Post by Tobias Undeutsch, June 2025

Data Center Security – Protection Mechanisms of the Backup ONE Swiss Cloud

We are frequently asked how we build and protect the infrastructure in our data centers so that we can keep our Backup ONE Swiss Cloud available and still sleep soundly at night.

I'd like to discuss some basic principles for operating secure cloud and general IT infrastructures.

The Buildings

Our Backup ONE Swiss Cloud is physically hosted in two data centers: one in Zurich (CH-EAST) and the other in Geneva (CH-WEST). Operating the buildings ourselves makes no economic sense, because professional providers can supply us with space (racks or cages), electrical power including emergency power supply and failsafe reliability, and cooling for our systems. We work with Equinix and Stack Infrastructure for this purpose.
A large part of the security of our cloud concerns physical security. Thanks to our collaboration with professional data center operators, the physical security of our infrastructure is always guaranteed with minimal effort on our part.

Physical Security

Physical security of IT infrastructure includes:

  • Access Control
    Only authorized personnel may have physical access to the IT infrastructure. This is regulated through access control systems such as key cards, PIN codes, or biometric identification. Entrances to sensitive areas are monitored to ensure only authorized persons enter.
  • Environmental Protection
    IT infrastructure is sensitive to temperature and humidity fluctuations. It's important to create a controlled environment to prevent overheating and other environmental damage. Fire and smoke detectors are crucial for early warning in case of fire.
  • Protection against Theft and Manipulation
    Burglar alarms and systems serve to detect unauthorized entry and trigger alarms. Surveillance cameras help document suspicious behavior and act as a deterrent.
  • Power Supply and Emergency Power Systems
    UPS (Uninterruptible Power Supply) ensures continuous power supply during outages to protect equipment from data loss or damage. Generators are used to maintain power supply over extended periods when the main power source fails.

The Cloud Infrastructure

The saying "The cloud is just someone else's computer" is indeed correct. Our cloud infrastructure consists of the same components found in large enterprise data centers. These include: firewalls, network switches, load balancers, various servers, and storage systems.

To maintain the highest level of protection possible, we follow several approaches that are explained in the following sections.

Strict Network Segmentation

Network segmentation is a strategy to divide a large network into smaller, isolated parts called segments. Each segment contains a group of computers, servers, and other network resources that have similar security requirements. The segments are separated by firewalls and IDP (Intrusion Detection and Prevention) systems.

We strictly separate all services from each other to ensure that in case of a successful attack, only individual, isolated parts of our infrastructure would be compromised.
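
The effect of segmentation on a successful attack can be checked mechanically. The following added example (not part of the original post and not Backup ONE's own tooling) computes which segments become reachable when one segment is compromised, under the worst-case assumption that every allowed firewall flow can be used to move on. The segment names and flows are constructed for the illustration.

```python
from collections import deque

# Constructed sample policy: segment names and allowed flows are hypothetical,
# not the provider's real topology. Anything not listed is denied (default deny).
ALLOWED_FLOWS = {
    ("internet", "loadbalancer"),
    ("loadbalancer", "backup-api"),
    ("backup-api", "storage"),
    ("mgmt", "backup-api"),
    ("mgmt", "storage"),
    ("backup-api", "logging"),
    ("storage", "logging"),
}
SEGMENTS = {"internet", "loadbalancer", "backup-api", "storage", "mgmt", "logging"}


def blast_radius(compromised, flows=ALLOWED_FLOWS):
    """Return every segment reachable from `compromised` by chaining
    allowed flows (breadth-first search over the rule graph)."""
    reached, queue = {compromised}, deque([compromised])
    while queue:
        src = queue.popleft()
        for a, b in flows:
            if a == src and b not in reached:
                reached.add(b)
                queue.append(b)
    return reached - {compromised}


def audit(max_reach, segments=SEGMENTS, flows=ALLOWED_FLOWS):
    """List segments whose compromise exposes more than `max_reach` others."""
    findings = {}
    for seg in sorted(segments):
        radius = blast_radius(seg, flows)
        if len(radius) > max_reach:
            findings[seg] = sorted(radius)
    return findings


if __name__ == "__main__":
    # Flag every segment whose loss would expose more than two other segments.
    for seg, reach in audit(max_reach=2).items():
        print(f"{seg}: compromise reaches {reach}")
```

In this sample policy the logging segment only receives traffic, so its blast radius is empty, while the management segment is flagged because it can reach the API, storage, and logging segments.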

"Assume Breach" Approach

The "Assume Breach" approach is a security strategy that assumes a cyber attack or security breach has already occurred or could happen at any time. Rather than focusing exclusively on preventing attacks, this approach emphasizes improving an organization's response capability and resilience in case of a successful attack.

This approach fundamentally influences all our planning for building and expanding our cloud. We already assume today that it's only a matter of time before we lose individual services or even one of our two data centers to a successful attack. The important thing here is to detect and isolate the attack as quickly as possible to ensure the security of the data stored with us at all times.

High Availability and Redundancy

High availability and redundancy are two crucial concepts in IT infrastructure that aim to minimize downtime and ensure services and systems are continuously available.

High availability refers to a system's ability to remain continuously available without significant interruption, even if a certain part of the system fails.

Redundancy refers to providing additional or duplicate resources or components to ensure a system can continue functioning even if one or more components fail.

All our systems are built with high availability and redundancy to ensure our services are available around the clock.

IDP (Intrusion Detection and Prevention)

IDP refers to a security mechanism designed to protect networks or systems from unauthorized access and attacks and to detect anomalies. It consists of two main components: Intrusion Detection and Intrusion Prevention.

  • Intrusion Detection
    Real-time monitoring of network traffic to detect suspicious activities or anomalies. When traffic matches known threat patterns, an alarm is triggered.
  • Intrusion Prevention
    Automated blocking of attacks through active measures such as blocking network access or isolating systems and network segments.

Monitoring and Logging

Monitoring refers to the continuous surveillance of cloud infrastructure to ensure proper functioning and early detection of potential problems. This includes:

  • Performance Monitoring
    Monitoring resource utilization such as CPU, memory, disk space, network bandwidth.
  • Availability Monitoring
    Checking if services and applications are available and responding properly to requests.
  • Event-based Monitoring
    Monitoring based on events or thresholds set to alert about specific conditions or situations.
  • Security Monitoring
    Monitoring security events and anomalies to identify suspicious activities or security breaches.

Monitoring is an essential component for the secure operation of our cloud and planning future expansion steps.

Logging refers to recording activities, events, and states of systems, applications, and networks. These records, called logs, provide a detailed account of what's happening in a system or application. Recording and retaining logs are important for:

  • Diagnosis and Troubleshooting
    (Automated) review of logs makes it possible to identify problems, errors, or unusual events.
  • Security Analysis and Auditing
    Logs are crucial for identifying security breaches, investigating incidents, and complying with security standards and regulations.

All logs and monitoring data are stored outside our two data centers at physically separate locations. This ensures that in case we lose one of our data centers, we can rely on having current and correct logs and monitoring information to forensically investigate the attack. We do not disclose the locations of our log data.

Penetration Testing

Penetration Testing, also known as Ethical Hacking or security testing, is a proactive approach to evaluating IT infrastructure security. Authorized security experts (ethical hackers) deliberately simulate attacks to uncover vulnerabilities before they can be exploited by malicious actors.

Conclusion

We invest significant time and money in the secure operation of our Backup ONE Swiss Cloud. Nevertheless, we expect to eventually lose part of our infrastructure, whether through a successful cyber attack, unintentional misconfiguration, faulty software updates, or other events. We aim to ensure our cloud services remain available, interruptions are as brief as possible, and our customers' data remains protected at all times.

We're happy to answer questions about our Backup ONE Swiss Cloud, and our security experts can also check your IT infrastructure with a Cyber Check. Simply contact us.