You've tossed out a few red herrings and a couple of valid points. I'll try to address them in order.
this tells me that there is somebody that holds access above the other users, basically missing the point here.
No, I haven't missed the point at all. The point is to distribute the responsibility with sufficient checks in order to ensure that misbehavior will be caught and dealt with in a timely fashion. Is it possible someone could scheme up a way to slide abuses past the admins? Of course it is. But between good backups, fascistic logging, role-based access control, and routine audits by the change control committee, the risk is minimized.
There's no one person who holds the "keys to the kingdom". No critical data is stored on the machines themselves; it's all stored on centralized storage. The folks who admin the automated root password changes don't have any access to storage; the storage folks typically don't have any access to the systems.
Again, that means that there's somebody administering the logging system. and I almost assure you that even if their logins are listed somewhere: they have full access to remove those entries and make it look like it never happened.
Incorrect. I didn't cover this in my original post, but logs are (and should be) stored on write-once media. You can designate volumes on modern storage media so that, once written, it can never be altered without destroying the entire volume. We use this extensively.
say I have a machine that stores credit card numbers on a DSS approved network that's locked down in the ways you describe above. at the admin level, it would take me minutes to provision a machine to replicate the target. I don't mean replicate as in contents, I mean replicate to the network view.
Once again, distributed access can prevent this. The network team and the sysadm team aren't the same teams. Every port on your switch is disabled until it's enabled by the network team. Even once enabled, that port must be on the same VLAN as the hypothetical credit-card storage system.
That's once again where fascistic logging and automated reporting come into play. If a port is disconnected, unless a host has been blacked out with an appropriate change control ticket filed, the port disconnection generates an immediate Priority 1 service request to investigate.
If a drive is removed from centralized storage, that also generates an immediate P1 ticket. The sysadm's access would have been logged the moment he swiped his badge, and cameras throughout the data center capture the switch-over.
A corrupt admin can do a lot of damage, I admit. There's no getting around it. But with sufficient logging -- and yes, I include physical surveillance as "logging" too -- they're not going to get away with it.
the replicated machine can be tunneled into place and act as if it was the machine in question.
Now this is the red herring. If you've ever done ANYTHING major with credit cards in a data center, you are aware that you're subject to yearly audits of your infrastructure by Payment Services. They do a deep-dive of your systems to enforce a huge number of requirements. I can't go into it here. It literally fills a large book, and they go over it line-by-line with all the admins involved, every single year. I've been through several of these, and each year it gets broadened to cover more potential issues.
Chief among these requirements? A separate admin/management network from the front-end/back-end network. You can't "tunnel in" to that network and make it "act like" another system. The network is an unroutable private VLAN or fibre-channel connection.
at this point, I can reverse firewall the unit preventing it for calling for help or reporting the changes I make. I can snapshot the drive and move it offsite
Yet another red herring. Databases must be encrypted in order to pass payment services audits. As do the backups. Maybe you could grab the encryption key, but then you have to pull a whole shelf off of an EMC or Netapp storage unit, with intimate knowledge of the storage layout. Once again, separation of responsibilities protects you here.
And if you tried to walk out of our Tier 4 data center with a spare hard drive or three in your bag, you'd get locked up. I can't go into all of the specific precautions, but some are common knowledge: metal detectors, mass-change mantraps, retinal scanners, and non-random (read: everybody gets one) bag searches.
Until CPU's are made to understand the "two key" approach to authentication, any machine will be susceptible to weak physical security.
Agreed. That's why any Payment Services machines have strict physical security requirements, and your hypothetical credit-card-data situation is a red herring. A system that would allow an admin to VPN in and "tunnel" a virtual machine as part of the payment services cluster would never pass an audit.
On the other hand, every year they revise the handbook for the audits because of the new exploits performed in the past year. So you're always playing catch-up with the crooks. I don't know a way to reverse that role. If you figure it out how to always stay one step ahead of the bad guys, would you please tell the TSA so they don't touch my junk next time I fly?