I can't even
-
-
Every single response was unprofessional and filled with intentional FUD to try to make their own insecure, hubris-filled decisions seem justified.
Not one used logic or gave reasons. Just BS misdirection and refusal to think and do their jobs.
-
I'm grabbing my responses before they get nuked. I stand by every one of them.
Sean Wolsey wrote: I refuse to use cloud storage for anything I wouldn't be comfortable posting on Facebook. As an IT contractor, I've seen too many cases of people's "secure" accounts getting hacked and data stolen.
This is a dangerous, emotional response. The exact kind of thing that IT professionals are supposed to be fixing from our users. This is what I expect from the owner who doesn't understand technology. IT should be calmly explaining that this isn't how things work and emotional responses have no place when discussing security. Rational, logical thinking and stats always win here.
Anecdotal "evidence" is meaningless. We know that local data is hacked and stolen all the time. The "secure" accounts are just as risky when they are local, too. Cloud is a safer model than local. Thinking local is safe because we control it is the "illusion of control" emotional mistake that, again, IT should be the ones to protect against. Hubris is the enemy of security.
Sean Wolsey wrote: I've also seen cloud service users go completely down just because their Internet connection went down. At least the LAN is still up and you can use your local resources if you host stuff in-house.
I see SMBs go down, completely, all the time. Why react to one's failings but ignore the others? Which goes down more often, the SMB's $300 NAS device, or S3's WAN connection?
I feel like media hype is being used to drive decisions here rather than normal decision making. Obviously S3 is safer than anything you can build in house. But if S3 has so much as a blip, it makes the news. So people react emotionally and panic. But IT is supposed to be the bastion against this.
michaelmac wrote: I agree with Sean. Everything at one place like that makes it vulnerable to DDOS attacks...
Is this a REAL concern? And everyone is NOT at one place. That's not how the cloud works. How often has this happened? It's actually dramatically harder to DDoS a cloud storage provider than it is to DDoS an SMB.
Have you quantified this cherry picked fear? I know SMBs that have been taken down with DDoS, do you know any cloud providers taken down by DDoS for their storage systems?
This is a case of "mentioning a panic point" and ignoring the overall risk. Obviously cloud storage is safer here. We are just doing a "what if" to make it sound vulnerable.
michaelmac wrote: These huge repositories of data are prime targets for hacking (big payoff for penetration), and have multiple entry points (people people people ...subject to social engineering and phishing).
Actually, they are not. The huge mix of unidentifiable data is actually a massive deterrent to this. You've mentioned the reason, but gotten the logic backwards, as to why attacks there don't make sense.
michaelmac wrote: No hacker is interested in going after a SMB's database...they want Target or whoever...the big boys.
This is mostly true. But SMBs thinking that they need no security and simply following the uneducated masses in a hysteria of "the cloud is risky" with no technical understanding is also what makes hackers know that nearly any SMB is easy pickings and while the payoff might not be as big, they know that the payoff is essentially guaranteed.
Going after Target, or an SMB, is not done by attacking a cloud storage provider. This is simply not the attack vector. So this sounds like it makes sense, because Target is a bigger fish than an SMB, but SMBs can be a route to Target or whomever, and not being on the cloud is what makes you a prime target.
scottbrindley wrote: You have to really dig down into the T&Cs to have a read, plus these are liable to change if the company goes bust or gets taken over. Plus there is the headache of where in the world your information is permitted. There is lots of due diligence to be done here.
That's needed anyway. But that's why all major cloud storage providers have you specify where your data goes as part of the process. This is "no brainer" stuff that is all handled for you. Easy peasy. Yeah, you can't just choose to put it in China if you aren't allowed to. But you are stating this as if it is a real world risk, which obviously it is not. So this is meant to invoke a panic response to make a point. But if we pay attention, the point is only that it is clear you've never used enterprise cloud storage because this isn't a real world concern and not how things work. So you are trying to make your position seem rational by mentioning something that isn't a problem.
Well sure you can get a rental car, but it might have a bomb in it, there is no guarantee that it doesn't, so you'd better drive your own car. Insane? Yup.
scottbrindley wrote: I get the benefits of the cloud when it comes to data, but your exploitable data should remain within the confines of your organisation especially if that information is what makes your organisation unique.
This is exactly wrong. Why would you be careless and insecure with your important data? Even the CIA uses cloud to increase security, because they know (and have said) that no organization can match the security of the enterprise cloud players. They are the best, period.
Keeping stuff inside your confines like this stems from hubris and a lack of rational thinking. And those are exactly the points where insecurity starts. The more critical the data, the better we should secure it. The more we should apply logic. The more we should lean towards enterprise cloud storage with better security than we could ever do.
