back to article AWS CISO needs permission to visit his data centres

Amazon Web Services' General Manager and Chief Information Security Officer Stephen E. Schmidt is not allowed to make unannounced visits to the company's data centres. Speaking at the AWS Summit 2012 in Sydney today, Schmidt explained that he has to ask for permission from the relevant Vice-President before visiting a data …

COMMENTS

This topic is closed for new posts.
  1. Jacqui

    like banks

    companies only put this sort of security theatre in place after something nasty has happened

    I wonder if the cleaners have the same level of security - of like other high-sec places, do they provide limited sets of two factor auth and teh cleaning company pass out access details to the rolling staff.

    bragging about your security is prolly the best way to ensure some journo gets a job as a cleaner and has pics of one or more of your DC's before the week is out.

    1. Anonymous Coward
      Anonymous Coward

      Re: like banks

      Actually, no - this is a policy that actually makes sense, provided that in-centre staff has a matching level of control (your cleaners are indeed a classic example).

      One of the risks of a data centre, btw, is work-in-progress. When a new service is constructed, the data centre should have a staging area. Only when it is stable should the kit be moved into the main area, with data centre staff there to ensure that nothing else can be accessed and time spent there kept to an absolute minimum.

      I walked in and out of the place where almost every bank in London has their backup platforms when I was building stuff, and if I had been so inclined I could have created quite a bit of havoc in the process (one day I experimented and put down another name in the security access logs, no problem whatsoever)..

      Anon, because they *think* they know who I am :)

      1. Anonymous Coward
        Anonymous Coward

        Re: like banks

        I regularly used to show the security at Telehouse (back in 90´s) my assistants badge rather than mine. Given that I`m very tall, blond, blue eyed and male and she was about 4 foot 1, long brown hair, I was always amazed. Daft thing is, she wasn`t always with me, as it became a standing joke to take her ID when I went a visiting.

        One hopes they`ve improved.

    2. Anonymous Coward
      Anonymous Coward

      Re: like banks

      Would you let cleaners into a data centre? I cant see a reason to give the room a quick whip round with a Hoover, and a Mr Sheen.

      Its bad enought getting facilities management types in who do the deliveries/heavy lifiting thanks to H&S rules preventing me lifting anything.

    3. Destroy All Monsters Silver badge
      Facepalm

      Re: like banks

      "companies only put this sort of security theatre in place after something nasty has happened"

      Pretty ridiculous statement. They put this sort of "security theatre" (actually not theatre; this is well-founded policy) in place once competitors may eat their lunch once something nasty happens.

  2. Dave 126 Silver badge

    Surely they have to brag about their security a bit? Like banks, they have to reassure their customers that they have taken some precautionary measures.

  3. Don Jefe
    Meh

    Gives them something

    to spend all their money on. It's all show anyway. If someone wanted to damage one of the facilities they could just set it on fire. They wouldn't break in with a pair of snips and start cutting cables.

    1. Don Jefe
      Meh

      Re: Gives them something

      Why the down votes? It's true. Breaking into a modern data center to make a mess or upload a virus is just dumb. If you're dead set on damaging one good old arson can't be beat, internal fire suppression doesn't help when the whole building is on fire.

      Physical security is very easy to overthink & spend loads of cash on with no real return.

  4. Anonymous Coward
    Anonymous Coward

    "anonymous" buildings ...

    ... are the most interesting kind, as any tech knows. Phone company buildings have a certain "look" to them, even if they are anonymous. Serious data centers need lots of physical space and power (though companies are working on reducing these requirements), making them somewhat obvious.

  5. Jeremy 2

    RIM built a data centre a few miles down the road from me in Georgia a year or two ago. The building is anonymous, bland looking and has no corporate branding or anything of the sort. There's a serious looking guy in a booth at the gate. It's clear that they would rather we mere mortals not know what that building is, although that probably wasn't helped by Google slapping a lovely map marker on top of it (now removed). Whoops.

  6. Anonymous Coward
    Anonymous Coward

    Also data centre employees don't like senior management dropping in for spot checks.

  7. Reading Your E-mail
    Coat

    you said "penetration testers".....<snicker>

  8. Anonymous Coward
    Anonymous Coward

    That's all very well

    But it didn't stop BT getting ram raided for servers...

  9. TaabuTheCat

    Unannounced?

    So he's the CISO and not allowed to drop in unannounced? Then who is, because someone had better to able to just show up without warning to see what security is *really* like.

    1. Martin Lyne

      Re: Unannounced?

      Er.. they would turn up unannounced, the guard would say "you were not announced, go away".

      Tickbox one, check.

      Then they'd rotate an auditor in as a new member of staff and get them to report on the other tick boxes.

  10. fcheung

    Although an unannounced inspection is *exactly* how they stole the vx gas in that classic film, 'The Rock'

  11. PsYcHoTiC_MaDmAn

    AWS now whitelists designated assets being used during penetration tests.

    surely the point of penetration testing is to find any weaknesses - not give shortcuts to test in specific ways

  12. clowne
    Pint

    makes sense

    Basic principal of 'need to know/need to do' in action. I work for a bank, and they are just as strict.

    Why on earth would he need 'permanent' access to the server room. The fewer people wandering around the better.

This topic is closed for new posts.

Other stories you might like