We first visited one of Exodus Communications co-location facilities back in April 2000. Back then, we uncovered several potential security concerns. Now were back for a second look.
While the buildings remain anonymous, problems remain. A number of spaces in the parking lot have the words "Exodus Customer" spray-painted on the asphalt. So much for anonymity. Exodus chalks it up to misunderstandings with other tenants in the complex.
Much of the physical security that we could see remains the same here, with one notable exception: the biometric pods. Exodus is installing automated access portals that allows one person to enter at a time. The company hopes this will eliminate "tailgating"—the process by which a second party follows an authorized user into the facility. Note to extremists: The biometric hand geometry scanners at all doors only work on live tissue.
Once youre through the security doors, the areas around each customer cage are all accessible. While Exodus claims that video surveillance covers 100 percent of the floor area, it seems to us that someone with a plastic SuperSquirter could defeat any metal detectors and do some serious damage. Again, our bags were not searched. Nevertheless, while everythings in plain view, we should note that Exodus does offer more secure facilities for those clients willing to pay to be kept out of sight.
Exodus take precautions regarding incoming customer gear, but not as many as it could. Jim Snyder, VP of corporate security, notes that while the company unboxes equipment and requires customers to approve installations, it does not inspect equipment. "Were in the risk-management business," he says, admitting that its all a balancing act—weighing the risks and assembling an appropriate defense against them. Snyder says that Exodus partially mitigates the risk by working with both law enforcement and intelligence agencies.
The company also performs penetration testing on its own facilities, using in-house talent and outside agencies. Exodus employees are subject to a background check, but customers are not. Snyder indicates that there is a customer "screening" process. His Secret Service experience may help insulate Exodus from terrorist threats, but our questions regarding industrial espionage went unanswered.
Finally, all the speculation about physical security may be moot in an age when you can wreak havoc from outside a data center. Were not just talking about the latest DNS (Domain Name System) vulnerability, denial-of-service attacks or the less-than-random way in which TCP/IP generates Initial Sequence Numbers. Lloyd Taylor of Keynote, an Internet monitoring company, asks, "Why bother trying to get in when all you have to do is to drive up, fire a pulse from a HERF [high-energy radio frequency] gun, and drive away?"
If such "spy novel" scenarios are enough to give you nightmares, take a look at what may be the worlds ultimate secure co-location facility: the bunkers of Mount10 (www.cope.de/default_e.htm), which are located in the Swiss Alps. Something to think about when looking for your next infrastructure provider.