On Sun, Dec 22, 2013 at 11:33 AM, Andrew S. Baker <[email protected]> wrote:
> Kurt, half of your points also apply to 3rd party infrastructure hosting
> (co-location, etc), and unless you're providing your own telecom services,
> or encrypting the data end-to-end, there is always a huge reliance upon 3rd
> parties.

Yes, my objections do apply to 3rd party infrastructure hosting. Our business doesn't colo, and we have IPSec tunnels between our offices - I'm also pushing for a second ISP. We have an internal PBX.

Yes, everyone relies on 3rd parties to some degree. It's the nature of the world - after all, I can't manufacture the computers on which the business runs.

OTOH, if we did use colo - and I'm pushing it for backups/DR/BC - it'll be on machines that have encrypted file systems, using encrypted links, and it'll be monitored at least as well as the internal infrastructure.

> >> One can argue that public cloud providers are better at IT operational
> >> security than most internal IT staff.
>
> There's no argument: Most internal IT teams lack knowledge and/or resources
> for adequate security when compared with cloud providers. Perform enough
> security assessments of different types of organizations and the patterns
> will become very, very clear.

Except when suborned or perverted by money, patriotism or blackmail:
http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220

> If your argument is that internal is always safer than cloud, then you have
> to remember that many cloud systems *are* in fact internal to someone. Just
> remember: Amazon's cloud infrastructure is internal to Amazon.

Amazon's cloud is external to its customers - Amazon's staff, procedures and infrastructure are a risk to its customers.

I don't argue that internal is always safer - but it's incontrovertible that 3rd parties add risk, because the more complexity you add to any situation, the more risk there is - if for no other reason than that there's more chance for things to go wrong.

Whether the 1st party is competent is a different matter, and one that's more tractable a problem than 3rd party risk, IMHO.

Kurt

