*>>Amazon's cloud is external to its customers - Amazon's staff, procedures and infrastructure are a risk to its customers.*

That's as illogical a statement as the following: *XYZ Bank's technology infrastructure is external to its customers - XYZ Bank's staff, procedures and infrastructure are a risk to its customers...*

*>>Except when suborned or perverted by money, patriotism or blackmail:*
*http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220*

And how does you maintaining your infrastructure on-premises, but having to rely on 3rd party telecommunications mitigate the above risk in *any* way?

*ASB*
*http://XeeMe.com/AndrewBaker*
*Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…*

On Sun, Dec 22, 2013 at 9:44 PM, Kurt Buff <[email protected]> wrote:

> On Sun, Dec 22, 2013 at 11:33 AM, Andrew S. Baker <[email protected]> wrote:
> > Kurt, half of your points also apply to 3rd party infrastructure hosting (co-location, etc),
> > and unless you're providing your own telecom services, or encrypting the data end-to-end,
> > there is always a huge reliance upon 3rd parties.
>
> Yes, my objections do apply to 3rd party infrastructure hosting. Our
> business doesn't colo, and we have IPSec tunnels between our offices -
> I'm also pushing for a second ISP. We have an internal PBX. Yes,
> everyone relies on 3rd parties to some degree. It's the nature of the
> world - after all, I can't manufacture the computers on which the
> business runs.
>
> OTOH, if we did use colo - and I'm pushing it for backups/DR/BC -
> it'll be on machines that have encrypted file systems, using encrypted
> links, and it'll be monitored at least as well as the internal
> infrastructure.
>
> > >>One can argue that public cloud providers are better at IT operational security than most internal IT staff.
> >
> > There's no argument: Most internal IT teams lack knowledge and/or resources for adequate security when
> > compared with cloud providers. Perform enough security assessments of different types of organizations
> > and the patterns will become very, very clear.
>
> Except when suborned or perverted by money, patriotism or blackmail:
>
> http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
>
> > If your argument is that internal is always safer than cloud, then you have to remember that many cloud
> > systems *are* in fact internal to someone. Just remember: Amazon's cloud infrastructure is internal to Amazon.
>
> Amazon's cloud is external to its customers - Amazon's staff,
> procedures and infrastructure are a risk to its customers. I don't
> argue that internal is always safer - but it's incontrovertible that
> 3rd parties add risk, because the more complexity you add to any
> situation, the more risk there is - if for no other reason than that
> there's more chance for things to go wrong. Whether the 1st party is
> competent is a different matter, and one that's more tractable a
> problem than 3rd party risk, IMHO.
>
> Kurt

