Well, here was the rub back then and still is today. You as the customer have little to no control over the infrastructure of the cloud provider you are using. As we have seen with the Microsoft MSA signing key fiasco, and a few others, there is some serious technical and security debt in way too many cloud providers. This technical and security debt means that a Threat Thespian group (let’s make that label a thing instead of threat actor), can break into the back end and have an impact on your tenant. In many cases they can impact it regardless of other tools or internal settings you might have.
To give the dead horse one final kick here, this means that if your cloud service provider has any vulnerabilities: software, process, configuration, etc. which a Thespian can exploit, that can, and often does trickle down to you. Even a small organization which might not be on the menu, could potentially move up in the food chain because of the potential access.
So, why does this happen? Short answer: business needs and revenue goals often limit or reduce internal processes, controls, and infrastructure changes need to properly scale security with the current target environment the CSP is in. Yup, that is the short answer.
The longer answer is that as a business moves from the “we want to provide you with the best thing ever” to the business of being in business, they often focus on features and marketing the product in order to keep the lights on and meeting new revenue goals. You end up with a Frankenstein like environment with items bolted on, old environments are connected to with speed and release dates in mind instead of let’s make sure it’s secure. I have seen this in more than one organization. Where the desire to sell to the next client means performance, stability and security updates become secondary. Moving like this and at the speed of business means bad scaling and the cloud environment becomes a ticking time bomb.
Normally, a large company can weather breaches without losing too much in terms of reputation. However, when it is more than one provider across multiple verticals and the combined impacts are significant… well people start to notice. Many begin to feel like their investments in cloud infrastructure or controls are just not worth it. After all some of those services are expensive, in their own right, on top of all of the other items needed for a cybersecurity program in a modern threat environment.
Now let’s add something even more fun for the publicly traded companies. A breach with material impacts which ends up being from a third-party cloud provider is going to hurt, because you still must file it and now everyone knows you were owned because a vendor or partner got owned. The risk calculation spreadsheets begin to look rather complex. For those organizations which are running a hybrid environment, they are already looking at ways to bring things back in-house. For those who are pure cloud they are looking at space, hardware, licensing, and even staff costs vs the higher risk from a single cloud provider incident.
There are already conversations floating around about “how do I bring my systems back on-prem” floating around and I have had conversations around how to efficiently do this with a few. Of course, the fly in the ointment at the moment is Broadcom desperately trying to run VMWare into the ground. This means that many small and medium sized businesses are not going to have the funds to make this move right now. The licensing costs are just too high. Still, they are going to be thinking about it and planning for the move.
In the path of any object thrown into the sky there is an apex, the pull of gravity has overcome the upward momentum, and the object returns back to earth. Given the technical and security debt that exists in many cloud providers today, we may have hit that apex and will see those systems and services return to earth in the next 10-18 months.
Oh… and remember how I talk about using security to drive revenue all the time? This is a place where the right company with the right cybersecurity program and the willingness to show their customers that they care about their tenant and environment security, that they are willing to do what others have stopped doing. Businesses have forgotten their responsibility to take care of their customers and the pushback is only going to grow unless things change and quickly.
Ok. Soapbox put away,… for now.