[lug] Suggested Colo's in Boulder, managed hosting?
Evelyn Mitchell
efm at tummy.com
Mon Mar 3 20:01:48 MST 2003
* On 2003-03-04 02:33 Bear Giles <bgiles at coyotesong.com> wrote:
> Zan Lynx wrote:
> >On Mon, 2003-03-03 at 17:00, Bear Giles wrote:
> >
> >>Besides that issue, some servers contain sensitive information
> >>that simply can't be trusted to third-parties. The crypto keys on
> >>my CA project, for instance.
> >
> >One reboot, a rescue disk and a kernel module later, and you don't own
> >your system anymore.
>
> You need to take a break from reading Slashdot. :-) Rackmount
> hardware is not the same thing as desktop PCs, and even the
> cheapest colocation facility has the racks under 24/7 video
> survelliance.
Even with rackmount hardware, physical access can override most security.
I realize that it is possible to spec a rackmount box without any removable
media. But, if you have access to the box, you can pull it from the rack,
and take the hard drive.
Is anyone watching the video stream? If a tech was working at the rack next
to yours, fully authorized, and tampered with your box when the colo space
tech was in the bathroom, would anyone know?
You have to trust someone, sometime. You also have to take reasonable
precautions.
It's not uncommon to have throwaway keys stored encrypted on a box. Then
you can hand out parts of the the wrapper key to your 'business
interruption key escrow' team, who can unlock the wrapper if they share
the parts of the pass phrase they have.
It is very unusual to store 'The SUPER Key' on a device which isn't
near your physical supervision, or in a very secure place.
Just my $0.02 worth.
--
Regards, tummy.com, ltd
Evelyn Mitchell Linux Consulting since 1995
efm at tummy.com Senior System and Network Administrators
http://www.tummy.com/
More information about the LUG
mailing list