SMB = insecure. If you think that you personally are so amazing and that your company is so unique that it can outperform governments, investment banks, security firms, etc. guess what, you are statistically likely to be the absolutely least secure shop out there. SMBs can't even begin to provide security like clouds. Fortune 100s can barely come close. We need to stop using emotional panic responses about losing our jobs or not being seen as experts as rationale for putting our businesses at risk. We are paid as the IT advisors to think rationally and know these things and to fix these kinds of responses from the non-technical people who don't know better. We do know better, we really have no excuse.
zachkoppolin wrote: Your data is not at risk in the cloud if you don't use the cloud in the first place.
That's like saying your house can't be BROKEN into if you never lock the doors. Just leave the doors open, then it's only entering, not breaking and entering. See how that solves the problem?
Anytime we look at "cloud security" instead of "how to secure the company" we are doing so to trigger emotions. Our goal is to protect the business in the best way. So we have to consider the options and as cloud clearly demolishes SMB local storage in security, we should look in that direction for our security needs.
Your data is not at risk from SMB mistakes if SMB people aren't storing it on premises. <-- see how that works?
zachkoppolin wrote: My opinion of the cloud is this, "Do I trust "Bob" at x cloud company to handle my data with the same care that I would?" the answer is no because Bob has ZERO vested interest in my data.... To Bob data is data, does not matter whos data it is, it's just data. Besides my personal hangups about the cloud, I still see monthly articles about cloud providers being breached. So that tells me that security is not top of mind with providers. My data stays local, thank you very much.
This is beyond wrong. Bob has WAY more reason to care, because he's paid way more than you to care more (you are an employee somewhere just like him), he's a security expert, and he is watched over and audited way more than you. He has way more on the table and way more to lose than you do.
Bob also has nothing to gain, YOU however, do. You know what the data contains and how to exploit it. The biggest point of risk is you. If your CEO was asked, you and Bob are identical - you both are paid to care (but Bob is paid more) but Bob is audited and overseen and vetted by the FBI and you are not. Bob is paid and tested to be rational and understand this, you are not. Bob has no value to stealing anonymous data, you are a massive risk as you know exactly what data to get and how to sell it and who would want it.
Also, you've admitted that you are making an irrational personal decision not based on security. You know that you are a bad actor putting the company at risk. Now that you know it, now that you've written down that it is you, not Bob, that is not caring about the security of the data, you know that you must recuse yourself from this decision process as you know you are not thinking in a secure manner.
Monthly articles, as we know, mean nothing. Media hysteria. They mean nothing, you can't work in IT and think that that is a basis for decision making. Utter garbage, this isn't how security decisions are made.
johnwilson19 wrote: The cloud is just someone else's computers, storage, infrastructure sitting somewhere else. Cloud is just the new buzzword for the Internet.
Cloud, yes. Cloud computing and cloud storage, no. Real things, not "the Internet." We aren't talking about the "Internet" here. The cloud is not just someone else's computers in the context of this discussion.
Maybe this thinking is why no one seems to even understand how cloud works and why it is more secure? Everyone thinks that this is consumers talking buzz words and not IT people talking about tech?
Every post here shows exactly why the cloud is important... because SMBs have untrained, emotional, dangerous people who will throw their companies under the bus if it suits their purposes. Whether that is keeping data handy to steal it, protecting their jobs from perceived outsourcing risks, or just disregarding the needs of the business to satisfy personal biases. SMBs are dangerous places that tend to contain incredible amounts of hubris combined with the fewest technical resources and the least training. SMBs rarely encourage or enforce careful, rational thinking and often give way to panic, hysteria and emotions over logic and reason.
This thread, the responses here, the things that people have stated and admitted demonstrate exactly why SMBs need to go to the cloud. If your owners, CEOs or managers read what you wrote here - how you refused to follow industry best practices, refused to use logic and rely on emotions alone, lack basic understandings of news reports and statistics, totally disregard real security for personal reasons, prioritize personal benefit over the needs of the business, and try to cover up your own dangerous motivations by attempting to deflect that onto less risky third parties I'd be shocked, hurt and feel betrayed. The IT people that I presume are to be trusted to protect their business, to understand these things, to think rationally about them, to keep businesses from getting caught up in uneducated emotional responses are the very people taking advantage of their trust for personal reasons - abusing the faith put in them because what is best for the business goes against their personal benefits.
I can't believe that not a single, rational, meaningful response to a well thought out article like this was given. I'm ashamed for our industry. This hurts me that everyone who cared to respond here lashed out at something they either didn't understand or fear because it doesn't promote their personal goals. Is this really how bad IT has gotten? The lack of professionalism in SMB IT is exactly why SMB owners should be moving to the cloud, because they need to work with people that they can trust. The risk to the company, is you.
