The futile game of secret data center locations
I once covered a data center in the UK that was well ahead of its time. It was built in a business park on a former US airbase in the East of England. Anticipating today’s vogue for going “off-grid”, it could operate entirely independently of the mains, on methane from a bio-digester fed by local agricultural waste.
The company spokesman told me the location also had an interesting Cold War museum, and was once the site of a famous UFO sighting.
He failed to tell me the name of the site, but I had enough information to get that from Google, and added it in the story, only to get an anguished call from him. “You can’t tell people where it is,” he said. “It has to be kept secret for security reasons.”
“Do you want me to remove the information about the UFO sighting?” I asked. “That adds some interest to the story.”
“Oh no, leave that in, just take out the name of the business park on a former airbase in Suffolk equipped with a biodigester.”
Fine, I said. Given all that, anyone can find the name of the site and its location on Google Maps. But leaving the name out of the article made the PR and his client happy.
Data centers have always suffered from this bogus secrecy. In the last couple of weeks, Amazon Web Services (AWS) has opened regions in Canada and the UK based in actual data centers in those countries. The AWS publicity makes no mention of where those data centers actually are, and Amazon refuses to tell us.
Amazon insists it can’t say where these data centers are for security reasons. And it’s also true that keeping the exact locations private helps to promote the idea of a dematerialized cloud.
But the whole point of putting facilities in new countries like the UK and Canada is to offer localized data storage and handling within those countries to satisfy customers and meet their privacy and management requirements. Without a street address, can those customers really be sure they are getting what they paid for?
In an interesting discussion on an Amazon community page, customers asked for the street addresses of AWS sites in the US, and were told "Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers..."
One customer argues that as a customer on Amazon’s cloud, he and his partners are effectively “within Amazon”. Another says that SAP is demanding a street address to issue a license for software that will be run in the cloud.
There’s no response from Amazon.
Given the interface between the cloud and the physical world, with its rules and requirements, AWS must be sharing this information with partners - because they have an unarguable business need.
And for those outside with a non-business interest (or commercial hackers with a hostile business interest), it should be relatively easy to find out where the data centers are.
There’s an important issue here, and it’s physical attacks. It’s increasingly accepted that data centers could be subject to physical threats, such as electromagnetic pulse weapons, or denial of service attacks on the local grid.
Amazon and other cloud providers may be trying to keep their locations secret in an attempt to prevent these attacks, but it won’t work.
We already know that “security through obscurity” is a dud strategy in cyberspace. Why Amazon and the rest think it’s viable in the real world is beyond me.