• Asset Tracking: Inventory management (barcodes, RFID, asset tags); know what you have to protect it
• Asset Protection: Anti-tamper, encryption at rest, secure transport, environmental controls (HVAC)
• Configuration Management: Baseline hardening, version control, change management; prevents "drift" that breaks failover
• Backups: Full (everything), Incremental (changes since last backup), Differential (changes since last full); Deduplication removes redundant blocks to save storage
• Snapshots: Point-in-time copy of VM/disk; not a backup (kept on the same storage, so lost or corrupted if the primary fails); fast rollback for patching errors
• Instant Failover: Seamless cutover to secondary system; requires replication (synchronous for zero RPO)
• Physical: Shredding (paper), Degaussing (magnetic destruction), Pulverizing/Drilling (drives); Certificate of Destruction required for audit trail
• Cryptographic: Crypto-shredding (destroy encryption keys, rendering data unreadable); faster for cloud storage; ensure no key recovery is possible
• Site Redundancy:
– Hot: Live mirror; immediate failover (highest cost)
– Warm: Partial equipment/data; hours to activate
– Cold: Empty space/hardware; days to weeks (cheapest)
• Clustering:
– Active/Active: All nodes process load; fault tolerant but complex
– Active/Passive: Standby takes over on failure; simpler but wasted standby capacity
• Power: PDU (Power Distribution Unit—rack-level); UPS (Uninterruptible Power Supply—battery for graceful shutdown); Generator (long-term outage, diesel/propane)
• Vendor/App Diversity: Avoid single point of failure (e.g., split ISPs, multi-cloud); prevents supply chain monoculture
• Deception Tech:
– Honeypot: Single fake system to lure attackers
– Honeynet: Entire fake network for advanced analysis
– Honeyfile: Bait documents (fake salary.xlsx) that trigger alerts when opened
– Fake Telemetry: Decoy credentials/logs to confuse adversaries
• Resilience Testing: TTX (Tabletop Exercise—walk through scenarios/discussion-based); Failover Tests (actual live cutover to validate recovery time)
• Perimeter: Fencing (height/climb deterrent), Bollards (vehicle barriers), Barricades, Lighting (deterrent + CCTV aid), controlled Ingress/Egress points
• Access Control: Mantrap/Vestibule (interlocking doors; prevents tailgating), Access Badges (proximity/smart cards with photo), Cable Locks (laptop/desktop anti-theft)
• Surveillance: CCTV (deterrent + detective; retention policies), UAV/Drones (aerial perimeter monitoring or threat detection)
• Colocation: Cages (physical separation in shared datacenter), Protected Cable Distribution (conduit to prevent tapping/interference)
• Motion: PIR (Passive Infrared) sensors detect body heat
• Noise: Glass-break detectors, vibration sensors
• Duress: Panic buttons (silent alarm) for immediate response
• Temperature: Environmental monitoring for server overheating; tied to HVAC/BMS
Quick Checks: Hot site = ready now; Warm = data there, needs spin-up; Cold = empty building. Snapshots ≠ Backups (same failure domain). Active/Active shares load; Active/Passive waits. Crypto-shredding beats physical destruction for speed but requires strong key management.