this post was submitted on 03 Sep 2024
19 points (95.2% liked)

Cybersecurity

5935 readers
17 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 2 years ago
MODERATORS
 

Yes, the shared responsibility model long predates the cloud, but the cloud era is proving that true sharing of responsibility is more complicated than it seems, leaving enterprises less secure as a result.

top 4 comments
[–] [email protected] 8 points 4 months ago

Too many people don't realise that 'cloud' just means 'someone else's computer'.

[–] [email protected] 6 points 4 months ago (1 children)

As someone who's worked in this environment, the providers are screwed either way.

If you do nothing, then a customer is mad that you were not secure enough and they got hacked.

If you do something, then a customer is mad that you've made security changes that break their shit.

At the end of the day, the devops people using this stuff don't understand security, and don't want to understand it. But no matter what the provider does, it's wrong for some segment of their users, so like, it's not that they won't secure it, it's that the feedback is negative as all hell when they do.

[–] stringere 2 points 4 months ago (1 children)

So much of my job in security was getting people to sign off on risks they would not patch.

[–] [email protected] 2 points 4 months ago

Yeah we did security notices based on customers doing stupid shit, and got yelled at for "annoying" them with an email every week or two, depending on when the reports we ingested were turned into notifications.

So many people screeching about spamming them, and harassing them, and how this was bullshit and they never had this problem with other PaaS platforms.

...until, of course, oopsie, their shit was hacked, and NOW it's my fault we didn't warn them enough.

I am never working for THE CLOUD ever again, lol.