When you’re discussing technology, it’s easy to look at its merits based on an abstracted view. What I mean is, you can look at its features, costs, and architecture in isolation from the reality of your organization. When this process involves a lot of capital investment, it often requires further analysis that can put a damper on this more idealistic way of viewing it.
The problem we often see with the cloud is that, because the barrier to entry is so low, projects are very often begun with rose-colored glasses still intact. As Keith Townsend points out in this CTO Dose video, the reason we so often see large insecurities around unencrypted S3 buckets isn’t a technical deficiency (other than that Amazon left them unencrypted by default for far too long).
Instead, the security issue comes down to process and people. Bad security culture could be excused when IT lived within an on-site data center. But when that same culture goes to the cloud, the vulnerabilities seep into consciousness. That’s because technology as a platonic ideal isn’t very useful. It will inevitably go through the company’s cultural matrix, becoming a reflection of it in the process. Technology can enable better security, but it cannot do so alone, without training to change corporate culture.
Keith Townsend comments:
Read more at: Why is public cloud security so hard?