SMB resources on the move
-
@scottalanmiller said in SMB resources on the move:
And remember, if you are encrypting your data, then breaching Amazon doesn't breach you anyway. You still have to be breached additionally.
And that's the same with on premise data.
-
@stacksofplates said in SMB resources on the move:
Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking.
Hacking as a term for stealing data works in both cases. It's all the same thing, protecting against theft. Whether social engineering (the biggest risk to SMB), physical breach (second biggest threat to SMB) or technical means (third biggest risk) doesn't matter, we need to secure against it and look at the risk as a whole to determine our risk profile.
-
@stacksofplates said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
And remember, if you are encrypting your data, then breaching Amazon doesn't breach you anyway. You still have to be breached additionally. So in most high security cases, even the fear of the low risk of Amazon being breached is effectively unfounded. Even Amazon won't necessary have access to your data.
And that's the same with on premise data.
Not totally, with on premises they also know whose data they have BEFORE the decrypt it. On AWS, they do not. So not the same. Not totally different, but not totally the same.
-
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking.
Hacking as a term for stealing data works in both cases. It's all the same thing, protecting against theft. Whether social engineering (the biggest risk to SMB), physical breach (second biggest threat to SMB) or technical means (third biggest risk) doesn't matter, we need to secure against it and look at the risk as a whole to determine our risk profile.
No one is disagreeing with that. But the whole discussion previous to this was completely about technical, not physical.
-
@stacksofplates said in SMB resources on the move:
That does come into play, but we are approaching from a purely technical side.
Should not, that will potentially lead to spurious security data.
-
@stacksofplates said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking.
Hacking as a term for stealing data works in both cases. It's all the same thing, protecting against theft. Whether social engineering (the biggest risk to SMB), physical breach (second biggest threat to SMB) or technical means (third biggest risk) doesn't matter, we need to secure against it and look at the risk as a whole to determine our risk profile.
No one is disagreeing with that. But the whole discussion previous to this was completely about technical, not physical. I
Even technical, Amazon wins. But when you have security as the discussion, rather than just one in the weeds component of security, then the physical security overrides the others as it has so much primacy. Amazon's physical security alone causes it to be the security winner, hands down. Everything else is just icing. They already win the cake.
-
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking.
Hacking as a term for stealing data works in both cases. It's all the same thing, protecting against theft. Whether social engineering (the biggest risk to SMB), physical breach (second biggest threat to SMB) or technical means (third biggest risk) doesn't matter, we need to secure against it and look at the risk as a whole to determine our risk profile.
No one is disagreeing with that. But the whole discussion previous to this was completely about technical, not physical. I
Even technical, Amazon wins. But when you have security as the discussion, rather than just one in the weeds component of security, then the physical security overrides the others as it has so much primacy. Amazon's physical security alone causes it to be the security winner, hands down. Everything else is just icing. They already win the cake.
But now you're changing what we were talking about. Physical was never mentioned, and it was you that mentioned people using automated scripts for hacking. That's what we are talking about. Physical would not allow people to use their computers outside of the office because of the risk of cached credentials.
-
You're also not taking into account the fact that other people actually control the data. I recently lost my phone that had my 2FA for my Vultr account. I needed 3 pieces of information that gave me complete access to my system again. The keys to your kingdom are either a password, or the help desk guy on the other end.
-
-
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
So now, the only way for someone to get my info is to physically come in my house and take it (which is a different discussion).
There is always another means of compromise, just thinking that there isn't itself is a security risk. One that I guarantee AWS' security team (ranked the best in the world) doesn't make. They also have monitoring and people there 24x7 always watching everything with the best AI and the best human I that there is. Nothing you do gives you the tools that they have, nothing.
But beyond that, the fact that someone could grab your stuff physically alone is enough to end the discussion. Amazon effectively removes that risk. You can't physically target data at Amazon. You can't target it via software tools, you can't target it with guys and a trunk and guns. You have to attack through different vectors.
This.
I keep getting shot down for so many services we could have hosted because our Sprint contracts say we can't use a hosting provider because the cloud is insecure. Same goes for anything HIPPA. But cloud security and monitoring is far superior to anything I could offer on a budget. If I had a ton of time... Maybe. But I don't, and that would cost the client a ton more even if I did. -
Don't get me wrong. I agree that most places should switch to cloud. I'm not arguing that at all. But there are legitimate reasons to not, and that has been said, I just wanted to reiterate.
Plus I like playing devil's advocate.
-
@scottalanmiller said in SMB resources on the move:
like the CIA
Do you really think they have the same caliber talent as Amazon?
-
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
the chances of their data being found and utilized and identified remains close to zero
How is that logical? The hacker isn't going to comb through everything manually. They'll grab everything they can.
Sure, but grabbing gobs and gobs of unidentified data that isn't targeted means that combing through it is very, very hard. Just because they have it doesn't mean that they can identify it, will ever get to it or will attempt to exploit it. Might they? Sure. Has there been a breach? Yes. Is it meaningful? Possibly not.
If you had all of the data from Amazon's AWS.... 99.999999% of it would be useless to you.
Right but the issue with this is, you have no idea that they got it. If you get notifications for access to your system, you know someone got in. If they break into your office, house, whatever and physically steal it you know someone got your stuff. You can start acting on it immediately. If someone has your data and they don't even know they have it, but sell 500 TB to someone and they find it. It might be years before you find out. Sure CC numbers prob won't matter, but IP and confidential info will be a problem.
-
That's why you would treat a breach of Amazon as a loss of control of your data and put the mitigations in place, even if you don't need them, better safe than sorry.
-
@stacksofplates said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking.
