SMB resources on the move
-
@stacksofplates said in SMB resources on the move:
So now, the only way for someone to get my info is to physically come in my house and take it (which is a different discussion).
There is always another means of compromise, just thinking that there isn't itself is a security risk. One that I guarantee AWS' security team (ranked the best in the world) doesn't make. They also have monitoring and people there 24x7 always watching everything with the best AI and the best human I that there is. Nothing you do gives you the tools that they have, nothing.
But beyond that, the fact that someone could grab your stuff physically alone is enough to end the discussion. Amazon effectively removes that risk. You can't physically target data at Amazon. You can't target it via software tools, you can't target it with guys and a trunk and guns. You have to attack through different vectors.
-
Another massively overlooked factor is that a breach of Amazon would also mean anyone doing so would look like a kid holding a bucket in front of the ocean. Sure he can steal all of the water that he wants, but data is going in faster than he could take it out. Assuming that there was a breach, and that it was not found FOR YEARS you'd still have essentially zero chance that YOUR data would be some of the data downloaded. There is so much data to get, all unidentified, that mostly they'd be getting OS files, cat pictures and such, not valuable data. Some, yes. But whose? And would it be up to date and useful to the attacker? Not likely. Amazon is an essentially useless target.
But we are assuming that someone would breach Amazon (hard) and then continue the breach year after year as they attempt to download all of that data (very, very hard.) No one anywhere has the bandwidth to suck down what Amazon has. So anyone would, at best, be trickling out data.
So for all intents and purpose, there is no universal breach of AWS even possible. Sure, aliens might come down with planetary scale transporters and pull the entire datacenters up somewhere. But no human IT system today could effectively breach Amazon simply because of the scale. It would always be a partial breach, and a very small one at that.
-
The idea that cloud providers provide a high profile, high profit, high risk target comes from an emotional response to the idea that "all the eggs are in one basket." But they are not, not really. And the basket is huge, and the eggs are invisible and the basket is in Ft Knox. And then are a hundred baskets.
It feels really risky. But it really is not. Of course, we need to still apply all of the regular security that we normally would on top of Amazon's security. That goes without saying. Amazon just layers more and more security on top of that.
And remember, if you are encrypting your data, then breaching Amazon doesn't breach you anyway. You still have to be breached additionally. So in most high security cases, even the fear of the low risk of Amazon being breached is effectively unfounded. Even Amazon won't necessary have access to your data.
-
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
So now, the only way for someone to get my info is to physically come in my house and take it (which is a different discussion).
There is always another means of compromise, just thinking that there isn't itself is a security risk. One that I guarantee AWS' security team (ranked the best in the world) doesn't make. They also have monitoring and people there 24x7 always watching everything with the best AI and the best human I that there is. Nothing you do gives you the tools that they have, nothing.
But beyond that, the fact that someone could grab your stuff physically alone is enough to end the discussion. Amazon effectively removes that risk. You can't physically target data at Amazon. You can't target it via software tools, you can't target it with guys and a trunk and guns. You have to attack through different vectors.
No we are talking about this
The belief that a larger company makes them a larger target, well sure that's true, but just being a little fish doesn't protect them - the tools of hackers are mostly automated today. They don't care if they are stealing $1 or millions, 1 health record or 100 thousand.
Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking. This isn't a physical security discussion. That does come into play, but we are approaching from a purely technical side.
-
@scottalanmiller said in SMB resources on the move:
And remember, if you are encrypting your data, then breaching Amazon doesn't breach you anyway. You still have to be breached additionally.
And that's the same with on premise data.
-
@stacksofplates said in SMB resources on the move:
Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking.
Hacking as a term for stealing data works in both cases. It's all the same thing, protecting against theft. Whether social engineering (the biggest risk to SMB), physical breach (second biggest threat to SMB) or technical means (third biggest risk) doesn't matter, we need to secure against it and look at the risk as a whole to determine our risk profile.
-
@stacksofplates said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
And remember, if you are encrypting your data, then breaching Amazon doesn't breach you anyway. You still have to be breached additionally. So in most high security cases, even the fear of the low risk of Amazon being breached is effectively unfounded. Even Amazon won't necessary have access to your data.
And that's the same with on premise data.
Not totally, with on premises they also know whose data they have BEFORE the decrypt it. On AWS, they do not. So not the same. Not totally different, but not totally the same.
-
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking.
Hacking as a term for stealing data works in both cases. It's all the same thing, protecting against theft. Whether social engineering (the biggest risk to SMB), physical breach (second biggest threat to SMB) or technical means (third biggest risk) doesn't matter, we need to secure against it and look at the risk as a whole to determine our risk profile.
No one is disagreeing with that. But the whole discussion previous to this was completely about technical, not physical.
-
@stacksofplates said in SMB resources on the move:
That does come into play, but we are approaching from a purely technical side.
Should not, that will potentially lead to spurious security data.
-
@stacksofplates said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking.
Hacking as a term for stealing data works in both cases. It's all the same thing, protecting against theft. Whether social engineering (the biggest risk to SMB), physical breach (second biggest threat to SMB) or technical means (third biggest risk) doesn't matter, we need to secure against it and look at the risk as a whole to determine our risk profile.
No one is disagreeing with that. But the whole discussion previous to this was completely about technical, not physical. I
Even technical, Amazon wins. But when you have security as the discussion, rather than just one in the weeds component of security, then the physical security overrides the others as it has so much primacy. Amazon's physical security alone causes it to be the security winner, hands down. Everything else is just icing. They already win the cake.
-
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking.
