back to article Cloud computing's no PICNIC*: Yep, biggest security risks down to customer, not provider

Industry nonprofit the Cloud Security Alliance has published a report on the top threats to cloud computing, concluding that the biggest issues are caused by customers, not by the cloud "solution" providers (CSPs). In the early days of cloud computing, security concerns were centred on the risks of multi-tenancy (sharing …

  1. amanfromMars 1 Silver badge

    Problem In Chair Not In Computer, says report

    No shit, Sherlock. That gives a store of about 7.73 billion* bugs to investigate for any tendency to be problematical and/or uniquely creative and almighty capable. Good luck with the continuous monitoring of that.

    And from where do the Cloud Security Alliance imagine Solutions to reports of Problems in Chair Not In Computers will be coming from? Do they offer anything at all that can be followed in that Lead Situation?


    1. fwthinks

      Re: Problem In Chair Not In Computer, says report

      Essentially you (and they) are correct - the problem is with the people using the cloud service. However I would split the issue into two conflicting issues as I have sympathy for the IT people trying to secure their cloud environments

      1. Management see cloud as a cheap and simple solution to reduce staff and therefore costs - i.e. we don't need a central team, we can just let the devs create and maintain their own infrastructure.

      2. The cloud providers are engaging in a technology war to extend functionality and complexity. It takes a lot of time and effort to keep up to date with the changes and new features.

      If you are trying to maintain an infrastructure platform which is constantly changing and evolving under you, then unless your company pumps money into keeping staff trained, and that platform maintained and secure, something has got to give.

  2. jake Silver badge

    So let me get this straight ...

    ... you're saying that adding more layers to corporate security increases the size of the attack surface, and adds new attack vectors, thus making it inherently less secure with no real way of mitigating the new level of insecurity?


  3. Doctor Syntax Silver badge

    Rice-Davies applies

    They would say that, wouldn't they?

    If the customers get things wrong so frequently it has to be asked if the vendors are doing enough to help them get it right.

    1. Anonymous Coward
      Anonymous Coward

      Re: Rice-Davies applies

      They might well do - for a price. The vendors aren't there to do this sort of stuff for free, right?

      I just don't get the C-Suite ethos that they think that Cloud is cheap and its all automagically done for you, so dump their tech experts, lift and shift to the Cloud (note, not redesign FOR the cloud - very important point) and then think everything is rosy. Then they start bitching when the ass falls out of their world because they get compromised.

      1. Kabukiwookie Silver badge

        Re: Rice-Davies applies

        I just don't get the C-Suite ethos that they think that Cloud is cheap and its all automagically done for you

        Easy, Dunning-Kruger hard at work.

        They can get their iPhone to work without any issues. How hard can it be for 'less intelligent people' (remember those people are on a lower rung of the corporate hierarchy, so they must be otherwise they wouldn't be where they are), to configure some Cloud solution.

        1. Anonymous Coward
          Anonymous Coward

          Re: Rice-Davies applies

          "I just don't get the C-Suite ethos that they think that Cloud is cheap and its all automagically done for you"

          Cloud vendors promote that very mindset and behavior. The result should not be a surprise.

        2. quxinot

          Re: Rice-Davies applies

          >Easy, Dunning-Kruger hard at work.

          There is an argument for the Peter principle being at work here, additionally.

          Though there's the other thought, looking at who paid for the research--you can pretty much see who did the funding and assume the output.

          1. rskurat

            Re: Rice-Davies applies

            Odd, isn't it, that they can spend two or three years getting an MBA, and either never hear about Dunning-Kruger or the Peter Principle, or be utterly certain that neither one applies to themselves?

        3. fredesmite

          Re: Rice-Davies applies

          Coined in 1999 by then-Cornell psychologists David Dunning and Justin Kruger, the eponymous Dunning-Kruger Effect is a cognitive bias whereby people who are incompetent at something are unable to recognize their own incompetence

  4. K

    The biggest risk is not the applications...

    Its the "Cloud Evangelist" morons who preach AWS Security Groups are adequate, and all the value-added security tools such as AWS Guard Duty that are state of the art! ... Ironically, I can name half a common house-hold names with this attitude (all "Tech" companies), and one is very famous FTSE100 company that does exactly this (and their whole platform is based upon it)

    Rather than asking the question - Wny would AWS do this? when they earn far more by up-selling services from "Partners", from Splunk, ThreatStack, Palo Alto Networks etc, who each host their warez in AWS, and as service providers, they spend far more with AWS... So its double Peso's for the Bezo's Money Machines (Copyright 2019, K slogans)

  5. Anonymous Coward
    Anonymous Coward

    Multicloud is just fine

    "Using multiple cloud providers adds complexity, as each provider has unique capabilities which are enhanced and expanded almost daily," the group said.

    Total BS.

    Large enterprises that use multicloud typically have teams running and managing entirely separate applications with loads of pros with different competencies. Not just application development competencies but also using cloud IaaS to deploy those applications. It's not like they simply hire generic IT people/devs to run these things and then mix and match across the organization where a common skill set is needed.

    Small orgs that do hire for more generic roles would have a problem but those aren't the companies using multiple clouds for IaaS.

  6. Anonymous Coward
    Anonymous Coward

    This title is purposefully left blank.

    Upvote for Dunning-Kruger, 'cos it's funny, but not the whole story...

    There is a significant disconnect between what is preached to customers by people desperate to keep their job / earn commission and the reality of designing, project-managing, implementing, migrating data, operations, and securing workloads in the cloud.

    It is possible - I do the designing*, securing (L4-7 mandatory), and implementing for my day job.

    (*Includes correcting "perception" issues caused by sales. One reasons why I will not move to any Sales role.)

    But back to the article, cloud projects are far more at risk from the customer attitude, culture, and turf wars, than from the strengths or weaknesses of the public cloud(s) they are using.

    Anon - for obvious reasons.

  7. c1ue

    The question I would ask is:

    if the cloud is inherently more complex than on-prem - how much of the cost savings is really in the form of less inherent security?

  8. WangluXiaoyu

    Never underestimate the power of a small group of committed people (who are committed to maximizing quarterly incentive comp by shifting capex > opex) to change the world.

  9. fredesmite

    Remember - Cloud computing . .....

    Is nothing more than putting your crap on someone else's computer that other people are using , and expecting the owners to care more about it than you do..

    No wonder nothing works anymore. You can't find anyone responsible for anything.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022