by shearnie 3593 days ago
We've managed to get confidential data stored in Azure for a large financial organisation, all compliances they required passed.

A server is a server right?

Problem could be cultural and generational. Some old school types like the idea of a server without redundancies and fire prevention and fault tolerance and high security clearance in a data center. They want it to be blinking lights at them in a cupboard on premises. They feel it is safe due to physical proximity, even though their firewalls are like cottage cheese.

We're noticing that issue with health data for medical practices. Older people are suspicious of cloud. The younger generation are more savvy.

3 comments

The younger generation are more gullible, lacking awareness of data security, oblivious to data sovereignty, and easily distracted by squirrels.

An Australian census is never going to take place in hardware controlled by a foreign national on foreign soil, especially not in a country where cloud servers have been seized in the past for simply having the possibility of containing data associated with a person associated with a crime.

One thing you will learn as you gain real world experience is that there is no such thing as "too paranoid" when it comes to IT projects handling sensitive data.

I know this is a popular way to look at things around here, but no. It's not about cloud / no cloud. People with sensitive data welcome VMs and cloud deployment - as long as the cloud is in a very separate datacentre with only local people handling it.

Look at the actual rules and what risks they want to protect from: http://www.abs.gov.au/websitedbs/D3310114.nsf/4a256353001af3...

Here are some of them:

    2. an audited linking environment, involving staff activity being logged, monitored and, if
    inappropriate activity is found, investigated. Any misuse would result in immediate
    termination of access for the staff member, with further sanctions imposed if necessary;
    3. ABS staff and in-posted officers sign legally binding Undertakings of Fidelity and Secrecy to
    ensure they are aware of their obligation to protect confidential information, and the
    consequences of disclosure (which include criminal penalties);
    4. enforcement of the clear desks and clear screen policy;
    5. access on a ‘need to know’ basis;

How do you enforce those rules on AWS / Azure / whatever provider's staff? How do you make sure only people with appropriate clearance access the servers?

    7. Vulnerability Assessments are carried out on all new IT Systems by specialised staff in IT
    Security trained in the field of Ethical Hacking;

How do you get those providers to agree to internal pentest exercises?

At that point, it's just easier to stuff some more servers in the government datacentre - completely isolated from other projects. And whether it's cloud or not is a completely separate thing - it may as well be on OpenStack.

> Older people are suspicious of cloud. The younger generation are more savvy.

So no, this is complete bullshit. (and so is putting this as us-vs-them - I'm part of a fairly young generation in the CS, working on cloud infrastructure, and I still would not want to see census data processed anywhere outside of "no phones in the building" government environment)

That's great, but you are trusting AWS. If someone has access to the server hardware they can completely own you and all your TLS data. End to end encryption is one way, but my understanding is that achieving this in browser with JavaScript isn't a good idea.