Amazon Web Services' General Manager and Chief Information Security Officer Stephen E. Schmidt is not allowed to make unannounced visits to the company's data centres. Speaking at the AWS Summit 2012 in Sydney today, Schmidt explained that he has to ask for permission from the relevant Vice-President before visiting a data …
companies only put this sort of security theatre in place after something nasty has happened
I wonder if the cleaners have the same level of security - or, like other high-sec places, do they provide limited sets of two-factor auth and the cleaning company passes out access details to the rolling staff?
bragging about your security is prolly the best way to ensure some journo gets a job as a cleaner and has pics of one or more of your DC's before the week is out.
Re: like banks
Actually, no - this is a policy that actually makes sense, provided that in-centre staff has a matching level of control (your cleaners are indeed a classic example).
One of the risks of a data centre, btw, is work-in-progress. When a new service is constructed, the data centre should have a staging area. Only when it is stable should the kit be moved into the main area, with data centre staff there to ensure that nothing else can be accessed and time spent there kept to an absolute minimum.
I walked in and out of the place where almost every bank in London has their backup platforms when I was building stuff, and if I had been so inclined I could have created quite a bit of havoc in the process (one day I experimented and put down another name in the security access logs, no problem whatsoever).
Anon, because they *think* they know who I am :)
Re: like banks
Would you let cleaners into a data centre? I can't see a reason to give the room a quick whip round with a Hoover and a Mr Sheen.
It's bad enough getting facilities management types in who do the deliveries/heavy lifting thanks to H&S rules preventing me lifting anything.
Re: like banks
"companies only put this sort of security theatre in place after something nasty has happened"
Pretty ridiculous statement. They put this sort of "security theatre" (actually not theatre; this is well-founded policy) in place once competitors may eat their lunch once something nasty happens.
Re: like banks
I regularly used to show the security at Telehouse (back in the 90s) my assistant's badge rather than mine. Given that I'm very tall, blond, blue eyed and male and she was about 4 foot 1, long brown hair, I was always amazed. Daft thing is, she wasn't always with me, as it became a standing joke to take her ID when I went a-visiting.
One hopes they've improved.
Surely they have to brag about their security a bit? Like banks, they have to reassure their customers that they have taken some precautionary measures.
Gives them something
to spend all their money on. It's all show anyway. If someone wanted to damage one of the facilities they could just set it on fire. They wouldn't break in with a pair of snips and start cutting cables.
Re: Gives them something
Why the down votes? It's true. Breaking into a modern data center to make a mess or upload a virus is just dumb. If you're dead set on damaging one good old arson can't be beat, internal fire suppression doesn't help when the whole building is on fire.
Physical security is very easy to overthink & spend loads of cash on with no real return.
"anonymous" buildings ...
... are the most interesting kind, as any tech knows. Phone company buildings have a certain "look" to them, even if they are anonymous. Serious data centers need lots of physical space and power (though companies are working on reducing these requirements), making them somewhat obvious.
RIM built a data centre a few miles down the road from me in Georgia a year or two ago. The building is anonymous, bland looking and has no corporate branding or anything of the sort. There's a serious looking guy in a booth at the gate. It's clear that they would rather we mere mortals not know what that building is, although that probably wasn't helped by Google slapping a lovely map marker on top of it (now removed). Whoops.
Also data centre employees don't like senior management dropping in for spot checks.
you said "penetration testers".....<snicker>
That's all very well
But it didn't stop BT getting ram raided for servers...
So he's the CISO and not allowed to drop in unannounced? Then who is, because someone had better be able to just show up without warning to see what security is *really* like.
Er.. they would turn up unannounced, the guard would say "you were not announced, go away".
Tickbox one, check.
Then they'd rotate an auditor in as a new member of staff and get them to report on the other tick boxes.
Although an unannounced inspection is *exactly* how they stole the VX gas in that classic film, 'The Rock'.
AWS now whitelists designated assets being used during penetration tests.
surely the point of penetration testing is to find any weaknesses - not give shortcuts to test in specific ways
Basic principle of 'need to know/need to do' in action. I work for a bank, and they are just as strict.
Why on earth would he need 'permanent' access to the server room? The fewer people wandering around the better.