Comment by michaelt
16 days ago
That's why it's important to choose a sysadmin who has the authority to SSH to servers. Joe SSHes in all the time, it's not an anomaly.
If you think a SOC2 auditor would spot something like this in a company the size of Apple or Google, you've probably never been through a SOC2 audit :)
I wish that I had not been through many SOC 2 audits. But the point was just that in a sufficiently large org that might have cross-continent data centers, it’s not common to have one person who can access remote data and cover their trail and turn off the alarms and all the other things required to do it surreptitiously. Possible? Maybe. Likely? Probably not.
In my experience, every sufficiently large org with data centres on multiple continents has an accretion of legacy systems and special exceptions.
And a heuristic anomaly detection system that generates masses of false alarms, and enough different teams and documents and policies to bury an army of SOC2 auditors. And so many log lines almost anything can get lost in the noise.
The janitors always have keys to everything. Especially when it’s required by law.