Secure cloud doesn’t always mean your stuff in it is secure too

“Picking a secure cloud partner is not as trivial as it may seem. Don't assume that because the cloud is secure, your business within the cloud is secure,” Unisys’ chief trust officer Tom Patterson said today. Alongside Patterson and giving a joint keynote speech about lowering costs and risks in the cloud this morning was AWS …

  1. Anonymous Coward

    LOL

    Is he really trying to sell a PUBLIC cloud as secure? Even Donald Trump wouldn't try that..

    1. Anonymous Coward

      Re: LOL

      LOL. Another "someone else's computer" Luddite. Can you point to any breaches that were the result of one of the major 3 cloud providers? I can just about guarantee that the major cloud players would be more secure than anything most enterprises cobble together *in the areas they are responsible for*. Of course, if you decide to deploy insecure shit within their bitbarns or decide not to properly use the security features they provide you are still at risk - but the same applies to on-prem.

      1. Nate Amsden

        Re: LOL

        Generally it is far easier to deploy insecure shit in an IaaS public cloud, especially Amazon, when the defaults are to give every VM a public IP address, and their security groups stuff isn't the most intuitive in the world if you are getting beyond even a very basic level of usage (maybe it's better in past 5 years been that long since I had to use it).

        We've seen many articles about how things like unsecured S3 or Mongo databases in Amazon have been raided for data in recent years.

        vs on prem where it is far more likely most services are deployed behind a firewall with VPN, if for no other reason than limitations in public IPv4 availability.

        1. Anonymous Coward

          Re: LOL

          "maybe it's better in past 5 years been that long since I had to use it"

          <sigh>

          1. Nate Amsden

            Re: LOL

            Say what, AC?

            If it helps, as recently as last year I know a guy who has a highly technical background and was playing with Elasticsearch in Amazon cloud; he got hacked multiple times (Elasticsearch bugs or something).

            Which goes back to my original point of everything being on a public IPv4 address by default is generally a bad thing.

            I do not believe the security group situation has changed. Don't know about Azure or Google Cloud or other public clouds, but Amazon was absolutely terrible in pretty much every respect (and yeah, I met the head of Amazon cloud years ago along with his chief scientist where they tried to justify the issues would be fixed in the future, they never were).

      2. Anonymous Coward

        Re: LOL

        Can you point to any breaches that were the result of one of the major 3 cloud providers? I can just about guarantee that the major cloud players would be more secure than anything most enterprises cobble together *in the areas they are responsible for*.

        I wouldn't be so sure. They have no formal obligation to you to produce audit results, and you have no idea who they use to secure the platform so at this point all you have is hope. The key to cloud profit is a combination of volume and cutting corners - you won't know they've cut too much until it's too late, but guess who gets saddled with the liability of those breaches? Yes, you.

        I know one of the Amazon people because I more or less dragged his backside into the security world when he was still talking systems and I know he's very good at what he does, but I also know the game of numbers that plays in the background. God help you once accountants decide they can wring a few more pennies, sorry, cents on the dollar out of it. I've seen it before in both small and large setups, and it's always the customer who pulls the short straw (and notices last). The calculation is simple: even in the unlikely event you get proper compensation, they will have made more in profit.

        Keep in mind they're large enough to suffer corporate stupidity. In that respect I prefer a smaller outfit, at least I have some grip on them and I can screen them if required. The big ones just buy a positive audit.

  2. Frank N. Stein

    Public Cloud, Secure??

    Snake oil salesman with something to sell? Unconvinced.

  3. razorfishsl

    No different than my director thinking if he puts shit in the cloud it is "safer" for backups....

    He seems to miss the point that it is his database that stores the data, not the cloud.

  4. Al fazed

    Hopefuls line up here ..........

    This article concerns security and the informed industry spokesperson clearly says that "they" are still working on it.

    I suppose for a generally knowledged type of IT consumer, this kind of "nothing is better" statement is enough. So we have the situation now where most CEOs of top 500 companies in the UK would automatically believe this shit and then start telling the IT department to enter the mist and cloud over.

    Clouds are vague, insubstantial and are constantly changing form. There are lots of them and watching them is very nice for a while, but I wouldn't go as far as to be able to identify the dodgy ones. Not until it looks like rain anyway.

    Alf
