"Security researchers agree" is a very broad statement. I don't believe there is a consensus at all.
Fragmentation creates different problems than centralization, but it isn't a magical bullet either. Depending on your resources, you are far, far better off trusting even Microsoft than trying to come up with your own security implementation.
I like how you open with "you are correct" then go on to completely ignore the GPs comments.
I've been doing this stuff for longer than a lot of people on here have been alive and the biggest risk is always your weakest link. The weakest link in most companies isn't the cloud, it's the engineers deploying to the cloud. That weak link exists regardless of whether those engineers deploy to a centralised place or on-prem.
Is there an additional risk having something centralised? Sure. But in the vast majority of use cases, that risk is going to be marginal (and for those types of businesses where it is an unacceptable risk, they are largely not using public clouds for exactly this reason).
And we are back to my point about these conversations being nuanced. A security team, if they do their job correctly, doesn't just make blanket statements like "centralised systems are insecure" -- instead they identify the risks and develop an IT strategy based around which risks a business is willing to accept and which are not.
Well, the supposition GP made was that Security Experts AGREE ON ANYTHING. Which is a patently false supposition.
Some warn, others ignore. Is true. It's true for every industry, every walk of life, in every country, on the entire planet.
Experts, though, when have they agreed on anything, in any field?
One must ascertain for themselves which authoritative sources can be relied upon. The experts that warn of centralization are authoritative and masters in their fields.
Centralization in any other area of life tends to be bad for citizens, so I ask you this: Why would centralization lead to MORE security, or MORE benefit to the users and citizens of the world?
> Well, the supposition GP made was that Security Experts AGREE ON ANYTHING.
That’s not what they said
> Centralization in any other area of life tends to be bad for citizens, so I ask you this: Why would centralization lead to MORE security, or MORE benefit to the users and citizens of the world?
I had already addressed the point about centralisation and risk. This additional question you’re raising is, at best, a straw man argument.
If you go back and read, and I mean properly read, pause and think about the comments being made, you’d realise that we aren’t saying risk doesn’t exist. We are saying the reality of that risk depends on numerous factors specific to each business, project, and even team. Thus you cannot distil “the cloud” down to a single truism such as what you keep trying to do.
Cloud is centralizing. Centralizing, instead of distributing, is bad.
Centralization broadens and expands the attack surface and creates a honey pot for attackers.
This isn’t hyperbole nor is it alarmist. This is reality playing out before us in real time.