
Module 31: Physical and Environmental Security

CCSP Domain 3 — Cloud Platform & Infrastructure Security Section B 6–8 min read
The CCSP exam tests whether you understand that physical security in cloud is the provider’s responsibility — and that your job is to verify it through audits, certifications, and contractual requirements.

You Cannot Walk the Data Center Floor

This is the fundamental shift from traditional to cloud security. In on-premises environments, you control physical access. In cloud, you surrender that control entirely.

The exam tests your ability to manage this loss of control through:

  • Right to audit clauses in contracts
  • SOC 2 Type II reports covering physical security controls
  • ISO 27001 certification with Annex A physical security controls
  • CSA STAR certification for cloud-specific assurance

When the exam asks how to verify physical security at a CSP, the answer is third-party audits — not personal inspection. CSPs do not allow customers to roam their facilities.

Defense-in-Depth: Physical Layers

CSP data centers implement concentric rings of physical security. The exam expects you to recognize these layers:

  • Perimeter — fencing, vehicle barriers, guard posts, CCTV
  • Building exterior — reinforced walls, limited entry points, no signage identifying the facility
  • Building interior — reception, visitor management, mantrap entry points
  • Server rooms — badge + biometric access, individual cabinet locks, CCTV with retention
  • Equipment — tamper-evident seals, hardware security modules, secure disposal

Each layer adds friction for an attacker. The exam may ask which control is MOST effective at a particular layer. Think about what threat the layer is designed to stop.


Environmental Threats and Controls

Environmental hazards threaten availability. The exam expects you to match threats to controls:

  • Fire → Clean agent suppression (FM-200, Novec 1230), smoke detection, pre-action sprinkler systems
  • Water → Raised floors, leak detection sensors, drainage systems
  • Power failure → UPS (battery), generators (diesel/gas), automatic transfer switches
  • Temperature → HVAC, hot/cold aisle containment, monitoring sensors
  • Humidity → Too high causes condensation; too low causes static discharge

Exam trap: Water-based sprinkler systems damage equipment. If the exam asks about the BEST fire suppression for a data center, the answer is a clean agent system — not sprinklers. Pre-action sprinkler systems (two triggers required) are acceptable but not preferred over clean agents.


Media Handling and Destruction

When cloud storage media reaches end of life, the CSP must ensure data cannot be recovered. The exam tests these concepts:

  • Cryptographic erasure — destroy encryption keys, rendering data unreadable (preferred in cloud)
  • Degaussing — electromagnetic destruction (only works on magnetic media, not SSDs)
  • Physical destruction — shredding, pulverizing (CSP responsibility)
  • Secure overwrite — writing patterns over data (time-consuming, not practical for SSDs)

In cloud, cryptographic erasure is the standard approach. You cannot ask the CSP to physically shred a specific disk because your data is likely spread across many disks in a distributed storage system.
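
The reasoning above, as an added example that is not part of the original module: a constructed Python model in which one tenant's data is striped across several disks and then erased by destroying its key rather than any disk. The store class, tenant names and the HMAC-SHA256 counter-mode cipher (a standard-library stand-in for AES-GCM) are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream (stdlib stand-in for AES-GCM).
    blocks = (_prf(key, nonce + i.to_bytes(8, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc, mac, nonce = _prf(key, b"enc"), _prf(key, b"mac"), secrets.token_bytes(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + ct + _prf(mac, nonce + ct)  # encrypt-then-MAC

def unseal(key: bytes, blob: bytes) -> bytes:
    enc, mac = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac, nonce + ct)):
        raise ValueError("authentication failed: wrong or destroyed key")
    return _xor_stream(enc, nonce, ct)

class DistributedStore:
    """Constructed model: a key store (stands in for a KMS/HSM) plus N disks."""
    def __init__(self, disks: int = 4, chunk: int = 16):
        self.keys, self.chunk = {}, chunk
        self.disks = [[] for _ in range(disks)]

    def write(self, tenant: str, data: bytes) -> None:  # one object per tenant
        key = self.keys.setdefault(tenant, secrets.token_bytes(32))
        for i in range(0, len(data), self.chunk):
            n = i // self.chunk  # chunk index, striped round-robin across disks
            self.disks[n % len(self.disks)].append((tenant, n, seal(key, data[i:i + self.chunk])))

    def read(self, tenant: str) -> bytes:
        key = self.keys[tenant]  # KeyError once the key has been destroyed
        chunks = sorted((n, b) for d in self.disks for t, n, b in d if t == tenant)
        return b"".join(unseal(key, b) for _, b in chunks)

    def crypto_erase(self, tenant: str) -> int:
        """Destroy the tenant key; return how many ciphertext chunks remain on disk."""
        del self.keys[tenant]  # models key destruction in the key store
        return sum(1 for d in self.disks for t, _, _ in d if t == tenant)

    def disks_holding(self, tenant: str) -> int:
        return sum(1 for d in self.disks if any(t == tenant for t, _, _ in d))
```

After `crypto_erase`, every ciphertext chunk is still physically present on every disk, which is why the assurance rests on how the key is managed and destroyed, not on what happens to the media.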

Supply Chain Physical Security

The exam may test awareness of hardware supply chain risks:

  • Tampered hardware components inserted during manufacturing or shipping
  • Counterfeit components with hidden backdoors
  • CSP practices for verifying hardware integrity upon receipt
  • Chain of custody documentation for sensitive equipment

Major CSPs have started designing custom hardware (AWS Nitro, Google Titan) specifically to reduce supply chain risk by controlling the entire hardware stack. The exam may reference this as a risk mitigation strategy.


Natural Disaster Considerations

CSP facility selection accounts for natural disaster risk. The exam expects you to understand that geographic diversity is the primary mitigation:

  • Facilities should not share common disaster risks (same flood plain, seismic zone, hurricane corridor)
  • Multi-region deployment protects against regional catastrophes
  • The customer, not the CSP, must design their application for cross-region failover

The exam will not ask you to memorize specific disaster statistics, but it will test whether you understand that physical location diversity is a design decision with both availability and compliance implications.
