{"id":38165,"date":"2022-09-14T06:56:22","date_gmt":"2022-09-14T10:56:22","guid":{"rendered":"https:\/\/centricconsulting.com\/?p=38165"},"modified":"2022-10-14T08:40:21","modified_gmt":"2022-10-14T12:40:21","slug":"how-zero-trust-architecture-protects-physical-it-infrastructure-too","status":"publish","type":"post","link":"https:\/\/centricconsulting.com\/blog\/how-zero-trust-architecture-protects-physical-it-infrastructure-too\/","title":{"rendered":"How Zero-Trust Architecture Protects Physical IT Infrastructure, Too"},"content":{"rendered":"

The same Zero-Trust tools that protect your digital assets also protect the buildings that house them and the people who keep everything up and running.<\/h2>\n
\n

Location, location, location. It\u2019s been the mantra of real estate professionals for years, but it needs to be the mantra of those charged with protecting IT infrastructure, too.<\/p>\n

No matter how cloud-based your organization is, you still rely on physical buildings to house servers, barge lines, data centers, racks, network devices and the people who operate them. Tools like physical or digital keys, cameras, alarm and badge systems, and proximity cards control who can enter those facilities. But in an age of drone strikes, suicide bombers and mapping and satellite-imagery services such as Google Maps, how do you protect your physical IT infrastructure?<\/p>\n

Companies often address the challenge by placing critical IT infrastructure in unmarked buildings or working with companies like Google to hide satellite images of their infrastructure.<\/strong> But these solutions don\u2019t get to the root of the problem \u2014 how online vulnerabilities can expose your buildings, just as they expose your digital assets.<\/p>\n

\u201cHow Vulnerable Is My IT Infrastructure?\u201d Let Us Count the Ways!<\/h2>\n

Applying a Zero-Trust approach to your physical IT infrastructure starts with the Zero-Trust pillars we\u2019ve already addressed in this blog series<\/a>. Allowing offsite access to company laptops without online identity<\/a> or endpoint protection \u2014 as well as failing to provide end-to-end encryption or to secure apps<\/a> \u2014 opens the door to bad actors.<\/strong><\/p>\n

Here are some examples of how those bad actors can breach infrastructure on various levels.<\/p>\n

Individual Employees<\/h3>\n

Imagine that two employees at a large insurance company are exchanging emails about work they need to do at an unmarked, offsite data center. During the exchange, one of them drops the address of the facility.<\/p>\n

Without MFA, an attacker only needs that employee\u2019s username and password, obtained through phishing, credential stuffing or an earlier breach, to read the company\u2019s email and learn the address. Requiring a second factor tied to a device the employee holds, such as a code or prompt on their phone, adds a layer that significantly reduces the risk. A phishing-resistant factor such as a FIDO2 security key is stronger still, because one-time codes and push prompts can themselves be phished or fatigued out of a user.<\/p>\n
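To make the "additional device" concrete, here is an added example (not code from the original post or from Centric Consulting) of a login check that requires both a password and a time-based one-time code (RFC 6238 TOTP) computed from a secret shared with the employee\u2019s phone. A stolen password alone fails, and a code that has already been used cannot be replayed. The user record, salt and clock values are constructed for the demo; the TOTP seed is the RFC 6238 test-vector seed.<\/p>\n

```python
"""Added example, not code from the original post or from Centric Consulting.

Password + TOTP (RFC 6238) login check. Demonstrates that a stolen password
alone does not open the mailbox and that a used code cannot be replayed.
User records, the salt and the clock values are constructed for the demo;
the TOTP seed is the RFC 6238 Appendix B test-vector seed.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional

TOTP_STEP = 30     # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6
DRIFT_STEPS = 1    # accept one step either side to tolerate clock skew


def totp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226/6238: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(secret: bytes, unix_time: int) -> str:
    """The code the employee's phone would display at `unix_time`."""
    return totp(secret, unix_time // TOTP_STEP)


SALT = b"constructed-demo-salt"  # a real system uses a random per-user salt


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 200_000)


# Constructed directory: one insurance-company employee.
USERS: Dict[str, dict] = {
    "alice@example.com": {
        "pw_hash": hash_password("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",  # RFC 6238 Appendix B seed
        "last_counter": -1,  # highest time step already accepted (anti-replay)
    },
}
_DUMMY_HASH = hash_password("dummy")  # keeps unknown-user timing similar


def login(username: str, password: str, code: Optional[str], now: int) -> bool:
    """True only if the password and a fresh, unused TOTP code both check out."""
    user = USERS.get(username)
    stored = user["pw_hash"] if user else _DUMMY_HASH
    password_ok = hmac.compare_digest(hash_password(password), stored)
    if user is None or not password_ok:
        return False
    if code is None:
        return False  # the password alone is never enough
    counter = now // TOTP_STEP
    for candidate in range(counter - DRIFT_STEPS, counter + DRIFT_STEPS + 1):
        if hmac.compare_digest(totp(user["totp_secret"], candidate), code):
            if candidate <= user["last_counter"]:
                return False  # code already consumed: replay attempt
            user["last_counter"] = candidate
            return True
    return False


if __name__ == "__main__":
    t = 59  # RFC 6238 test-vector time; the 6-digit code is 287082
    secret = USERS["alice@example.com"]["totp_secret"]
    print("phone shows:", totp_at(secret, t))
    print("password only:", login("alice@example.com", "correct horse battery staple", None, t))
    print("password + code:", login("alice@example.com", "correct horse battery staple", "287082", t))
    print("replayed code:", login("alice@example.com", "correct horse battery staple", "287082", t))
```

The replay guard matters in practice: a one-time code observed by a phishing proxy is only useful to the attacker if the legitimate user has not already consumed it, so the verifier records the last accepted time step per user. The drift window is deliberately small (one step) because every extra step widens the window in which a leaked code stays valid.<\/p>\n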

Regulatory Requirements<\/h3>\n

Failing to adhere to regulatory requirements can put you at risk, as well.<\/strong> Few companies neglect them intentionally, but over time the requirement to keep systems that process Payment Card Industry (PCI) cardholder data or other sensitive information segmented from the rest of the environment can slip: a firewall rule opened for troubleshooting and never removed, a shared management network, an application that begins reading from both sides. Beyond the compliance violation itself, a missing segment puts you at risk of legal exposure from regulators and from customers whose data was exposed. This is especially relevant in highly regulated industries like healthcare, manufacturing and financial services.<\/p>\n
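The slippage described above is detectable if you audit for it. The following is an added example (not code from the original post or from Centric Consulting) that reads a rule set and flags every allow rule letting traffic into the cardholder data environment (CDE) from a source that is neither inside the CDE nor on an explicit allow-list. The subnets and rules are constructed for the demo; the rule shape (name, source, destination, port, action) is a simplified stand-in for a firewall or cloud security-group export.<\/p>\n

```python
"""Added example, not code from the original post or from Centric Consulting.

Segmentation audit: flag allow rules that reach the cardholder data
environment (CDE) from sources that are neither inside the CDE nor on the
explicit allow-list. Subnets and rules below are constructed for the demo.
"""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[str, str, str, Optional[int], str]  # name, src, dst, dst_port, action

# Assumed CDE subnet and the only non-CDE sources permitted to reach it.
CDE_NETS = [ipaddress.ip_network("10.50.0.0/24")]
ALLOWED_INTO_CDE = [ipaddress.ip_network("10.10.5.0/28")]  # e.g. tokenization gateway, jump hosts

# Constructed rule set showing the kind of drift that accumulates over time.
RULES: List[Rule] = [
    ("payments-api-from-gateway", "10.10.5.0/28", "10.50.0.10/32", 8443, "allow"),
    ("cde-db-from-cde", "10.50.0.0/24", "10.50.0.20/32", 5432, "allow"),
    ("corp-to-cde-rdp", "10.20.0.0/16", "10.50.0.0/24", 3389, "allow"),   # opened for troubleshooting, never removed
    ("any-to-cde-http", "0.0.0.0/0", "10.50.0.0/24", 80, "allow"),        # legacy web front end
    ("cde-to-corp-syslog", "10.50.0.0/24", "10.20.1.5/32", 514, "allow"),  # outbound from the CDE; not an inbound breach
    ("deny-all", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]


def _within_any(net, nets) -> bool:
    """True if `net` is entirely contained in one of `nets` (same IP version)."""
    return any(net.version == n.version and net.subnet_of(n) for n in nets)


def find_segmentation_violations(rules: List[Rule], cde_nets, allowed_sources) -> List[str]:
    """Names of allow rules whose destination touches the CDE but whose source
    is neither inside the CDE nor fully within a permitted external source."""
    violations = []
    for name, src, dst, _port, action in rules:
        if action != "allow":
            continue
        src_net = ipaddress.ip_network(src, strict=False)
        dst_net = ipaddress.ip_network(dst, strict=False)
        touches_cde = any(dst_net.version == c.version and dst_net.overlaps(c) for c in cde_nets)
        if not touches_cde:
            continue
        if _within_any(src_net, cde_nets) or _within_any(src_net, allowed_sources):
            continue
        violations.append(name)  # a partially-overlapping broad source is still flagged
    return violations


if __name__ == "__main__":
    for name in find_segmentation_violations(RULES, CDE_NETS, ALLOWED_INTO_CDE):
        print("segmentation violation:", name)
```

The check is intentionally strict about source scope: a rule whose source is 10.0.0.0/8 is flagged even though it overlaps the allowed 10.10.5.0/28, because an overly broad source is exactly how a segment erodes. Run it against every rule export, not once at audit time, so that drift is caught when the rule is added rather than when the assessor arrives.<\/p>\n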

Significantly, segmentation requirements apply whether your services run on premises or in the cloud, so the cloud provider\u2019s infrastructure must comply as well. Under the shared-responsibility model, though, the provider\u2019s attestation covers only the provider\u2019s layer; segmenting your own workloads, virtual networks and data inside that cloud remains your responsibility.<\/strong> Microsoft, for example, publishes independent third-party audit reports (SOC and PCI DSS attestations among them) covering Azure infrastructure and the Microsoft 365 environment, including SharePoint, Teams, OneDrive, Yammer and Exchange.<\/p>\n

Below are some of the major regulations governing segmentation and infrastructure. Others may apply to your industry:<\/p>\n

Segmentation Regulations<\/h4>\n