Symantec’s Melbourne Security Data Centre generates root keys for certificate authorities, a task that can’t be undertaken lightly given their vital role in online security. Here’s a photo tour of the rarely-seen and highly-secured centre, including the “Ceremony Room” used to generate the new keys.
Outsiders are rarely admitted to the centre, and no unauthorised photography is allowed. These pictures were supplied by Symantec following a tour of the location by technology journalists last week.
Signing in is an elaborate process; even getting to this stage requires you to pass through the first of several interlocked "mantrap" doors (you can't pass through one door while the other is open, and an alarm sounds if a door is held open for too long). The window of the reception area is made from bullet-resistant glass.
Cameras throughout the centre track everything. For a certificate ceremony, the entire process is recorded — even though some ceremonies can take up to two weeks to complete. (The script for a recent ceremony ran to 623 pages.)
Clocks track the time at Symantec's other active security locations around the world. There's also a customer service centre on the site.
Badges and fingerprints must be swiped quickly to avoid setting off an alarm.
To meet security and safety requirements, all cabling has to be entirely separate. Cable lengths are monitored, so a rogue device can't be patched into a run without the change showing up.
No-one is allowed to take any phones or cameras into the ceremony room. These pigeonholes don't have locks, but it's not as if strangers can randomly wander past.
All of the centre requires a swipe card and a fingerprint to access individual areas, but the room where the keys required to run a ceremony are stored requires two separate authorised people to sign in to access, hence the “No Lone Zone”.
The keys are stored in a pin-protected “container” (weirdly, it’s not allowed to be referred to as a “safe” in official documentation).
Anyone who knows the combination for the container is not allowed to also have authorisation to open the room where it is stored. That means a minimum of three people need to be admitted.
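The access rules for the key room and its container combine two classic controls: dual control (two authorised people for the "No Lone Zone") and separation of duties (the combination holder may not also hold room access). The following is an added example, not Symantec's code or procedure, that encodes those rules as a check over a proposed list of ceremony attendees; the `Person` fields and the rule wording are assumptions made for illustration, and the check is generalised slightly to also reject a single person signing in twice.

```python
"""Dual-control and separation-of-duties check for a key-room access plan.

Added example (not Symantec's code). Models the rules described for the
"No Lone Zone": the room needs two separately authorised people to sign in,
and whoever knows the container combination must not also hold room access,
so at least three people are needed. Field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    name: str
    room_access: bool = False        # authorised to sign into the key room
    knows_combination: bool = False  # knows the container's combination


def check_access_plan(attendees: list[Person]) -> list[str]:
    """Return the list of policy violations for a proposed group of attendees.

    An empty list means the group may open the room and the container.
    Rules (as described in the article, generalised slightly):
      1. Two distinct room-authorised people must be present (dual control).
      2. Nobody may both know the combination and hold room access
         (separation of duties).
      3. At least one combination holder must be present, or the container
         cannot be opened.
    """
    violations: list[str] = []

    # The same person signing in twice must not count as two people.
    names = [p.name for p in attendees]
    if len(set(names)) != len(names):
        violations.append("duplicate attendee: one person cannot sign in twice")

    room_holders = [p for p in attendees if p.room_access]
    combo_holders = [p for p in attendees if p.knows_combination]

    if len(room_holders) < 2:
        violations.append(
            f"No Lone Zone needs 2 room-authorised people, got {len(room_holders)}"
        )

    for p in attendees:
        if p.room_access and p.knows_combination:
            violations.append(
                f"{p.name} both knows the combination and holds room access"
            )

    if not combo_holders:
        violations.append("no combination holder present; container cannot be opened")

    return violations


def is_allowed(attendees: list[Person]) -> bool:
    """True when the attendee list satisfies every rule."""
    return not check_access_plan(attendees)


if __name__ == "__main__":
    # Constructed sample plans for illustration.
    good = [
        Person("Alice", room_access=True),
        Person("Bob", room_access=True),
        Person("Carol", knows_combination=True),
    ]
    bad = [
        Person("Alice", room_access=True, knows_combination=True),
        Person("Bob", room_access=True),
    ]
    print("good plan violations:", check_access_plan(good))
    print("bad plan violations:", check_access_plan(bad))
```

The three-person minimum falls out of the rules rather than being hard-coded: any plan with fewer than two room holders fails rule 1, and a two-person plan can only open the container if one of them is also the combination holder, which fails rule 2.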
The keys are stored in multiple separately secured boxes within the container.
The keys are used in the Ceremony Room, where all activities are recorded and logged.
The ceremony room itself is deliberately non-descript. The computers have no connection to the internet or any other external networks.
The key generation process is complex, time consuming and entirely scripted. If a lunch break is needed or a ceremony takes more than a day, everything has to be locked up again.
The odds of your being able to access the contents of that box are vanishingly low.
Disclosure: Angus Kidman travelled to Melbourne as a guest of Symantec.