These systems are designed to resist individual operators subverting controls—competently built cloud infrastructure doesn’t allow subversion of access controls to production systems even with physical access to data halls. I’ll speak to AWS’s controls in particular as an example, but I want to emphasize that this is a metonym for any competently run CSP.
AWS’s Nitro System is specifically architected with “zero operator access”—there is no mechanism for any AWS personnel, including those with the highest privileges, to access customer data. These are designed and tested technical restrictions built into the hardware itself, not policy controls that can be overridden. The system uses tamper-resistant TPMs with hardware roots of trust, and there is no equivalent of a “root” user or administrative bypass—even for maintenance.
This has been independently validated by NCC Group, who found “no gaps in the Nitro System that would compromise these security claims” and “no indication that a cloud service provider employee can obtain such access...to any host.” You may also enjoy as a bonus a quick read through the Mantle whitepaper.
The assumption that datacenter executives could “just walk up to” machines and exfiltrate data conflates physical proximity with system access. Physical access to a server room doesn’t necessarily grant access to customer data.
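To make the "hardware root of trust, no administrative bypass" argument above concrete, here is an added toy model. It is my own illustration, not the commenter's code, not AWS's, and not Nitro's actual protocol or data formats. It assumes a hypothetical `SimulatedRootOfTrust` whose key the host cannot read (an HMAC stands in for the asymmetric signature real hardware would produce), a hypothetical `KeyReleaseService` that plays the role of a key-management service with an attestation condition, and a constructed three-component boot stack. The point it shows is that a data key is released only to a host whose measured boot state matches policy, so changing a measured component or forging a report without the device key leaves the key withheld.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed device attestation key. In real hardware this never leaves the
# root of trust; here it is simply a secret only SimulatedRootOfTrust holds.
_DEVICE_ATTESTATION_KEY = secrets.token_bytes(32)


def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """TPM-style PCR extend: new = H(old || H(component)). Order-dependent, one-way."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measured_boot(components: list[bytes]) -> bytes:
    """Measure every boot component into a single PCR, starting from all-zero."""
    pcr = bytes(32)
    for component in components:
        pcr = extend_pcr(pcr, component)
    return pcr


class SimulatedRootOfTrust:
    """Hypothetical device that signs attestation reports with a key host software cannot read."""

    def __init__(self, key: bytes = _DEVICE_ATTESTATION_KEY):
        self._key = key

    def attest(self, pcr: bytes, nonce: bytes) -> bytes:
        # A MAC stands in for the asymmetric signature a real device would produce.
        return hmac.new(self._key, pcr + nonce, hashlib.sha256).digest()

    def verify(self, pcr: bytes, nonce: bytes, report: bytes) -> bool:
        return hmac.compare_digest(self.attest(pcr, nonce), report)


class KeyReleaseService:
    """Hypothetical KMS: releases a data key only to a host whose attested PCR matches policy."""

    def __init__(self, root: SimulatedRootOfTrust, expected_pcr: bytes, data_key: bytes):
        self._root = root
        self._expected_pcr = expected_pcr
        self._data_key = data_key
        self._nonces: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._nonces.add(nonce)
        return nonce

    def release(self, pcr: bytes, nonce: bytes, report: bytes) -> bytes | None:
        if nonce not in self._nonces:
            return None  # stale or replayed report
        self._nonces.discard(nonce)
        if not self._root.verify(pcr, nonce, report):
            return None  # report was not produced by the hardware root
        if not hmac.compare_digest(pcr, self._expected_pcr):
            return None  # host booted something other than the approved stack
        return self._data_key


# Constructed "golden" boot stack; the release policy is pinned to its measurement.
GOLDEN_STACK = [b"firmware v1", b"hypervisor v1", b"enclave image v1"]
GOLDEN_PCR = measured_boot(GOLDEN_STACK)
DATA_KEY = b"\x11" * 32  # constructed sample key


def request_key(kms: KeyReleaseService, root: SimulatedRootOfTrust,
                boot_stack: list[bytes]) -> bytes | None:
    """What a host does at boot: measure, fetch a challenge, attest, ask for the key."""
    pcr = measured_boot(boot_stack)
    nonce = kms.challenge()
    report = root.attest(pcr, nonce)
    return kms.release(pcr, nonce, report)


def scenario_genuine() -> bool:
    """Approved stack: key is released."""
    root = SimulatedRootOfTrust()
    kms = KeyReleaseService(root, GOLDEN_PCR, DATA_KEY)
    return request_key(kms, root, GOLDEN_STACK) == DATA_KEY


def scenario_modified_firmware() -> bool:
    """A measured component differs: measurement changes, key withheld."""
    root = SimulatedRootOfTrust()
    kms = KeyReleaseService(root, GOLDEN_PCR, DATA_KEY)
    tampered = [b"firmware v1 (modified)", b"hypervisor v1", b"enclave image v1"]
    return request_key(kms, root, tampered) is None


def scenario_forged_report() -> bool:
    """Report claims the golden PCR but lacks the device key: rejected."""
    root = SimulatedRootOfTrust()
    kms = KeyReleaseService(root, GOLDEN_PCR, DATA_KEY)
    nonce = kms.challenge()
    forged = hmac.new(b"not the device key", GOLDEN_PCR + nonce, hashlib.sha256).digest()
    return kms.release(GOLDEN_PCR, nonce, forged) is None


if __name__ == "__main__":
    print("genuine boot gets key:", scenario_genuine())
    print("modified firmware denied:", scenario_modified_firmware())
    print("forged report denied:", scenario_forged_report())
```

The scope of this check is exactly the scope of the measurement: it can refuse a key to a host whose measured components changed, but it says nothing about state the PCR never captured, and it is an attestation model, not a model of Nitro's hardware.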
You can’t just walk up, but there is an extremely long history of easily available exploits given unlimited hardware access to systems, and the datacenter hardware stack is not up to the task (yet). Indeed, Anthropic themselves published a whitepaper outlining what would be necessary for datacenters to actually promise security even with physical hardware violations, which IMO clearly implies they do not think current datacenters meet that requirement!
Like, this is not an impossible problem to solve, but based on having engaged with the literature here a good amount, and having talked to a bunch of people with experience in the space, my strong sense is that if you gave me unlimited hardware access to the median rack that has Anthropic model weights on it while it is processing them, it would only require a mildly sophisticated cybersecurity team to access the weights unencrypted.