If you feel I've been harsh, in any way whatsoever, I challenge everyone that has posted on this thread... print it out. Call me a jerk. Say that I don't know security. But print this thread out, on paper, ask for a quick fifteen minute security review with your CEO and CFO, or owner. Ask them to read the whole thread. Ask them if you might be acting emotionally, ask them if they aren't concerned with the rationale behind your decision making.
Are there reasons to not go to cloud with storage? Of course. Is security one of them? Obviously not, and IT has known this for a long time. Is security the biggest deal in SMB IT? Not at all. Which is why lots of reasons exist to not go to cloud. But this is a discussion on security, and the reasons given here for avoiding best security practice is all that security is being intentionally refused.
I truly challenge every one of you, show what you wrote to your business. Do you feel confident enough in what you wrote to do so? I do. I already showed them what I wrote here, and what you wrote. Do you feel proud in your reaction to a rational, well written article? If not, do you feel maybe you should reconsider how you approach decision making that might not be entirely self serving when it is in the best interests of the company?
I also encourage you to read this article about why you are no different to the business than Bob the cloud guy, you are "the cloud" to the CEO.
https://www.smbitjournal.com/2017/03/all-it-is-external/
So all of that panic about the cloud and trusting other people, that's the panic the CEO already feels about you.
If any of you do this, and your CEO/CFO/owner wants a quick talk with me, I'm offering that now. I'll get on a call to do it. If you are local, I'll stop by. I stand by what I wrote and I will happily explain it to decision makers. I feel confident in my assessments to offer your CEO to read what I wrote, right now. I hope you can all say the same.
I made this video a week or two ago, so none of this was about this thread. But all of it applies. When I write my responses here, I'm not just writing for you to read them, I'm writing for anonymous people to read them, for my boss to read them, for a future interviewer to read them, for your boss to read them. I assume that I will get reviewed, and questioned as to why I hold this position. I intend to be able to defend both my technical stance, and the ethics behind it, to anyone from my administration today, to yours, to one in the future.
If you were writing the same response, other than the obvious casual nature of a public posting amongst peers, to your CEO or owner, would you be comfortable using the same intentional emotional triggers, false stats, open admissions of satisfying personal needs, total misunderstanding of the situation, hubris, disregard for the needs of the business, open ignorance of industry knowledge, attempt to claim that IT staff can't be trusted - to the very person you are putting at risk and represent a risk yourself? If you can't, why would you say it to the public?
-
@scottalanmiller can you give me the TL:DR version?
-
@dustinb3403 said in I can't even:
@scottalanmiller can you give me the TL:DR version?
Is that not the longest post you've ever seen by @scottalanmiller? I blame it on him actually copy/pasting it all.
-
Can I ask some people to jump onto that thread, too? There are complaints that since I pointed out the lack of ethics in the decision making processes of the initial posts that the conversation has died. Basically, I feel this is because the article was good and the only reason to post on it was to try to justify decision making that had not taken it into account. Some more posts to get it going again and not make it a thread of just me pointing out that the initial posts were bad, would be great. Even if they are just "good article, thanks for sharing" kinds of things.
-
@scottalanmiller said in I can't even:
Can I ask some people to jump onto that thread, too? There are complaints that since I pointed out the lack of ethics in the decision making processes of the initial posts that the conversation has died. Basically, I feel this is because the article was good and the only reason to post on it was to try to justify decision making that had not taken it into account. Some more posts to get it going again and not make it a thread of just me pointing out that the initial posts were bad, would be great. Even if they are just "good article, thanks for sharing" kinds of things.
I would if I could log in. I use my LinkedIn account for SW, and it's not transitioning for some reason.
-
@tim_g said in I can't even:
@scottalanmiller said in I can't even:
Can I ask some people to jump onto that thread, too? There are complaints that since I pointed out the lack of ethics in the decision making processes of the initial posts that the conversation has died. Basically, I feel this is because the article was good and the only reason to post on it was to try to justify decision making that had not taken it into account. Some more posts to get it going again and not make it a thread of just me pointing out that the initial posts were bad, would be great. Even if they are just "good article, thanks for sharing" kinds of things.
I would if I could log in. I use my LinkedIn account for SW, and it's not transitioning for some reason.
Fail
-
Should I turn off my servers before Hurricane Irma arrives, expecting 4-5 days without power!
Um.. yeah no keep em plugged in and chugging along.. . .
-
@dustinb3403 said in I can't even:
Should I turn off my servers before Hurricane Irma arrives, expecting 4-5 days without power!
Um.. yeah no keep em plugged in and chugging along.. . .
Yeah a planned power-down is always better than a sudden power outage. If you have a web presence, well migrate that to the cloud quick. If you're small enough to run your company on 3 servers, you should already be using the cloud. That way, while your physical building is being destroyed, the employees who've evacuated can still get work done via their laptop and internet connection.
-
I love the replies that are like "No.... test your UPS's and see if they work as expected"
Jack asses, at least my response the sarcasm is palpable!
