by idrios 712 days ago
I think the word "easily" is carrying a lot of weight here -- for a company the size of Disney, keeping all internal communication records in secure offline storage sounds pretty hard from both a technical and operational standpoint. Certainly doable, but I doubt it'd ever happen unless it were required by law.

There are various levels of offline. For example, you can have an S3 bucket with write-only access. No, it's not perfectly offline. But it's isolated from both vulnerabilities and from hacked employees, which covers most common types of breaches. You can solve 99% of the offline storage features without having an actual physical location with tapes.
What about hacked employees' AWS accounts?
Employees shouldn't have default access to those credentials. This applies to audit/backup/account management/billing privileges. You can have very dedicated roles with lots of restrictions for those specific things.
Unless they're highly privileged enough to turn on read access to the bucket, you're fine. Thus, you can contain most breaches of credentials.
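The write-only bucket with one dedicated reader role that these comments describe, as an added example (not from the thread): a bucket policy that lets the application role append objects, lets only an audit role read, and denies deletion to everyone, plus a simplified policy evaluator to check who can do what. The account ID, bucket name and role names are constructed placeholders.

```python
import fnmatch
import json

ACCOUNT = "123456789012"                       # constructed placeholder account
BUCKET_ARN = "arn:aws:s3:::corp-comm-archive"  # constructed placeholder bucket
WRITER = f"arn:aws:iam::{ACCOUNT}:role/ArchiveWriter"   # hypothetical role
AUDITOR = f"arn:aws:iam::{ACCOUNT}:role/ArchiveAuditor"  # hypothetical role

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Ordinary systems may only add objects. Pair this with bucket
        # versioning / Object Lock so a PutObject cannot silently overwrite.
        {"Sid": "AppendOnly", "Effect": "Allow", "Principal": {"AWS": WRITER},
         "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*"},
        # Only the dedicated, rarely-used audit role may read the archive.
        {"Sid": "AuditRead", "Effect": "Allow", "Principal": {"AWS": AUDITOR},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
        # Nobody, not even the auditor, may delete; a stolen credential
        # therefore cannot be used to destroy the record.
        {"Sid": "NoDelete", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": f"{BUCKET_ARN}/*"},
    ],
}


def _matches(pattern, value):
    """Policy fields may be a string or a list; '*' wildcards are honoured."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(principal, action, resource, policy=BUCKET_POLICY):
    """Simplified IAM logic: an explicit Deny wins, else any Allow, else deny."""
    decision = False
    for stmt in policy["Statement"]:
        who = stmt["Principal"]
        who = who.get("AWS", []) if isinstance(who, dict) else who
        if not _matches(who, principal) or not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
```

The evaluator ignores IAM identity policies, SCPs and conditions, so it only shows the bucket-policy half of the picture; the real decision is made by AWS.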
If the organisation doesn't use SSO coupled with MFA and the enforcement of the principle of least privilege on a cloud platform, then they have no right to complain about security breaches.
I guarantee you that large-cap, highly scrutinized public companies comply with much harder regulations and internal controls than this.