelihood and impact of these risks.

What's the care factor?

For organizations whose core business operations depend on IT systems, this should be a high priority control. Even a few hours of unexpected downtime can be extremely costly in terms of lost revenue, regulatory penalties, and customer frustration.

However, for less critical or non-production workloads, it may be acceptable to use locations with a higher risk profile in exchange for lower costs. The key is to consciously evaluate and accept the risks.

When is it relevant?

This control should be applied when:

  • Choosing a site for a new datacenter build-out
  • Selecting a colocation provider
  • Evaluating the resilience of existing datacenters
  • Developing business continuity and disaster recovery plans

It is less relevant for pure public cloud deployments, where physical datacenter siting sits on the provider's side of the shared responsibility model. It still matters at the region and availability zone level: understand how the provider's availability zones are physically separated, check the provider's published region documentation and audit reports for the environmental protections it claims, and choose regions and zones whose separation and hazard profile match your resilience requirements.

What are the trade-offs?

Choosing low-risk locations may involve higher costs:

  • Real estate costs in areas less prone to natural disasters
  • Higher construction costs for facilities hardened against environmental risks
  • Increased distance from end users which can impact application performance
  • Difficulty attracting IT talent in remote locations

Organizations need to balance resilience and cost based on the criticality of each workload.

How to make it happen?

  1. Inventory your IT equipment and classify by criticality to the business
  2. Work with vendors to identify potential equipment locations
  3. For each location, assess environmental risks including:
    • Proximity to flood plains
    • Seismic activity
    • Frequency of severe weather events
    • Neighboring hazards like chemical plants
  4. Establish a risk rating for each location (e.g. low, medium, high)
  5. Determine risk appetite and choose locations that meet the resilience requirements for each workload
  6. Ensure the site has appropriate protective design elements:
    • Flood barriers and pumps
    • Earthquake bracing for racks
    • Redundant power and cooling
    • Fire suppression
  7. Establish processes to re-assess risk on a periodic basis
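The steps above amount to a small decision procedure: score each site's hazards, give credit for protective design elements, map the result to a low/medium/high rating, and then check every workload's placement against the risk appetite for its criticality tier. The Python below is an added example that is not part of the original post or of the CSA's material. The sites, hazard scales, scores, credit values and thresholds are all constructed for illustration and should be replaced with your own assessment data. It also covers the geographically dispersed alternative discussed later on the page: critical workloads must span at least two metro areas so that one event cannot take out every copy.

```python
"""Site risk rating and workload placement check.

Added example (not from the CSA or the original post). All sites, scores and
thresholds below are constructed/hypothetical; substitute your own hazard data
and risk appetite.
"""
from dataclasses import dataclass

# Ordinal risk ratings used for comparisons.
RATING = {"low": 1, "medium": 2, "high": 3}

# Flood hazard contribution by flood-plain designation (assumption: FEMA-style
# 100-year / 500-year zones, scored 0..3).
FLOOD_SCORE = {"none": 0, "500-year": 1, "100-year": 3}


@dataclass(frozen=True)
class Site:
    name: str
    metro: str                      # metro area; sites in one metro share hazards
    flood_zone: str                 # "none", "500-year" or "100-year"
    seismic_zone: int               # 0 (negligible) .. 4 (high), assumed ordinal scale
    severe_weather_days: int        # days per year with damaging weather (hypothetical)
    neighboring_hazards: tuple[str, ...]   # e.g. chemical plants, fuel depots
    protections: frozenset[str]     # protective design elements present on site


@dataclass(frozen=True)
class Workload:
    name: str
    criticality: str                # "critical", "important" or "non-critical"
    sites: tuple[str, ...]          # sites the workload runs in


# Risk appetite per criticality tier: highest acceptable site rating and the
# minimum number of distinct metros (assumed values).
MAX_RATING = {"critical": "low", "important": "medium", "non-critical": "high"}
MIN_METROS = {"critical": 2, "important": 1, "non-critical": 1}


def hazard_scores(site: Site) -> dict[str, int]:
    """Score each environmental hazard (0..4) after credit for on-site protections."""
    if site.severe_weather_days < 5:
        weather = 0
    elif site.severe_weather_days < 20:
        weather = 1
    else:
        weather = 3
    scores = {
        "flood": FLOOD_SCORE[site.flood_zone],
        "seismic": site.seismic_zone,
        "weather": weather,
        "neighbor": min(3, 2 * len(site.neighboring_hazards)),
    }
    # Protective design elements reduce, but never eliminate, the matching
    # hazard (assumed credit values).
    if "flood_barriers" in site.protections:
        scores["flood"] = max(0, scores["flood"] - 2)
    if "seismic_bracing" in site.protections:
        scores["seismic"] = max(0, scores["seismic"] - 1)
    return scores


def risk_rating(site: Site) -> str:
    """Map hazard scores to low/medium/high. One severe hazard drives the rating
    up even when the total is modest: a 100-year flood plain alone is enough."""
    scores = hazard_scores(site)
    worst, total = max(scores.values()), sum(scores.values())
    if worst >= 3 or total >= 6:
        return "high"
    if total >= 3:
        return "medium"
    return "low"


def placement_findings(workload: Workload, sites: dict[str, Site]) -> list[str]:
    """Return findings where a workload's placement breaches the risk appetite."""
    findings = []
    allowed = MAX_RATING[workload.criticality]
    for name in workload.sites:
        rating = risk_rating(sites[name])
        if RATING[rating] > RATING[allowed]:
            findings.append(f"{workload.name}: site {name} is rated {rating}, above "
                            f"the {allowed} appetite for {workload.criticality} workloads")
    metros = {sites[name].metro for name in workload.sites}
    if len(metros) < MIN_METROS[workload.criticality]:
        findings.append(f"{workload.name}: spans {len(metros)} metro(s), needs "
                        f"{MIN_METROS[workload.criticality]} for {workload.criticality} workloads")
    return findings


# Constructed sample inventory (hypothetical sites and workloads).
SITES = {s.name: s for s in [
    Site("dc-riverside", "river-a", "100-year", 1, 10, ("chemical plant",),
         frozenset({"flood_barriers", "fire_suppression"})),
    Site("dc-highland", "north-b", "none", 1, 3, (), frozenset({"fire_suppression", "redundant_power"})),
    Site("dc-faultline", "coast-c", "none", 4, 3, (), frozenset({"seismic_bracing"})),
    Site("dc-plains", "north-b", "500-year", 0, 25, (), frozenset()),
]}
WORKLOADS = [
    Workload("payments", "critical", ("dc-highland", "dc-riverside")),
    Workload("analytics", "critical", ("dc-highland", "dc-plains")),
    Workload("crm", "important", ("dc-plains",)),
    Workload("ci-runners", "non-critical", ("dc-faultline",)),
]


def review(workloads=WORKLOADS, sites=SITES) -> dict[str, list[str]]:
    """Run the placement check over the whole inventory."""
    return {w.name: placement_findings(w, sites) for w in workloads}


if __name__ == "__main__":
    for site in SITES.values():
        print(f"{site.name:14} {risk_rating(site):7} {hazard_scores(site)}")
    for name, findings in review().items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

With the constructed data, dc-riverside rates medium (flood barriers bring the 100-year flood plain down, but the chemical plant next door keeps it out of the low tier), dc-faultline and dc-plains rate high, and the check flags payments for its medium-rated second site, analytics for both a high-rated site and for keeping both copies in one metro, and crm for running an important workload on a high-rated site; the non-critical CI runners on the high-rated site pass, which is the consciously accepted risk the page describes. Re-run the review on a schedule, since hazard data and site protections change over time.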

What are some gotchas?

  • Don't underestimate the difficulty of accessing a location during a disaster. Roads and airports may be damaged.
  • Have a plan to relocate equipment and resume operations in an alternate site if the primary site becomes unusable.
  • Know the local regulations regarding construction in hazard-prone areas. Permitting can be complex.
  • Confirm the site has sufficient utility capacity and redundancy (power, water, network connectivity).

What are the alternatives?

  • Use multiple geographically dispersed locations so that no single event can take out the entire operation. Design applications to fail over gracefully.
  • Deploy applications on highly-resilient public cloud infrastructure in regions known to have low risk of natural disasters.
  • For non-critical applications, consider using a single site and accepting more downtime risk to reduce cost.

Explore further

  • CIS Critical Security Control 11 (CIS Controls v7 numbering): Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  • CIS Critical Security Control 12 (CIS Controls v7 numbering): Boundary Defense
  • NIST SP 800-53 PE Family: Physical and Environmental Protection, in particular PE-18 (Location of System Components), which addresses the same concern as this control