Hacking as a term for stealing data works in both cases. It's all the same thing, protecting against theft. Whether social engineering (the biggest risk to SMB), physical breach (second biggest threat to SMB) or technical means (third biggest risk) doesn't matter, we need to secure against it and look at the risk as a whole to determine our risk profile.
No one is disagreeing with that. But the whole discussion previous to this was completely about technical, not physical. I
Even technical, Amazon wins. But when you have security as the discussion, rather than just one in the weeds component of security, then the physical security overrides the others as it has so much primacy. Amazon's physical security alone causes it to be the security winner, hands down. Everything else is just icing. They already win the cake.
But now you're changing what we were talking about. Physical was never mentioned, and it was you that mentioned people using automated scripts for hacking. That's what we are talking about. Physical would not allow people to use their computers outside of the office because of the risk of cached credentials.
What do you mean? We were talking about security, right? Physical is the most important part of security. It was never left out and if we are talking about why one over the other around security, it is always a component. You can't separate it out and look at the picture without it, it becomes misleading.
-
@BBigford said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
So now, the only way for someone to get my info is to physically come in my house and take it (which is a different discussion).
There is always another means of compromise, just thinking that there isn't itself is a security risk. One that I guarantee AWS' security team (ranked the best in the world) doesn't make. They also have monitoring and people there 24x7 always watching everything with the best AI and the best human I that there is. Nothing you do gives you the tools that they have, nothing.
But beyond that, the fact that someone could grab your stuff physically alone is enough to end the discussion. Amazon effectively removes that risk. You can't physically target data at Amazon. You can't target it via software tools, you can't target it with guys and a trunk and guns. You have to attack through different vectors.
This.
I keep getting shot down for so many services we could have hosted because our Sprint contracts say we can't use a hosting provider because the cloud is insecure. Same goes for anything HIPPA. But cloud security and monitoring is far superior to anything I could offer on a budget. If I had a ton of time... Maybe. But I don't, and that would cost the client a ton more even if I did.No, nothing is HIPAA restricted like that. That is a myth. HIPAA does NOT undermine security. That's someone who is just lying to you.
-
@stacksofplates said in SMB resources on the move:
Don't get me wrong. I agree that most places should switch to cloud. I'm not arguing that at all. But there are legitimate reasons to not, and that has been said, I just wanted to reiterate.
Plus I like playing devil's advocate.
And what I'm saying is that outside of politics and people with an agenda that directly undermines security - that all of those reasons themselves are security risks. They are hubris and a misunderstanding of security. There are plenty of reasons not to go to cloud, security isn't one of them. Only things that override security are.
-
@stacksofplates said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
like the CIA
Do you really think they have the same caliber talent as Amazon?
Nope, that's why they choose AWS. The CIA Director said it himself, that they can't secure to the level that Amazon does.
-
@stacksofplates said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
the chances of their data being found and utilized and identified remains close to zero
How is that logical? The hacker isn't going to comb through everything manually. They'll grab everything they can.
Sure, but grabbing gobs and gobs of unidentified data that isn't targeted means that combing through it is very, very hard. Just because they have it doesn't mean that they can identify it, will ever get to it or will attempt to exploit it. Might they? Sure. Has there been a breach? Yes. Is it meaningful? Possibly not.
If you had all of the data from Amazon's AWS.... 99.999999% of it would be useless to you.
Right but the issue with this is, you have no idea that they got it. If you get notifications for access to your system, you know someone got in. If they break into your office, house, whatever and physically steal it you know someone got your stuff. You can start acting on it immediately. If someone has your data and they don't even know they have it, but sell 500 TB to someone and they find it. It might be years before you find out. Sure CC numbers prob won't matter, but IP and confidential info will be a problem.
Right. And if someone breaches Amazon, you are more likely to have them get caught, more likely to get notified quickly and far, far, far more likely to be able to start mitigating risks days, months, years, maybe decades before the people who might have gotten your stuff even know that they got your stuff.
Again, all security aspects like this favour Amazon, rather than point against it. Amazon has better monitoring, better ability to know what has been breached. No monitoring is perfect, but Amazon's is considered the best ever made. Like I keep saying, feeling any SMB could even approach Amazon's level of security is hubris and is itself an example of a security risk.
It's a simple conundrum - any SMB that thinks it can compete with Amazon in security demonstrates that it cannot by thinking that it can.
-
@scottalanmiller said in SMB resources on the move:
@BBigford said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
So now, the only way for someone to get my info is to physically come in my house and take it (which is a different discussion).
There is always another means of compromise, just thinking that there isn't itself is a security risk. One that I guarantee AWS' security team (ranked the best in the world) doesn't make. They also have monitoring and people there 24x7 always watching everything with the best AI and the best human I that there is. Nothing you do gives you the tools that they have, nothing.
But beyond that, the fact that someone could grab your stuff physically alone is enough to end the discussion. Amazon effectively removes that risk. You can't physically target data at Amazon. You can't target it via software tools, you can't target it with guys and a trunk and guns. You have to attack through different vectors.
This.
I keep getting shot down for so many services we could have hosted because our Sprint contracts say we can't use a hosting provider because the cloud is insecure. Same goes for anything HIPPA. But cloud security and monitoring is far superior to anything I could offer on a budget. If I had a ton of time... Maybe. But I don't, and that would cost the client a ton more even if I did.No, nothing is HIPAA restricted like that. That is a myth. HIPAA does NOT undermine security. That's someone who is just lying to you.
perhaps not lieing, but instead put their own opinions into what they believe they are reading, and then put in rules for things they deal with and blame it on HIPAA.
