>For those who say cloud isn't less secure than on-prem...
I mean that's fundamentally untrue, simply from a trust, venn-diagram point of view. With cloud you have to assume an additional trust with a third party that you don't with on-prem.
Is this difference meaningful? that's arguable. But no matter which way it's argued it's still fundamentally true that in direct comparison between a cloud-hosted and self-hosted system, the cloud-hosted version inherently requires that a higher level of trust.
I agree with OP, but this is not true. You can trust Amazon to be better at security than you are. In essence, depending on how (in)competent you are, cloud allows you to convert money into security.
If I am a complete zero when it comes to securing my home, and I get a professional contractor to do it. Is that "inherently less secure" because I have to trust him, now, too? Not necessarily, if he does a much better job than I would have done. It can make up for that extra trust.
If you are as competent, or more, than Amazon: sure. You are right. But not all of us are so lucky :)
>You can trust Amazon to be better at security than you are.
You can't blindly trust them to be that, rather you determine them to be that. On an individual provider level you can definitely assess their capabilities and make that determination. But any attempt to blanket extend that to 'cloud providers' is an absurdity.
There is no common element among 'cloud providers' that makes one provider's competence at security extend to any other provider under that same banner. Yet today common groupthink is 'cloud hosting is more secure than self hosting'. Nonsense.
A simple reword reveals the absurdity: 'Allowing other people to run your IT systems is more secure than running it yourself'. The buzzword 'cloud' somehow turned a nonsense into a widely parroted myth.
I don't see how that's absurd. There is absolutely no way I could run a system myself that's more secure than what I could get by paying someone else to do it.
Again, a blanket statement that can't possibly be true.
What system are we talking about? What third party are you talking about that you're gonna hand money over to do this on your behalf? These things matter, and there are many answers to those those questions where yes, you could indeed deploy and run a system yourself and be more secure than a provider, because for what you say to be true, your relying on a false belief that because someone offers a service (whether for money or not), that inherently makes them more competent than you to operate and secure that service.
There are cloud service providers that are able to offer a more secure base service than 99% of it's consumers would be able to create independently. I am not challenging that assertion. I'm challenging the commonly-expressed belief that individual cases where that is true in any way extends to the blanket claim being made in the parent. That is 'Some cloud providers are more secure than their customers therefore all cloud providers are more secure than all their customers'. No. Absurd.
This is something that can be proved for individual suppliers and with suitable assessment/verification processes. To extend that to 'cloud providers' as a whole is absurd. If you can't see that then fair enough, I truly wish you luck because that's ultimately all you'll be relying on if you choose to play in this space.
When you say 'There is absolutely no way' what you must surely mean is 'Under certain circumstances it is the case that'.
I remind you of one simple example: Dropbox ran for a significant period of time with a system that allowed any person to log into any dropbox account, with any password.
> You can trust Amazon to be better at security than you are.
Unless you have more access to Amazon internals than everybody else, then you can't really know that for sure. Even if you did, it's only true if you've decided to let it be that way. There's nothing stopping a company from hiring great security people, and implementing their own great security.
Also, there are many scenarios, like a defense contractor handling sensitive information, where I would expect the the in-house (or in-government, I guess) security to be a lot better than Amazon's.
> There's nothing stopping a company from hiring great security people, and implementing their own great security.
Money.
We can afford to pay Amazon for their services and reap the benefits of their security investment and experience as part of the purchase.
We can't afford to hire someone to be dedicated to security.
If you're a small business, and/or security isn't one of the core components of your business, chances are you'll make better use of your security 'budget' (or lack thereof) dollar-for-dollar by paying Amazon.
I've also worked for a defense contractor, and the company I worked for, and the facility I worked at, took securing classified information very seriously. The consequences for screwing it up can literally be prison time, so I'm really surprised to hear the company you worked for didn't take it more seriously.
In this specific case, it doesn't sound like the "sensitive Pentagon Files" were classified at all, though, so it's probably not as big of a deal as the article is making it out to be.
The main issue is not necessarily security in the traditional sense, but rather the proper use of the security that AWS provides. In this case, AWS more than delivered by providing plenty of options to secure the files. You can make them private, use encryption, generate temporary access URLs, etc. However the user (contractor) simply made a mistake and misconfigured the service. This is why I developed https://cloudsploit.com - to catch these kinds of misconfigurations before they bite you. It's not enough to just have security available you actually have to implement it properly.
You're right that's a huge issue also - And Amazon (to use your example) also takes great pains when engaging with customers to stress that their security competencies and certifications absolutely do not extend to a customer's use of their platforms.
For an obvious example, if Amazon has PCI DSS compliance and a customer comes along and builds a payment gateway on AWS services, that customer is not also PCI DSS compliant by extension.
But this thinking extends to all of the security assertions/certifications/measures that Amazon puts forth.
That is to say, 'we secure the platform but you can absolutely make an insecure mockery of a system on top of that platform'. In all cases you must implement your own security protections and processes on top.
I mean that's fundamentally untrue, simply from a trust, venn-diagram point of view. With cloud you have to assume an additional trust with a third party that you don't with on-prem.
Is this difference meaningful? that's arguable. But no matter which way it's argued it's still fundamentally true that in direct comparison between a cloud-hosted and self-hosted system, the cloud-hosted version inherently requires that a higher level of trust.