Yes, the shared responsibility model long predates the cloud, but the cloud era is proving that true sharing of responsibility is more complicated than it seems, leaving enterprises less secure as a result.
Too many people don’t release that ‘cloud’ just means ‘someone else’s computer’
As someone who’s worked in this environment, the providers are screwed either way.
If you do nothing, then a customer is mad that you were not secure enough and they got hacked.
If you do something, then a customer is mad that you’ve made security changes that break their shit.
At the end of the day, the devops people using this stuff don’t understand security, and don’t want to understand it. But no matter what the provider does, it’s wrong for some segment of their users, so like, it’s not that they won’t secure it, it’s that the feedback is negative as all hell when they do.
So much of my job in security was getting people to sign off on risks they would not patch.
Yeah we did security notices based on customers doing stupid shit, and got yelled at for “annoying” them with an email every week or two, depending on when the reports we ingested were turned into notifications.
So many people screeching about spamming them, and harassing them, and how this was bullshit and they never had this problem with other PaaS platforms.
…until, of course, oopsie their shit was hacked, and NOW it’s my fault we didn’t warn them enough.
I am never working for THE CLOUD ever again, lol.
