
Posted by firefoxd 2 days ago

We installed a single turnstile to feel secure (idiallo.com)
242 points | 102 comments | page 2
arjie 3 hours ago|
Electronic audit trail makes SOC2 report easier for auditors. You can use paper trail instead, but electronics makes it easier. Few things in the world are required, but some of these compliance things are 'viral' in that if you're a vendor to a guy who needs compliance you need to practice the standards as well.

Besides, visibility is sufficient as a deterrent. Back in India, there'd be a big difference between leaving an old man in a chair in front of the shop and having exactly zero people in front of the shop. There are classes of people you deter with the former who will not be deterred by the latter. The old man is not 'security' - anyone motivated can shut him up without much effort. And yet his presence works.

ARandomerDude 5 hours ago||
Whenever I see this in practice I always think a determined killer would clearly know not to attack the “secure” building. Rather, attack the densely-packed line of people waiting to swipe their badges.

Unnervingly, this usually occurs to me when I’m waiting patiently in the densely packed line of fellow targets.

knallfrosch 7 hours ago||
Those turnstiles were inefficient (slowed legitimate users down), but not security theater (they really blocked unauthorized access.)
Scubabear68 7 hours ago||
Many years ago I was doing due diligence on a point of sale hardware company, I had to head up to an acquisition they had done. People bitched and moaned about the level of physical security added, and when I asked them why they were so upset, they told me to go to the loading dock in the back.

The loading dock was kept completely open "because it's hot and we don't have A/C back here!".

amluto 7 hours ago||
Turnstiles have a genuine security benefit compared to door and elevator security: convincing people not to let their coworkers in the door or up the elevator is difficult because the actual request (“close the door behind you, thus blocking the friendly person trying to go through, so they scan their card”) is genuinely obnoxious. But a turnstile really does fundamentally let one person through, even if it’s easy to bypass.
Izkata 5 hours ago|
And then there's full-body turnstiles. Ugly, but good luck bypassing that.
TYPE_FASTER 4 hours ago||
Put on a UPS/FedEx uniform, put somebody in a box, and drop them off at receiving.
XorNot 2 hours ago||
So they can die from dehydration while we spend 3 days trying to figure out who ordered the weird coffin-sized box no one's coming to claim?
ryanjshaw 4 hours ago||
Could have been worse. Anybody remember that story where the keycard readers would randomly work and eventually it was discovered the log file had grown huge and was being appended by reading the whole thing into memory over the network, appending the line, and writing the whole thing back out again, thus creating the random pattern because I guess it would sometimes time out?
jacquesm 6 hours ago||
Funny. We had a security guard that had memorized all the faces of the employees. If he knew you he'd buzz you through. If he didn't know you you'd have to be vouched for by someone that he did know or by showing your credentials. By day #3 he'd know you, and he also somehow knew when you were no longer with the company.

There never was a line and there were 1400 people in those buildings.

I never realized how incredible that guy's contribution was but this story made it perfectly clear.

Also, I don't actually buy the story as related here. It would seem to me that within minutes of that queue building up the turnstiles + card system would be disabled because something clearly was not working.

hughw 6 hours ago|
Also... three buildings with 13 storeys? With all the trouble builders go to to avoid 13th floors.
CydeWeys 6 hours ago||
I'm not really sure what the point of this article is. Yes, obviously, you need to implement systems that are secure and performant so that you don't get a backed-up line of people waiting an hour just to get into the office in the morning. But that's a notably flawed rollout; millions of employees go into badge-in-required offices every day without issue. And it's kind of hard to imagine running a large office while lacking such basic physical security as "keep unauthorized people out of the building". Having electronic badges and readers is table stakes.
SiempreViernes 6 hours ago||
Yeah, it got very strong "hello, I'm from the internet and this meatspace thing you are doing is wrong" vibes.
Rapzid 5 hours ago||
I thought the point is store your passwords in Redis because it's WebSecure.
Liftyee 7 hours ago||
Lift (elevator) sidenote: there are fancy well designed ones where the turnstile communicates what floor you need to go to to the lift, and a "destination dispatch" system assigns/batches groups of passengers with similar/same destinations to the same lift car to improve efficiency.
mdavid626 5 hours ago|
I feel the same way. Once I worked with a junior developer, who was really eager to develop stuff. He was tasked to create a development environment, where we can test features. Nothing fancy, just some scripts and simple containers.

He used copies of the production database, but forgot to set the admin password. The machine in EC2, public on the internet.

It was fixed a few weeks later. But the connection still doesn’t use SSL, sends passwords in plain text.

Yeah, he doesn’t really like criticism about his work…

I always think about the phrase:

“Security is our highest priority”

Sure.
