Re: What about requirements for secure documents?
And there's a plausible argument in favor of it, honestly. If there are 10,000 companies that need secure information storage, it arguably makes more sense for them all to outsource that work to one of a handful of companies that specialize in providing secure information storage, rather than every one of those 10,000 companies coming up with its own system for secure information storage.
Plausible? Yes. Conclusive? I am not convinced.
Firstly, if you have a smaller number of systems, even if each of them is individually less likely to be hacked or fail, the consequences of one doing so are greater.
It will usually increase the attack surface. An internal system may only be accessible from the local network, or the corporate VPN. A more centralised system will usually work over the public internet. Most big security breaches these days seem to be of systems accessible over the public internet, that do not need to be - including things such as databases in the cloud that only a few people need to access directly.
There is also the complexity added by systems - configuring things like AWS permissions is horrible and creates a lot of room for human error. Of course it's not the provider's fault, but it is inevitable.
Given the state of IT at a lot of companies that's probably not a very high bar to clear.
1. The same internal IT have to get these things properly specified and configured. We are just changing the required skill set from knowing OS and network security etc. to how to set up whatever provider's systems.
2. There is no bar so low I would trust the giants of IT to fail to limbo under.
This is also exactly why all the cloud companies have been working on security standards compliance and the ability to specify where in the world your data will be stored and all the rest of it.
The problem with security standards is that they easily become box ticking exercises.
With cloud stuff everyone can blame someone else and no one has their job on the line if they mess up.