> As to your second point, security through obscurity is generally believed to not be worthwhile.
Security only through obscurity - sure.
But obscurity as an additional layer, as part of a defence in depth strategy, still has some value.
It’s rare for any large org to publicly discuss any details of its security design, let alone a bank. Monzo must be supremely confident in their system to go public with this information, or judge that the marketing/recruitment benefit outweighs any potential risk.
What about you are now exposing yourself to additional risks from e.g. a malicious employee at the cloud provider, or jurisdictional risk from FISA requests to the CP?
Because now you have risk from malicious employees at two organisations, your own AND the cloud provider, instead of just one. Furthermore, you have very little visibility into the cloud provider's security practices. And for anyone saying that cloud providers are inevitably more secure than your own organisation, have a look at the Azurescape vulnerability.
You can, and indeed must, mitigate risks from employees. These are part of regulations around financial services, which starts with PCI-DSS for payments and becomes more encompassing as you move up the service ladder. The types of cloud providers who can tick those regulatory boxes for you naturally wants to pass those costs to someone.
* For individual banks and their customers, is it more likely that an AWS-wide exploit will compromise an AWS-hosted bank, or is it more likely that a self-hosting-specific exploit will compromise a self-hosted bank?
* For society, is it better that security efforts are concentrated in on centralised providers like AWS, or is it better that security efforts are distributed, on individual hosting entities?
>That's more or less the same question as "what if the data center/servers operated by the bank gets compromised".
The difference is that cloud relies on public services, which once compromised (e.g. via social engineering), allow for lateral attacks resulting in much bigger impact (e.g. Lapsus$) across the complete customer base. This makes social engineering much more attractive in cost vs impact. The resulting monoculture in not only the software, but the infrastructure and configuation also increase the impact on technical attacks on specific exploits.
Security only through obscurity - sure.
But obscurity as an additional layer, as part of a defence in depth strategy, still has some value.
It’s rare for any large org to publicly discuss any details of its security design, let alone a bank. Monzo must be supremely confident in their system to go public with this information, or judge that the marketing/recruitment benefit outweighs any potential risk.