

Five Floors Underground: The Wake-Up Call for Cloud Resilience


A few years ago, I was auditing one of the largest financial institutions in the Middle East for their cyber resiliency. During the walkthrough, I discovered their primary data center was five floors underground. Five!

Naturally curious, I asked their CISO whether there was any specific reason for going this deep. Although this was a legacy he had inherited, his answer was simple:

“Regional constraints.”

I didn’t fully get it then. I do now.

Last week, Iranian drone strikes took out AWS data centers in the UAE and Bahrain. Banking apps went dark. Payment systems froze. Enterprise software across the region just… stopped.

The cloud, it turns out, has a very physical address. And that address can be hit.

That CISO and his predecessors weren’t being paranoid. They were being realistic. They understood something that a lot of us in infosec and cloud governance are only now waking up to: in certain parts of the world, your DR strategy isn’t just about ransomware and config drift. It’s also about missiles and drones.

This changes the conversation around cloud concentration risk entirely. When we evaluate third-party cloud providers, how many of us are factoring in geopolitical threat vectors against the physical infrastructure? How many risk registers account for kinetic attacks on a hyperscaler’s availability zone? Also, the lack of transparency from the cloud computing companies about the distance between their multiple availability zones isn’t helping the cause.

The Gulf has cheap energy, massive funding, and ambitious AI plans. But the same geography that makes it attractive also makes it a target. The $2 trillion in tech investment commitments from last year look a lot different today.

Given the news a while ago about Iran targeting financial institutions in Israel and the surrounding regions, the DC being in a secure physical location makes even more sense: https://www.reuters.com/world/middle-east/iran-will-target-us-israeli-economic-banking-interests-region-state-media-2026-03-11/

For those of us in GRC and infosec, this is a wake-up call. Cyber resilience isn’t just a checkbox on a compliance framework. Sometimes it means putting your data center five floors underground and not explaining why to auditors who ask too many questions.

That CISO’s predecessors knew the assignment.

#cyberresilience #DC #DR #BCP #Geopolitics #physicalsecurity