AWS CISO needs permission to visit his data centres
He doesn't mind and you shouldn't either because they're not that interesting
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
Amazon Web Services' General Manager and Chief Information Security Officer Stephen E. Schmidt is not allowed to make unannounced visits to the company's data centres.
Speaking at the AWS Summit 2012 in Sydney today, Schmidt explained that he has to ask for permission from the relevant Vice-President before visiting a data centre, as part of the company's security regime.
That regime means customers are also verboten from visits, a stance Schmidt says the company prefers because “tours are not instructive.” There are only so many ways to set up and secure a data centre, Schmidt says. Those methods are well-documented, AWS is aware of them, has deployed those it deems sensible and feels customers cannot learn anything useful from a visit.
Schmidt also said most AWS employees are kept ignorant of its data centres' locations. Addresses for the facilities are not listed on the company's intranet, a security-through-obscurity strategy Schmidt said “helps with protection.” Another obscurity strategy sees the company deliberately construct nondescript buildings.
Employees who can visit the facilities have that privilege revoked and formally re-instated every ninety days and must use “two or more levels of two factor authentication” to enter the building.
AWS also, Schmidt said, reviews log files proactively and a little obsessively.
“We review the logs to ensure we see what we expect, and to check for things we do not expect,” he said. The security team also checks to make sure logs are present, as absent logs or missing entries are eloquent descriptors of security incidents.
Schmidt also said the company has developed a special process to help penetration testers take advantage of its cloud. In the past such tests would likely have been flagged as a denial of service attack, but demand for such services means AWS now whitelists designated assets being used during penetration tests. ®
COMMENTS
like banks
companies only put this sort of security theatre in place after something nasty has happened
I wonder if the cleaners have the same level of security - of like other high-sec places, do they provide limited sets of two factor auth and teh cleaning company pass out access details to the rolling staff.
bragging about your security is prolly the best way to ensure some journo gets a job as a cleaner and has pics of one or more of your DC's before the week is out.
"anonymous" buildings ...
... are the most interesting kind, as any tech knows. Phone company buildings have a certain "look" to them, even if they are anonymous. Serious data centers need lots of physical space and power (though companies are working on reducing these requirements), making them somewhat obvious.
Surely they have to brag about their security a bit? Like banks, they have to reassure their customers that they have taken some precautionary measures.
IT infrastructure monitoring strategies
What you need to know about cloud backup
Enabling efficient data center monitoring
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
