Comment Re:Don't roll your own (Score 2) 91
> But the cloud doesn't help them, they still implement bad practices, just on cloud services.
Yes, but making sure that the web app that they're using, that has a dependency on log4j (or whatever the next thing that's got a bug in it is), is appropriately updated is no longer the customer's responsibility. So many organisations don't even get basic patching right.
> Soft on the inside is a fast path to disaster, but based on my experience with some teams dealing with cloud instances, the difference is now it's just soft everywhere.
Yep, and that's what I said earlier about whether people have the money to implement appropriate security; also there's apathy (they don't care) or ignorance (they don't know that there's an issue, that it's a possibility, or that it should be done).
I'm not saying it's right, but if you see how ransomware attacks and other things are happening and what the security is within most organisations (where they're not taking the most basic of security steps, like turning off macros and not using Acrobat / keeping it updated, or having open access to S3 buckets), then this becomes the general reality for the industry.
I also see use cases for some businesses being able to use the elastic nature of cloud to be able to scale out for a couple of months of the year when they bring in a bunch of extra staff without having to own all the infrastructure the entire time.