Hacker News

Give it a few years and then on-prem hardware and simple server hosting will become fashionable again.



It's quite ironic that the recent centralization and cloudarisation of the Internet (& electronic devices).

When everything was local and private, the attacker could only access a specific device or network, even if the security was often very weak. Now a single attack on a centralized entity has such a big payoff that it makes it viable for attackers to allocate much bigger resources.


But the cloud is much safer. It's not like someone is going to hack the whole Microsoft cloud. Oh, hang on ...


Funny, as this was one of the winning arguments when we went to the cloud; couldn’t possibly be safer to host your own, right? RiGhT?


I feel like once Google had enough of a stranglehold on email for Gmail to start blocking independent email servers (for valid security purposes, probably) it was basically game over. It became incredibly difficult for an individual to run their own communications platform, even when following best practices. Luckily there are solid paid services, but as you point out, those are still "the cloud."


In theory, the castle walls should protect everyone equally, but it assumes the king will invest in operations and maintenance, perpetually.

What we see, instead, is what happens to poorly democratized and incentivized systems.


This has largely held true for AWS and I think it's still a meaningful argument in a broader discussion when determining how you want to build your company infrastructure.


I do too, but we are talking about a major vendor here.


Key part is simple. For some apps I wondered why I had them in the "cloud" in the first place. And then I had to do something every month or two because I had to migrate to some stupid new version of an environment, do some DNS entries because the apps couldn't send mails anymore, configure the shitty IAM of the cloud provider I didn't need. Register my apps for some stupid database access.

Now I have apps where I need 15 minutes of maintenance a year, install and configuration takes 5 minutes.

Some cloud providers have amazing stuff, but I feel they all start to bloat and I don't have use cases that need whole clusters.


It's already started. I design systems in a European country and there are already municipal and state agencies requesting us to make more on-prem stuff. I also heard of various projects to create more European cloud services.


On-prem hardware may become fashionable, but simple server hosting most likely not. If it ever becomes fashionable then most likely it will be some form of container (or Kata Container) orchestrator on top of on-premise hardware.

Also, even for software deployed on on-prem hardware, big orgs will still need single sign-on, which will still be open to these kinds of attacks.


I half hope so. For the larger companies who can afford and will maintain their infrastructure security I absolutely agree. At the same time I do see the benefits of a managed system for the smaller, not so rich companies or businesses!

There is a best of both worlds in there and I think we've gotten where we are now because of cloud providers marketing themselves suitable for everyone.


These problems are specific to Microsoft though; outside of service outages and customer misconfiguration, AWS and GCP don't have a history of such incidents.


Was the Capital One breach not a result of gross internal malpractice on the part of Amazon? That allowed an Amazon employee to gain privileged access to CC data in Capital One's environment.


> https://dl.acm.org/doi/10.1145/3546068

There are multiple analyses of that breach available. Pick one.

Here’s a starter.


No, it wasn't.


How much safer is that though? If someone steals Hetzner's credentials that control access to IPMI, how safe are we?


Doubt it. Data governance and access control is just getting to be a bigger deal with each passing year, and nobody wants to (pay enough to) self-manage that. Or to take personal responsibility for it.

Maybe “on prem” but largely managed by someone else, which is already a thing.


It's ironic that data governance and access control are getting to be a bigger deal every year exactly because everyone migrated off premises to the cloud. People lost control over their data when they migrated it to the cloud and now they try to take control back by imposing more and more policies.


Kinda, but a lot of it’s managing and auditing internal and external access, and maintaining data and source catalogs and crap like that, down to granular levels and across multiple levels of data-cleanup/polish/transformation and reporting. The machine learning/LLM push (biiiiig hype in companies) is making that even messier. The solutions that don’t involve a horrifying amount of DIY are heavily cloud-oriented.

[edit] to editorialize, I also think ~everyone is going to get this very wrong. I think doing this stuff such that you don’t grind productivity to a halt but also don’t have mile-wide vulnerabilities is goddamn near an Apollo Program level of difficult, and basically nobody is treating it that way (and a lot of them would probably sooner abandon their grand mass-data-total-control plans if they had to treat it that way—which is exactly what I think most of them should do, but execs just love the idea of perfect legibility of data and processes end to end on their phone or whatever, even if it’s in-fact just a money-wasting and risk-generating fantasy for most companies)


That's part of it, the other parts are the rise of ransomware (enabled by cryptocurrency?), geopolitical drama with Russia/China, and large commercial ML models appetite for data. I would say cloud is 3rd or 4th down the list.


because apparently we just like going in circles


Microsoft has fucked up forever, look at their share price…I hope you’re right but I doubt it.


Microsoft obviously cares about its stock but it also relies on long term contracts with large enterprise and government - those aren't rolling overnight, maybe not at all, but there will be immense pressure from these massive organizations to fix things.


What I think is one of the most likely futures: low-code or no-code will be the last resort for hosting stuff somewhere affordably, given how WordPress introduced a 1-century subscription. With the complexity of systems there is no such thing as simple server hosting.


On-prem is very expensive compared to cloud.


It's actually often cheaper[1], assuming you need a relatively fixed amount of compute and have the capital for upfront costs. Cloud gives you a lot of flexibility, but at a premium, and trades CAPEX for OPEX which is very appealing if you're a startup and don't know if you'll be around in a year.

[1] https://www.researchgate.net/figure/Yearly-cost-difference-o...


Careful with blanket statements like these. Run a system with high sustained compute and data egress; even when accounting for engineer time (and people often neglect to account for time spent administering cloud infra), the cloud markup is huge. While it works for some companies, cloud is not universally cheaper.


This is the sentiment I share, which I think makes it important to hammer down the point that it's the fault of the cloud providers marketing themselves to be suitable for everyone. Because if they don't get as much money as possible then they don't see a purpose.


For on-prem or cloud, you need some engineers (either SRE or SysEng) to handle your hosting infrastructure. So, not much difference in cost there. Then, there is all of that compute. Currently, an AMD EPYC 7551 system can be put together for about $2.2K USD. That’s 64 threads, 256GB of RAM, redundant 2TB NVMe in RAID1, plus chassis, power and such. The equivalent amount of compute being available 24/7 is going to be extremely pricey over time.

My current employer handles things where internal service at the org are on-prem while customer facing services are cloud. Even the cloud stuff backs up to an on-prem storage system (though it also gets backed up to an off-site S3 provider).


I also held this view for a long time but what you are talking about is basically Amazon EC2. There are, what, 200-250 AWS services, however, and that's where things begin to become more interesting. Can you replace any of them with in house solutions? Certainly. But the costs of doing so might not be favorable.

You could operate an on premise bakery but most companies just order donuts.


At a decent sized shop, having a couple of people making fresh-baked breads, croissants etc. would be such a perk ... Order in donuts? No imagination.


On the contrary on-prem is vastly cheaper except for the smallest of loads.

https://techcrunch.com/2019/06/21/three-years-after-moving-o...


Not everyone is Dropbox. IIRC GitLab also wanted to switch but after long planning they found out it would be worse.


True, but even a single server is a lot cheaper on Linode, and cheaper still on OVH, even the best quality colo and dedicated server providers, than on any cloud. On-prem is going to be cheaper than that. And internet connectivity ... is more expensive than it was in 1990, and generally pretty much free in colo or dedi services.


For upfront costs, it can be. But when you're running, it's pretty smooth sailing.

Or is this the discussion of having a team of SysOps vs a team of Cloud Engineers?


Most software vendors switched to subscription model, so that’s not obvious anymore. Yeah and as you mention, good luck getting experts for all of your software and hardware components unless you are a big tech company.


And not guaranteed to solve problems like this. Because at the end of the day, the maintenance of a cloud infrastructure is irreducible complexity so you replace having a breach because a centralized controlling authority made a mistake with having a breach because your own hired staff made a mistake and you got infiltrated by either a lucky drive by or a persistent attacker against your organization.


It's not exactly a replacement. Your own hired staff can still mess things up in the cloud and leave a door open. The cloud doesn't magically apply all the best practices on its own. See all the people caught with open access to S3.
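The "open access to S3" misconfiguration this comment refers to is usually a bucket policy that grants to `Principal: "*"` without a restricting condition, with the account's Public Access Block settings switched off. The following is an added example, not code from the thread or from AWS: it evaluates a bucket policy document (the JSON shape S3 uses) together with the bucket's PublicAccessBlock settings entirely offline, so the weak and hardened policies, the account id and the bucket name below are constructed sample values, not real resources.

```python
"""Offline check for an S3 bucket policy that grants access to anyone.

Added example for the thread above; it does not call AWS. The policy and
PublicAccessBlock documents are constructed inline so it runs stand-alone.
"""
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """S3 policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    """'Principal': '*' and 'Principal': {'AWS': '*'} both mean any caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for key in principal for p in _as_list(principal[key]))
    return False


def public_statements(policy: Dict[str, Any]) -> List[str]:
    """Return the Sids of Allow statements open to anyone with no Condition.

    A statement with a Condition (aws:SourceVpce, aws:SourceIp, ...) narrows
    the grant, so it is left for manual review instead of being flagged here.
    """
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def bucket_is_public(policy: Dict[str, Any], public_access_block: Dict[str, bool]) -> bool:
    """True when the policy opens the bucket and PublicAccessBlock does not neutralise it.

    RestrictPublicBuckets=True makes S3 ignore public grants in an attached
    policy. BlockPublicPolicy only rejects *attaching* a new public policy, so
    it is not treated as protection for a policy that is already in place.
    """
    if public_access_block.get("RestrictPublicBuckets", False):
        return False
    return bool(public_statements(policy))


# Constructed sample inputs (hypothetical bucket and account id).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Grant to one role in the account instead of to anyone.
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        # Any-caller grant scoped by a VPC endpoint condition: narrowed, not wide open.
        {"Sid": "VpceRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}

PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        for pab_name, pab in (("PAB off", PAB_OFF), ("PAB on", PAB_ON)):
            print(f"{name:8s} {pab_name}: public={bucket_is_public(policy, pab)} "
                  f"open statements={public_statements(policy)}")
```

In a real environment the two inputs would come from `get-bucket-policy` and `get-public-access-block`; the check itself is the same, and the reason to keep the Public Access Block on at the account level is visible in the output: the weak policy is only harmless once `RestrictPublicBuckets` is set.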


It really depends and it's not that clear when a single vcpu costs $30 and then you have the hidden egress fees.



