
"Go to the cloud", they said.
What could possibly go wrong?
A ransomware infection at a cloud IT provider has disrupted services for 60 or so credit unions across the US, all of which were relying on the attacked vendor. This is according to the National Credit Union Administration, which on Friday told The Register it is fire-fighting the situation with the credit unions downed this …
Go to the cloud ... what could possibly go wrong? A thunderstorm, a tornado, a hurricane with only 38 inches of rain ... ransomware is actually worse these days. So I'll update a Brendan Behan quote from years ago into today's world ....
"The Internet is a lovely consolation to a fellow alone in the cell these days. The lovely cloud access with a bit of ransomware stuffing in it, if you could get a few million pounds it is as good a smoke as I ever tasted."
The cloud is great for some applications, but not most applications, and certainly not all applications. The cloud is great for things which have large demand-swings, and have no uptime requirements, and also host public, non-confidential, non-PHI, non-proprietary, non-secret data: VirusTotal (.com) is such an example.
One reason the cloud sucks for anything a company ought to keep private is because of the business model the cloud companies use: it's just like the business model used by many service-hosting companies (email, web sites, etc.) -- the hosting companies use as few, and as minimally-trained staff as they think they can get away with, and provide as little support as they think they can get away with, because (some of) their profit is the difference between their personnel costs and the rates they charge their customers.
Another reason the cloud sucks for anything a company ought to keep private is because the cloud-hosting companies are so big, and a staffer's brain-fart or keyboard fat-fingering can affect swathes of virtual systems.
On the other hand, if smaller credit unions were running their own internal IT operation, the level of competence would vary widely. Some might have all the latest patches and technology, and others see it as a cost center and they are running antiquated technology that's updated only as required by outside regulation, and you have no way of knowing which side your credit union is on until it is too late.
The service providers are hopefully more likely to be on the 'well run' side of things since providing that service is their company's main business. That's no guarantee they are, and even when you do things "perfectly", if you're hit with a zero-day flaw there's nothing you can do about it.
"Security through obscurity" has historically proven to be a flawed method. There's always at least one knowledgeable, skilled techie willing to pimp his/her/their services out to criminals. (There are also less-knowledgeable, less-skilled techies willing to pimp their services out to criminals, but those people tend to end up in the headlines, either as nicked by the coppers, or killed by their dissatisfied employers.)
"The Cloud", this magical thing that is getting sold all over.
When all it really does is make security that much harder because you're never sure who really has access to that stuff, and if your internet craps out you can't get to it anyway.
Don't get me wrong, it's a great solution for some stuff, but too many people are putting all their eggs into that one basket, and it's going to bite them hard.
Oh, wait, it already did. Meh, they won't learn their lesson, since the folks who get yelled at to fix it aren't the ones who made the decision to purchase the crap in the first place.
(yes, I'm still bitter)
One advantage of "the cloud" is that you should be able to delete the main hosting account and bring up a clean replica in a day. Most serious companies practice bringing up a replica annually. It's part of a process called disaster recovery.
If I was buying cloud services from a disaster recovery business that can't do this, I'd want a retroactive refund.
For anything important, digital should be treated as an unreliable luxury layer on top of a core physical service.
Keep as much stuff offline as you can, train your staff and pay your techs well, and maintain good security and encryption for online services.