by jjav 599 days ago
> The entire underlying layer of possible misconfigurations is absent in the cloud.

This is true.

Let's not forget there is a whole new, quite different, layer of potential (and easy) misconfigurations that exist only in the cloud, so it balances out.

When you can accidentally expose services with a single mouse click where it used to take someone with access to the server room going in and grabbing a cable and wiring it wrong, this category of problem is a lot more common now.


There is a middle era between a cable in a datacenter and a misclick in a cloud. Currently, on-prem is still 1 misclick away from accidental exposure (unless it's been untouched for 20+ years).

Be it with a legacy DMZ setup or a bit more segmented with an ADC/Proxy policy that is slightly too wide. You can make those exact same mistakes with a stack of PaloAlto/Cisco/F5/IIS.

Unless you're running an entire OpenStack setup with SDN layers and policies (hint: most on-prem setups don't), there is a crapton of re-use when it comes to systems, and a classic webserver that used to be just for public stuff will just as much have some private applications added 'temporarily' (read: forever) and a crappy WAF / Proxy rule that is supposed to deny public access but gets bypassed with a simple URLEncode.

Doing the lower layers requires knowledge and dedication, of which the first is getting harder to find (not easier) and the second is getting squeezed out of most processes since it isn't something that gets quantified as value.

So no, it doesn't balance out, and no, the cloud doesn't do a magical new layer of things that on-prem couldn't do, even if on-prem usually fails to deliver on an abstraction layer (while the cloud does have it). A cloud does make it much more visible, cost-wise and impact-wise, because you can't hide in a cloud. What goes into a cloud API also comes out of the cloud API, there is no network scanning and hoping you find all hosts and appliances, everything that exists can be queried, and also gets billed with plenty of detail. On-prem has none of that, and the last 30 years of inventory/asset management attempts have proven that it's still something most on-prem setups don't do at all, or do a really crappy job at.
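As an added illustration (not code from the thread) of the "deny rule bypassed with a simple URLEncode" failure mode mentioned above: a proxy-style deny rule that string-matches the raw request path, beside one that canonicalizes the path the way the backend will resolve it before matching. The prefixes and sample request paths are constructed for the example, and the lowercase step assumes a case-insensitive backend.

```python
from urllib.parse import unquote
import posixpath

# Constructed for this example: internal apps parked on a public web server,
# "protected" only by a proxy deny rule on their path prefix.
PRIVATE_PREFIXES = ("/private", "/admin")

def _matches_prefix(path: str, prefixes) -> bool:
    # Exact match or a real directory boundary, so "/privateer" is not caught.
    return any(path == p or path.startswith(p + "/") for p in prefixes)

def naive_is_denied(path: str) -> bool:
    """The weak rule: literal string match on the raw request path."""
    return _matches_prefix(path, PRIVATE_PREFIXES)

def canonicalize(path: str, max_rounds: int = 3) -> str:
    """Reduce the path to the form the backend will resolve:
    percent-decode until stable (bounded), collapse '.' and '..' segments,
    drop duplicate slashes, and lowercase (assumes a case-insensitive backend)."""
    decoded = path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Strip leading slashes first so "//private" is not kept as a POSIX double slash.
    return posixpath.normpath("/" + decoded.lstrip("/")).lower()

def hardened_is_denied(path: str) -> bool:
    """Apply the same rule, but to the canonical path."""
    return _matches_prefix(canonicalize(path), PRIVATE_PREFIXES)

def bypasses_of_naive_rule(paths):
    """Paths the naive rule lets through that the hardened rule still denies;
    useful to run over a sample of access-log paths when auditing such a rule."""
    return [p for p in paths if not naive_is_denied(p) and hardened_is_denied(p)]

# Constructed sample request paths, as they might appear in an access log.
SAMPLE_PATHS = [
    "/public/index.html",
    "/private/app",
    "/%70rivate/app",          # single percent-encoding of "p"
    "/%2570rivate/app",        # double-encoded; a decoder in front of the app decodes twice
    "/public/../private/app",  # dot-segment traversal
    "/PRIVATE/app",            # case variant
    "/privateer/index",        # must not be a false positive
]
```

Running `bypasses_of_naive_rule(SAMPLE_PATHS)` lists the four constructed paths that slip past the raw-string rule but not the canonicalizing one.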