Hacking as a term for stealing data works in both cases. It's all the same thing, protecting against theft. Whether social engineering (the biggest risk to SMB), physical breach (second biggest threat to SMB) or technical means (third biggest risk) doesn't matter, we need to secure against it and look at the risk as a whole to determine our risk profile.
No one is disagreeing with that. But the whole discussion previous to this was completely about technical, not physical. I
Even technical, Amazon wins. But when you have security as the discussion, rather than just one in the weeds component of security, then the physical security overrides the others as it has so much primacy. Amazon's physical security alone causes it to be the security winner, hands down. Everything else is just icing. They already win the cake.
But now you're changing what we were talking about. Physical was never mentioned, and it was you that mentioned people using automated scripts for hacking. That's what we are talking about. Physical would not allow people to use their computers outside of the office because of the risk of cached credentials.
-
You're also not taking into account the fact that other people actually control the data. I recently lost my phone that had my 2FA for my Vultr account. I needed 3 pieces of information that gave me complete access to my system again. The keys to your kingdom are either a password, or the help desk guy on the other end.
-
-
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
So now, the only way for someone to get my info is to physically come in my house and take it (which is a different discussion).
There is always another means of compromise, just thinking that there isn't itself is a security risk. One that I guarantee AWS' security team (ranked the best in the world) doesn't make. They also have monitoring and people there 24x7 always watching everything with the best AI and the best human I that there is. Nothing you do gives you the tools that they have, nothing.
But beyond that, the fact that someone could grab your stuff physically alone is enough to end the discussion. Amazon effectively removes that risk. You can't physically target data at Amazon. You can't target it via software tools, you can't target it with guys and a trunk and guns. You have to attack through different vectors.
This.
I keep getting shot down for so many services we could have hosted because our Sprint contracts say we can't use a hosting provider because the cloud is insecure. Same goes for anything HIPPA. But cloud security and monitoring is far superior to anything I could offer on a budget. If I had a ton of time... Maybe. But I don't, and that would cost the client a ton more even if I did. -
Don't get me wrong. I agree that most places should switch to cloud. I'm not arguing that at all. But there are legitimate reasons to not, and that has been said, I just wanted to reiterate.
Plus I like playing devil's advocate.
-
@scottalanmiller said in SMB resources on the move:
like the CIA
Do you really think they have the same caliber talent as Amazon?
-
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
the chances of their data being found and utilized and identified remains close to zero
How is that logical? The hacker isn't going to comb through everything manually. They'll grab everything they can.
Sure, but grabbing gobs and gobs of unidentified data that isn't targeted means that combing through it is very, very hard. Just because they have it doesn't mean that they can identify it, will ever get to it or will attempt to exploit it. Might they? Sure. Has there been a breach? Yes. Is it meaningful? Possibly not.
If you had all of the data from Amazon's AWS.... 99.999999% of it would be useless to you.
Right but the issue with this is, you have no idea that they got it. If you get notifications for access to your system, you know someone got in. If they break into your office, house, whatever and physically steal it you know someone got your stuff. You can start acting on it immediately. If someone has your data and they don't even know they have it, but sell 500 TB to someone and they find it. It might be years before you find out. Sure CC numbers prob won't matter, but IP and confidential info will be a problem.
-
That's why you would treat a breach of Amazon as a loss of control of your data and put the mitigations in place, even if you don't need them, better safe than sorry.
-
@stacksofplates said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking.
Hacking as a term for stealing data works in both cases. It's all the same thing, protecting against theft. Whether social engineering (the biggest risk to SMB), physical breach (second biggest threat to SMB) or technical means (third biggest risk) doesn't matter, we need to secure against it and look at the risk as a whole to determine our risk profile.
No one is disagreeing with that. But the whole discussion previous to this was completely about technical, not physical. I
Even technical, Amazon wins. But when you have security as the discussion, rather than just one in the weeds component of security, then the physical security overrides the others as it has so much primacy. Amazon's physical security alone causes it to be the security winner, hands down. Everything else is just icing. They already win the cake.
But now you're changing what we were talking about. Physical was never mentioned, and it was you that mentioned people using automated scripts for hacking. That's what we are talking about. Physical would not allow people to use their computers outside of the office because of the risk of cached credentials.
What do you mean? We were talking about security, right? Physical is the most important part of security. It was never left out and if we are talking about why one over the other around security, it is always a component. You can't separate it out and look at the picture without it, it becomes misleading.
-
@BBigford said in SMB resources on the move:
@scottalanmiller said in SMB resources on the move:
@stacksofplates said in SMB resources on the move:
So now, the only way for someone to get my info is to physically come in my house and take it (which is a different discussion).
There is always another means of compromise, just thinking that there isn't itself is a security risk. One that I guarantee AWS' security team (ranked the best in the world) doesn't make. They also have monitoring and people there 24x7 always watching everything with the best AI and the best human I that there is. Nothing you do gives you the tools that they have, nothing.
But beyond that, the fact that someone could grab your stuff physically alone is enough to end the discussion. Amazon effectively removes that risk. You can't physically target data at Amazon. You can't target it via software tools, you can't target it with guys and a trunk and guns. You have to attack through different vectors.
This.
I keep getting shot down for so many services we could have hosted because our Sprint contracts say we can't use a hosting provider because the cloud is insecure. Same goes for anything HIPPA. But cloud security and monitoring is far superior to anything I could offer on a budget. If I had a ton of time... Maybe. But I don't, and that would cost the client a ton more even if I did.No, nothing is HIPAA restricted like that. That is a myth. HIPAA does NOT undermine security. That's someone who is just lying to you.