Several years ago one of us had worked with a customer on a hosting project. The customer had rented floor space at a local "power, pipe, and ping" hosting facility. Some of you might be using such facilities yourselves; if so, let this story give you something to ponder. Most of you have probably seen such facilities: wide and low buildings, with few windows, sometimes lots of fencing and trees and shrubs, often constructed in suburbs. They are actually rather obvious in their attempts to hide.
As an outside consultant, I wasn't simply allowed to appear at the site and declare my intentions to work for the customer. Instead, the customer had to previously notify the security staff of my arrival. On the appointed day, then, as I approached the site, I encountered the first layer of security:
An intimidatingly tall exterior fence with imposing barbed wire
After stopping to identify myself at the intercom box (and politely declining the offer of fries with my request), the gate opened, I parked the car, and walked to the second layer of security:
A less-intimidating second fence, but festooned with razor wire
Here it was necessary to identify myself again, after which the second gate opened. My ability to navigate through the "compound" was somewhat limited by natural growth and other fencing.
Following the short path, I arrived at the third physical security layer:
A guard shack, the point of authentication
Curiously, the guard here wasn't the same as the guard I had spoken with at both previous points (his voice was different). The guard requested some form of photo identification, and as I handed him my driver license (which he only briefly inspected) he placed it into a small plastic box on the counter. Not being one to quickly surrender credentials, I asked, "What are you doing?"
"We are required to maintain possession of your license while you're here," he replied.
"Why?" I asked. "I don't really like that, I don't know what might happen to it. I'd like to have it back, I've satisfied your authentication requirement."
"Can't, it's the policy."
Sigh. "Ok, let me see your badge, please." This was obviously an unusual request (I could tell by the expression on his face), but after a few speechless moments, he unclipped the badge from his shirt and handed it to me.
"Mutual authentication," I said, with a smile. "I need to make sure I'm really speaking with someone who's an actual employee of the facility." After I satisfied myself with his identity, I put his badge in my pocket.
"What are you doing?" He bellowed, in typical security guard fashion.
"My policy is to maintain possession of the credentials of anyone who must maintain possession of mine. It's the only way I can be certain that I'll be able to get mine back." Obviously this guard had never encountered such a situation before. He stood motionless for a time. And then, in a fascinating display of original thought, he admitted that their policy is "stupid" and handed my driver license back to me along with an access pass to the facility. "I agree," I said, as I returned his badge. He buzzed the door, I walked through, and finally I was in.
Or not. I was at the fourth layer of security:
A very small room with enough space for only one person
This room was reading the RFID tag in my access pass and measuring my weight. Upon exiting, I would be subjected to the same scrutiny; if I weigh more, the presumption is that I'm stealing something and wouldn't be allowed to depart without undergoing an examination of some kind. (I wonder what would happen if I were to weigh less?) When the measurements were complete, another door opened and, yes, this time, I was finally in. (Interesting note: this system could be defeated if I were to work with an accomplice who weighed exactly the same as I do and we exchanged access passes. Of course, my accomplice's RFID tag would be different and would not match the number associated with my accomplice's driver license. Obviously, then, there is a reason for keeping the driver licenses of visitors, which hadn't been explained to the guard. His lack of understanding created a vulnerability during my visit.)
The room was large, larger than several football fields. It was a geek's vision of heaven: overflowing with hardware of all kinds, softly illuminated by thousands of gently blinking LEDs, accompanied by the whine of hundreds of fans, and not a soul in immediate sight. This place was full: they had equipment for hundreds of customers, with each customer's equipment contained within its own fifth layer of security:
A fenced cage, but not completely enclosed
I finally located my customer, who had arrived before me. They had just started to install Windows on their servers, so I had some time to look around.
Almost immediately, I noticed that the cages were flawed. The fencing didn't even go all the way to the top of the false ceiling, so it wasn't necessary for me to slide tiles out of the way to see whether the fencing went through the ceiling. Similarly, it didn't extend all the way down to the false flooring, so again I didn't have to seek the floor lifter and check underneath. In a facility like this, which is semi-public, you must have complete concrete-to-concrete fencing. After you are in the facility there is very little monitoring of your activity. (Sadly, this facility lacked interior video monitoring.) Because it's easy for someone to move from cage to cage by shimmying under or over the fencing, all the customers of this facility were at serious risk. What if one's competitors were in an adjacent cage? What possible risks might materialize here?
Worse, however, was yet to come. Way off in an otherwise very dark corner I saw a shaft of light. This was curious because I drove completely around the building before I approached the first layer of exterior fencing and didn't remember seeing any windows. As I walked over to investigate, it became clear: the light streamed in through an exterior door that had been propped open with a rusted metal folding chair. Over the threshold was a small set of stairs that led straight down to the highway, aided, of course, by a break in the fencing!
Wow: several million dollars of impressive upfront physical security circumvented by a guard taking a break. This illustrates a problem your authors don't know how to solve: despite all your efforts at building secure facilities and secure networks, the people with the most unfettered physical access are often the lowest-paid people on your payroll or, maddeningly, are outsourced someplace else. In our opinion, this is a major shortcoming that will take some serious and innovative thought to overcome. It is, alas, outside our expertise; your authors are information technologists and policy wonks, not organizational and economic experts. We welcome any suggestions you might have.