Skip to content

Security posture for Lambda Private Cloud#

Introduction#

This document outlines the physical and logical security posture of Lambda Private Cloud (Private Cloud).

Diagram of Private Cloud infrastructure

Hardware#

Private Cloud provides a single-tenant cluster that is physically isolated from other customers and Lambda's internal infrastructure. Although Lambda provisions and maintains the hardware, it is dedicated exclusively to that cluster.

Compute (GPU) nodes#

Compute nodes are dedicated, single-tenant bare-metal systems primarily designed for GPU workloads. These nodes are connected to the tenant's Ethernet network and InfiniBand fabric.

Management (head) nodes#

Management nodes are dedicated, single-tenant, bare-metal systems designed to function as control plane nodes or CPU-only compute nodes. They are connected to the tenant's Ethernet network only.

Persistent storage cluster#

Persistent storage is provisioned as a dedicated storage cluster alongside the physical cluster. It is connected to the tenant's Ethernet network only.

Networking#

In-band Ethernet#

The in-band Ethernet fabric connects all compute and management nodes, as well as the storage cluster. Primary storage access from compute and management nodes is routed over this network.

All networking is single-tenant and physically separated from any other Lambda customer hardware.

Internet connectivity is provided through a pair of redundant dedicated internet access (DIA) links, routed through a dedicated firewall appliance managed by the customer. Optionally, north/south traffic (traffic entering or leaving the cluster) may be routed through customer-specified links.

InfiniBand#

The cluster InfiniBand fabric is isolated on dedicated hardware, including InfiniBand switches arranged in a spine-leaf topology.

All compute nodes are on the InfiniBand fabric and have unrestricted access to each other via the fabric.

Out-of-band Ethernet#

The out-of-band (management) Ethernet network includes a separate 1 Gbps DIA link and an LTE cellular device. These are used to access console servers and the management network in the event of a total network outage. These links are only used when absolutely necessary. If access is required, the customer is notified. No general routing in or out is permitted over these links.

The management Ethernet fabric is connected to all BMC ports on the compute nodes, management nodes, storage appliances, DPUs, switches, and any smart PDUs.

System configuration#

BIOS, BMC, and firmware#

All compute and management nodes are configured with the latest validated BIOS and BMC firmware. All nodes have secure BIOS and BMC passwords set.

Lambda will provide guidance regarding firmware for other tenant hardware, including switches, firewalls, storage, and PDUs. Lambda will not take any action regarding this equipment without coordination with a customer.

Operating system (OS)#

All compute and management nodes are provisioned with a vanilla Ubuntu LTS (Long-Term Support) release. The customer is responsible for OS-level security and patch management, as well as monitoring logs and metrics.

The customer receives administrator (root) privileges to the cluster.

SSH access is initially restricted to the key provided by the customer. Additional keys can be added if desired.

Data encryption, retention, and destruction#

Data saved to both node-local storage and the storage cluster is encrypted at rest. If a drive is physically removed, its data is irrecoverable without the corresponding encryption key.

At the customer's request (specified in the contract), Lambda can maintain a "Keep Your Device" maintenance agreement. This ensures that any failed or decommissioned storage media remains within the controlled data center environment and is not returned to the storage vendor.

Lambda can also coordinate the destruction of physical media through a qualified disposal vendor, providing an audit trail and certification of destruction. Additional services—such as video recordings of the destruction process or vendor certification records—may be available upon request.

Logical access (optional)#

At the customer's discretion, Lambda's operations and support engineers may retain logical access to the cluster to provide support, using individually issued accounts.

Lambda will not make any changes to customer infrastructure without prior authorization.

All logical access by Lambda personnel is logged in accordance with Lambda's internal customer cluster access policy (a copy is available under contract). Customer data will never be accessed without written permission. Lambda will request access to customer data only when it is absolutely necessary to resolve an ongoing issue.

Physical access#

Physical access to the infrastructure is limited to Lambda employees and data center providers with a specific need for access. In the event of emergencies or planned maintenance, Lambda documents all access and reviews it to ensure compliance with these protocols.

Lambda Private Cloud infrastructure is housed in secure facilities featuring:

  • Perimeter and internal CCTV surveillance, with a minimum 90-day retention
  • Multiple security checkpoints:
    • Main lobby access is restricted by a security door with a biometric reader, badge reader, and/or security personnel
    • Multi-factor authentication (PIN/badge + biometric) is required for entry into the data hall

Authorized Lambda employees may access data centers for maintenance, upgrades, or other hardware-related work. Local authorities or authorized data center providers may access the hall space as required by local codes.