Infrastructure security
The first line of defense is to implement security controls that protect data-center assets, such as server farms, routers, switches, wiring closets, and network firewalls, from both natural and human threats. Examples of physical security measures include anti-tailgating measures, video surveillance, physical access-controlled barriers, password-protected consoles, and port locking. Connected assets should also implement hardware-based root of trust, tamper resistance, secure boot and updates, and other endpoint security controls described in Chapter 4, Endpoint Security and Trustworthiness. ISO 27002 section 11, PCI DSS 3.2 requirement 9, and other standards (CSCC) provide guidance on these controls.
In the case of multi-tenant architectures, compute, network, and storage resources are shared but require adequate isolation between tenant workloads. Depending on the SLA, isolation can be implemented at the bare metal and physical hardware...