I once covered a data center in the UK, that was well ahead of its time. It was built in a business park on a former US airbase in the East of England. Anticipating today’s vogue for going “off-grid”, it could operate entirely independently of the mains, on methane from a bio-digester fed by local agricultural waste.
The company spokesman told me the location also had an interesting Cold War museum, and when it was still an active military base, was the location of a famous UFO sighting.
He failed to tell me the name of the site, but I had enough information to get that from Google, and added it to the story, only to get an anguished call from him. “You can’t tell people where it is,” he said. “It has to be kept secret for security reasons.”
“Do you want me to remove the information about the UFO sighting?” I asked, “That adds some interest to the story.”
“Oh no, leave that in, just take out the name of the business park on a former airbase in Suffolk, equipped with a bio-digester.”
Fine, I said. Given all that, anyone can find the name of the site and its location on Google Maps. But leaving the name out of the article made the PR and his client happy.
Data centers have always suffered from this bogus secrecy. In the last couple of weeks, Amazon Web Services (AWS) has opened Regions in Canada and the UK based in actual data centers in those countries. The AWS publicity makes no mention of where those data centers actually are, and Amazon refuses to tell us.
Amazon plays it dumb
Amazon insists it can’t say where these data centers are for security reasons. I think it’s also marketing: keeping the exact locations private helps to promote the idea of a dematerialized cloud.
Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers…
But the whole point of putting facilities in new couintries like the UK and Canada is to offer localized data storage and handling within those countries to satisfy customers and meet their privacy and management requirements. Without a street address, can those customers really be sure they are getting what they paid for?
In an interesting discusion on an Amazon community page, customers asked for the street addresses of AWS sites in the US, and were told “Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers…”
One customer argues that as a customer on Amazon’s cloud, he and his partners are effectively “within Amazon”. Another says that his software provider, SAP, is demanding a street address where the software will run, so it can issue a license for software that will be run in the cloud.
There’s no response from Amazon.
The locations must be known
Given the interface between the cloud and the physical workd with its rules and requirements, AWS must be sharing this information with partners. They have an unarguable business need.
And for those outside with a non-business interest (or commercial hackers with a hostile business interest), it should be relatively easy to find out where they are.
The important issue here is physical attacks. It’s increasingly accepted that data centers could be subject to physical threats, such as electromagnetic pulse weapons, or denial of service attacks on the local grid. Amazon and the others believe - or at least, they tell their customers - that they are helping to keep their data centers secure by not giving their address.
This is of course entirely bogus. We already know that “security through obscurity” is a dud strategy in cyberspace. Why Amazon and the rest think it’s viable in the real world is beyond me.
A version of this story appeared on Green Data Center News