| This is something I've been thinking about as a user (provisioner) of cloud services like Heroku, AWS, Google, and VMs from Linode and Digital Ocean. Especially with the potential of state actors trying to cripple large businesses (I don't actually know how serious a threat this is TBH). Sure, they take security further (I hope) than I would provisioning my own hardware, but I also worry about how large a target they are and how much more complex their systems are (increasingly large attack surface). It's appealing to just let someone else handle my hosting, including security, but I also wonder if I'd be better off running colocated metal. I mean I still have to worry about the host's network and physical security when colocating, but it's a much smaller attack surface, and also a far smaller target than massive hosts like AWS. I think cloud providers might need to level up their security practices, even if it incurs some friction with their customers and staff. I don't even know if it is feasible to evolve as fast as potential attackers from a cost perspective over the long term for many (or all) of them. Not to single anyone out, but take Digital Ocean as an example. They're constantly adding features to their platform. I assume this increases their attack surface? How much weight are they giving to security as they add features? I assume quite a lot, but I don't really know! Another example is AWS, who are constantly growing their features / services (to the point where it's near impossible to navigate all of their offerings!). Every cloud provider is doing the same. There's also no real accountability. If my database on Heroku (or another provider) is compromised it could have a massive impact on my business, but at most it might mean losing a customer for my hosting provider, and maybe some bad press (not really enough though IMO). So the incentives aren't perfect. |