I see a lot of articles say things like "They now run this service in the cloud—which brings its own set of security challenges." I wish they would equivalently write "They run their IT in their own data centres—which brings its own set of security challenges."

DIY infrastructure? Oh that's obviously secure. Professionally-run commercial clouds? Whoa, they're risky.

@paco I've never been in a position to implement either of the two. And of course there are pros and cons to both according to your needs. But I'm also not dumb enough to think my security would be better than Google's or the other big corps.

@paco Well put.

To play devil's advocate, the advantage of running on-prem services is you accept all the risk. With cloud / off-prem services, it's the provider you're putting trust into.

My thinking is: When I set up my on-prem stuff, I do it to the best of my ability and I can see EVERYTHING I might do wrong. Root access, basically.

With off-prem, I can't effectively control what fuckery Amazon/Google is up to and I can't influence them to do otherwise.

@paco Case in point: One of the sites I used was using plaintext password storage. I told them it's bad practice.

Their reply?

"Just don't reuse passwords, man! We're fixing it, ETA 2 months."

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.