Comment by bilekas
16 days ago
> By the way, this is similar to why for true GDPR compliance, data centers should be operated by EU companies that aren't subsidiaries of US companies, because even if the latter operate data centers located in the EU, they would still be bound to secret orders by the US government.
This is interesting, I know GDPR does not mandate data localization but I was under the impression that the requirements are a bit more difficult/stringent for transferring data out of the EU region? While not perfect, it's a bit less 'open door' than it would be if it was hosted in the US.
The EU has a law saying "don't transfer data out of the EU without the right paperwork, but of course if your American sysadmins have SSH access to servers in the EU to do maintenance that's no problem, just tell them not to copy the data off it"
The US has a law saying "If our spies tell American sysadmins to SSH into a server in the EU and copy data off it, they must do it and they must keep it secret"
I’ve never worked in a company with data the gov’t cared about that wouldn’t have sirens going off. Why is Joe SSHing into the EU data center? And now why’s he trying to turn off the GuardDuty rule that caught him? And why is he trying to delete that from CloudTrail? And why is the SOC 2 auditor asking why he has access to delete things from CloudTrail in the first place?
You’d have to get a surprising number of people to go along with it.
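As an added illustration of the "sirens" the comment above describes (example code, not from the thread or any participant): a small Python check over constructed CloudTrail-style records that flags the calls which weaken or erase the audit trail. The event and service names are real CloudTrail/GuardDuty API names; the account id, user names, detector id and trail name are constructed.

```python
# CloudTrail API calls that disable or delete audit logging (real event names).
TAMPER_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
}

ACCOUNT = "111122223333"  # constructed account id

# Constructed sample records in the shape of CloudTrail events.
SAMPLE_RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/joe"},
     "requestParameters": {}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
     "awsRegion": "eu-west-1",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/joe"},
     "requestParameters": {"detectorId": "abc123", "enable": False}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
     "awsRegion": "eu-west-1",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"detectorId": "abc123",
                           "findingPublishingFrequency": "FIFTEEN_MINUTES"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "awsRegion": "eu-west-1",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/joe"},
     "requestParameters": {"name": "org-trail"}},
]


def is_tampering(record):
    """True when the record disables/deletes logging or detection."""
    names = TAMPER_EVENTS.get(record.get("eventSource"), set())
    name = record.get("eventName")
    if name not in names:
        return False
    # UpdateDetector is routine (e.g. changing publishing frequency)
    # unless it actually switches the detector off.
    if name == "UpdateDetector":
        return record.get("requestParameters", {}).get("enable") is False
    return True


def find_tampering(records):
    """Return (actor, event, region) for every tampering record."""
    return [(r["userIdentity"]["arn"], r["eventName"], r["awsRegion"])
            for r in records if is_tampering(r)]
```

Note that the routine session of an admin who is supposed to have access is not what this flags; the signal is the attempt to weaken the trail itself, which is why the trail should live where the operating team cannot delete it.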
That's why it's important to choose a sysadmin who has the authority to SSH to servers. Joe SSHes in all the time, it's not an anomaly.
If you think a SOC2 auditor would spot something like this, in a company the size of Apple or Google - you've probably never been through a SOC2 audit :)