-
@dustinb3403 said in I can't even:
Should I turn off my servers before Hurricane Irma arrives, expecting 4-5 days without power!
Um.. yeah no keep em plugged in and chugging along.. . .
I liked the one response of one dude takes the server and goes X direction and the other dude takes the NAS and goes Y direction. Wouldn't be a terrible thing to do assuming moving it is feasible, and the way it's being transported won't destroy the equipment. I wonder if they'd take their network equipment as well.
-
@eddiejennings said in I can't even:
@dustinb3403 said in I can't even:
Should I turn off my servers before Hurricane Irma arrives, expecting 4-5 days without power!
Um.. yeah no keep em plugged in and chugging along.. . .
I liked the one response of one dude takes the server and goes X direction and the other dude takes the NAS and goes Y direction. Wouldn't be a terrible thing to do assuming moving it is feasible, and the way it's being transported won't destroy the equipment. I wonder if they'd take their network equipment as well.
That doesn't make sense, because then if something does happen that poor employee is f***ed by management for "not protecting the equipment" rather than saving his/his family's lives.
Have proper offsite backups and f*** the hardware. That is what insurance plans are for.
-
@dustinb3403 said in I can't even:
@eddiejennings said in I can't even:
@dustinb3403 said in I can't even:
Should I turn off my servers before Hurricane Irma arrives, expecting 4-5 days without power!
Um.. yeah no keep em plugged in and chugging along.. . .
I liked the one response of one dude takes the server and goes X direction and the other dude takes the NAS and goes Y direction. Wouldn't be a terrible thing to do assuming moving it is feasible, and the way it's being transported won't destroy the equipment. I wonder if they'd take their network equipment as well.
That doesn't make sense, because then if something does happen that poor employee is f***ed by management for "not protecting the equipment" rather than saving his/his family's lives.
Have proper offsite backups and f*** the hardware. That is what insurance plans are for.
You're operating on the following assumptions.
- You assume there are proper offsite backups.
- You assume there is insurance.
-
@eddiejennings said in I can't even:
@dustinb3403 said in I can't even:
@eddiejennings said in I can't even:
@dustinb3403 said in I can't even:
Should I turn off my servers before Hurricane Irma arrives, expecting 4-5 days without power!
Um.. yeah no keep em plugged in and chugging along.. . .
I liked the one response of one dude takes the server and goes X direction and the other dude takes the NAS and goes Y direction. Wouldn't be a terrible thing to do assuming moving it is feasible, and the way it's being transported won't destroy the equipment. I wonder if they'd take their network equipment as well.
That doesn't make sense, because then if something does happen that poor employee is fucked by management for "not protecting the equipment" rather than saving his/his family's lives.
Have proper offsite backups and f*** the hardware. That is what insurance plans are for.
You're operating on the following assumptions.
- You assume there are proper offsite backups.
- You assume there is insurance.
No I only assume that people do the correct thing and not give a f*** about physical hardware. Planning for disasters such as this is the IT and businesses responsibility when they live/work in these areas.
-
@dustinb3403 said in I can't even:
@eddiejennings said in I can't even:
@dustinb3403 said in I can't even:
@eddiejennings said in I can't even:
@dustinb3403 said in I can't even:
Should I turn off my servers before Hurricane Irma arrives, expecting 4-5 days without power!
Um.. yeah no keep em plugged in and chugging along.. . .
I liked the one response of one dude takes the server and goes X direction and the other dude takes the NAS and goes Y direction. Wouldn't be a terrible thing to do assuming moving it is feasible, and the way it's being transported won't destroy the equipment. I wonder if they'd take their network equipment as well.
That doesn't make sense, because then if something does happen that poor employee is f***ed by management for "not protecting the equipment" rather than saving his/his family's lives.
Have proper offsite backups and fuck the hardware. That is what insurance plans are for.
You're operating on the following assumptions.
- You assume there are proper offsite backups.
- You assume there is insurance.
No I only assume that people do the correct thing and not give a f*** about physical hardware. Planning for disasters such as this is the IT and businesses responsibility when they live/work in these areas.
Yeah I wouldn't want to be responsible for computers and data during a disaster. I would rather be focusing on keeping myself and my family alive. I'd rather be jobless than lose someone's life or be divorced.
-
What does this company do if there's a fire and they lose everything? Are they hoping the owners took the servers home with them? The whole conversation is ridiculous.
-
https://community.spiceworks.com/topic/2054582-raid-0-failure?source=superfeed
"I haz RAID 0 failure.... am I boned???"
("15 years in IT" he says....)
"...but I put the Exchange server on RAID 0 because reasons!!!"
-
@rojoloco hahah....
-
Ouch, RAID5 on production server, RAID0 on replication target, and no backups. This guy is so screwed...