October 29, 2024 at 7:10 pm
One of the shortest articles I have ever seen...
"Comments posted to this topic are about the item The Cloud Security Problem, which is is not currently available on the site."
October 29, 2024 at 9:22 pm
Lol, the thread is created before the editorial publishes.
October 30, 2024 at 12:00 am
Comments posted to this topic are about the item The Cloud Security Problem
October 30, 2024 at 7:32 am
AWS caught the flak for customers misconfiguring S3 buckets and misunderstanding bucket ACLs. AWS's approach was to deprecate the ACL approach in favour of a more easily understood policy-document approach and making buckets more secure by default. If you want to open up a bucket for public access then you have to grant this explicitly.
I feel that, whereas the fundamentals of security are straightforward, it is a specialist area with traps for the inexperienced. Security is an area where defenders have to win every time but attackers only need to win once. It is also a fast-moving world. Some of the standard practices and facilities of a couple of years ago have been superseded and even deprecated in some products.
A couple of years ago we had AWS credentials stored in GitHub secrets. These were available to workflows but not visible and could not be echoed out into logs. These days authentication is done using OIDC, so we don't need to store AWS credentials in the GitHub secret store.
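The two policy documents this post and the one above it rely on can both be checked offline. Below is an added example, not code from the thread or from AWS, that lints a constructed S3 bucket policy for an explicit public grant (the "you have to grant this explicitly" model) and a constructed IAM role trust policy for GitHub Actions OIDC, flagging a `sub` condition broad enough for any repository to assume the role. The account id, bucket, role and repository names are placeholders; the condition keys `token.actions.githubusercontent.com:aud` / `:sub` and the audience `sts.amazonaws.com` are the real ones GitHub's provider uses.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"

# Constructed sample: explicit, deliberate anonymous read on one bucket.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: same bucket, readable only by one named role.
PRIVATE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: OIDC trust policy pinned to one repo's main branch.
SCOPED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
            f"{GITHUB_OIDC}:sub": "repo:example-org/example-repo:ref:refs/heads/main",
        }},
    }],
})

# Constructed sample: the same trust policy, but any GitHub repo matches.
OPEN_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{GITHUB_OIDC}:sub": "repo:*"},
        },
    }],
})


def _as_list(value):
    """IAM allows scalars where lists are expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy_json):
    return _as_list(json.loads(policy_json).get("Statement"))


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone at all."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_grants(policy_json):
    """Sids of Allow statements that grant access to everyone."""
    return [s.get("Sid", "<no Sid>") for s in _statements(policy_json)
            if s.get("Effect") == "Allow" and _is_public_principal(s.get("Principal"))]


def _sub_is_scoped(sub):
    """A scoped sub names one owner/repo with no wildcard in that part."""
    parts = sub.split(":")
    return len(parts) >= 2 and parts[0] == "repo" \
        and "/" in parts[1] and "*" not in parts[1]


def oidc_trust_findings(policy_json):
    """Problems with a GitHub OIDC trust policy; empty list means scoped."""
    findings = []
    for s in _statements(policy_json):
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(s.get("Action")):
            continue
        cond = s.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{GITHUB_OIDC}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = []
        for op in ("StringEquals", "StringLike"):
            subs.extend(_as_list(cond.get(op, {}).get(f"{GITHUB_OIDC}:sub")))
        if not subs:
            findings.append("no sub condition: any GitHub workflow could assume the role")
        findings.extend(f"sub condition too broad: {sub}" for sub in subs
                        if not _sub_is_scoped(sub))
    return findings


if __name__ == "__main__":
    print(public_grants(PUBLIC_BUCKET_POLICY), public_grants(PRIVATE_BUCKET_POLICY))
    print(oidc_trust_findings(SCOPED_TRUST_POLICY), oidc_trust_findings(OPEN_TRUST_POLICY))
```

The point of the second check is the one the post makes implicitly: moving from stored keys to OIDC only removes the long-lived secret if the trust policy is narrow, since the `sub` claim is the only thing tying the federated identity to your repository.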
October 30, 2024 at 3:15 pm
Secure by default makes more sense. I do think Snowflake could do a better job of being secure by default, though I also think some of these customers have to share some blame as well. It's the 2020s; we should be thinking secure by default when we set something up.
October 31, 2024 at 5:11 pm
The fun thing with cloud data is that if you don't get it locked down before allowing users in, they get mad when you stop letting them log in from their home computer or their phone or any other insecure method and complain to their management. Fortunately, in my world at least, the management understands the risks of openly accessible data, especially when it's proprietary. Users don't think anyone will ever figure out the 6-character password they use.
I try to push use of Active Directory, or Entra or whatever, wherever possible, as that's far harder to break.
October 31, 2024 at 5:30 pm
It's good if you have SSO and can set access.
Internally, even if we use SharePoint or OneDrive, it defaults to access for just me (or folder permissions). I have to manually set it to "everyone in Redgate" or specific people. Feels annoying, but if I created something with sensitive data, I wouldn't want the everyone default.