Domain 5: Cloud Security Operations Module 49 of 70

Module 49: Physical and Logical Infrastructure

CCSP Domain 5 — Cloud Security Operations Section A 6 min read
The CCSP exam expects you to understand that cloud infrastructure security starts with the physical layer, but the cloud customer rarely controls it. Every question about physical security is really about trust, attestation, and contractual assurance.

Why Physical Infrastructure Matters on the Exam

Cloud customers do not walk through data center doors. They do not inspect locks, cameras, or mantrap configurations. Yet the CCSP exam tests your understanding of these controls because your organization's data sits behind them. The exam's real question is: how do you verify controls you cannot see?

The answer is always the same pattern: audit reports, contractual requirements, and third-party attestations. When you see a physical security question on the exam, resist the urge to pick the answer about installing cameras. You are the customer. Your job is to validate, not implement.

Physical Infrastructure Controls

Data centers implement layered physical security: perimeter fencing, security guards, biometric access, mantraps, and surveillance systems. The exam expects you to understand the layered defense model but focuses on what matters to the cloud customer:

  • Site selection: Geographic diversity, natural disaster risk, political stability. The exam tests whether you consider jurisdiction and data sovereignty when choosing cloud regions.
  • Environmental controls: HVAC, fire suppression (clean agent vs. water-based), humidity monitoring. The exam may present scenarios where environmental failures cause outages — you need to know these are CSP responsibilities in all service models.
  • Access controls: Multi-factor physical authentication, visitor logs, escort requirements. The exam tests whether audit evidence of these controls satisfies due diligence.
Exam trap: If a question asks what the cloud customer should do about physical security in an IaaS deployment, the answer is never "install cameras." It is always about reviewing SOC reports, contractual SLAs, or audit attestations.

Logical Infrastructure

Logical infrastructure is where the customer's control increases. This includes virtual networks, hypervisors, virtual machines, storage abstractions, and management planes. The exam draws a clear line between what the CSP manages (hypervisor and below) and what the customer manages (guest OS and above in IaaS).

The Hypervisor Boundary

The hypervisor is the most critical logical boundary in cloud computing. It separates tenant workloads from each other and from the host. The exam expects you to understand:

  • Type 1 (bare-metal) hypervisors run directly on hardware and are standard in cloud environments. They offer stronger isolation than Type 2.
  • VM escape is the primary hypervisor threat — a compromised VM breaking out to access the host or other tenants. The exam tests whether you recognize this as a CSP responsibility to mitigate.
  • Management plane security is critical. The APIs and consoles used to manage cloud resources are high-value targets. Compromising the management plane compromises everything.

Multi-Tenancy and Isolation

Every cloud environment is multi-tenant by design. The exam tests your understanding of isolation mechanisms: separate virtual networks, storage encryption per tenant, compute isolation through hypervisor enforcement. When a question presents a multi-tenancy concern, the correct answer typically involves verifying the CSP's isolation controls through audit reports, not implementing your own isolation at the physical layer.

Scenario Thinking

A financial services firm is evaluating an IaaS provider. The security team wants to conduct a physical inspection of the data center. The provider refuses, citing security policy, but offers SOC 2 Type II reports and ISO 27001 certification. What should the firm do?

Accept the attestation reports. In cloud computing, direct physical inspection is almost never feasible or appropriate. SOC 2 Type II reports provide independent verification of controls operating over time. The exam favors attestation-based assurance over direct inspection for cloud environments.

Common Exam Traps

  • Thinking you can inspect: Cloud customers verify through reports, not site visits.
  • Confusing logical and physical boundaries: The hypervisor is logical, not physical. Network segmentation in the cloud is logical.
  • Ignoring the management plane: API security is as important as compute isolation. Many breaches come through misconfigured management interfaces.
  • Assuming all service models are equal: Physical responsibility is always the CSP's. Logical responsibility shifts with the service model.

Key Takeaways for the Exam

Physical infrastructure is the CSP's domain across all service models. The customer's role is verification through audits and attestations. Logical infrastructure responsibility varies by service model, with the hypervisor as the critical boundary. Management plane security is a top-tier concern. Multi-tenancy isolation is verified, not built, by the customer.

Next Module Module 50: Hardware Security (HSM, TPM)