[dijit]

I am the first person to agree with you, without hesitation.

But it’s worth looking at exactly what it means to attempt isolation of programs on shared hardware. SEV is an interesting way of working on it.

It seems pretty clear that your data could never be modified or read, but there’s nothing preventing starvation of resources or side-channel attacks to leak encrypted values.

Of course I also always argue against using the cloud for anything sensitive as “the cloud is really, just someone else’s computers”. Albeit with a fancy provisioning api and some proprietary services adjoining it.

[caymanjim]

I question the limits of security in cloud services, but there's more to it than the technical aspects. There's a component of CYA for regulatory compliance. If you're a financial or medical company, you've got to demonstrate a good-faith effort to implement various thresholds of security to pass e.g. SOC audits, and this helps. Nothing is 100% secure. This is a component of an overall security plan. I don't want to overstate the benefit, but it's more than just PR.

[acdha]

> Of course I also always argue against using the cloud for anything sensitive as “the cloud is really, just someone else’s computers”.

This is too simplistic: employing that argument obligates you to show how you’re mitigating the same threats on your own, especially with regards to ops and security staffing. I have considerably more confidence in any major cloud provider having robust internal monitoring than the typical corporate VMware deployment, and that even extends to bare metal unless you can air-gap it — if you get a bare metal server from AWS, Azure, Google, etc. they’ve still put more work into the firmware, management interfaces, etc. than most IT groups do and those are very juicy attack surfaces.

[dijit]

This conversation will become quickly fruitless because everyone is different levels of risk averse.

For me, I can say plainly: "this piece of equipment has these access controls, both physical and virtual and we have various radio frequency dampening systems" etc;

For you, you can think about outsourcing that responsibility.

There's no "right" answer, some cloud providers may indeed have much stricter access controls than I could ever have (for instance, budgets may require my servers to exist in a physically shared space, albeit in my own racks; those racks being porous to allow airflow). But ultimately you will never have more control than if you have complete ownership and audit capability of all systems.

I'm sure many people have lived in the same regulatory hell that I have; and I wouldn't argue that the regulatory hell is easier in the cloud or otherwise; I would instead argue that if I was the CIO; I would sleep better knowing I had done my job and not attempted to outsource the responsibility and wash my hands of it, which is what you're effectively doing, even if you trust the cloud provider, even if they've shown good faith- it's no longer your eminent domain to oversee.

[acdha]

Right: my point is simply that you have to start with a threat model and make reasoned decisions based on that and your budget. “always argue” is the same as “wrong for a significant number of people” even if it's right for your particular circumstances.

[dijit]

"Always argue against" does not equal "never give in".

But I can see how you read it that way.

I would definitely challenge you on 'wrong for a significant number of people' because if you're focusing on security then it's likely a core principle; and therefore you need to understand and be able to effectively argue your case.

And that doesn't matter if you agree with my position or not for that last point to be true.