6 years ago
Except they get audited by 3rd parties on statements like that, and have controls tested. It's not like they're just ... digital ocean or somebody.
Do you have evidence of this claim re DO?
I worked with DO on a technical issue, and they were steadfastly against me granting them temporary access to our servers even though it would have made the issue easier to diagnose. Cloud providers that verifiably get caught doing this will quickly lose the trust of all their large customers.
DO doesn't have a great track record for customer trust. I run personal workloads there but couldn't recommend it over AWS to a larger company.
Sales != Engineering (in regards to the first one), AWS have had similar issues. The second one wasn't good.
https://www.zdnet.com/article/aws-error-exposed-godaddy-serv...
Reading through that second one, while the inciting incident was certainly pretty bad, their eventual response was, to my mind, all that could be hoped from a company in this day and age:
https://www.digitalocean.com/blog/an-update-on-last-weeks-cu...?
They recognized that their processes were too mechanistic and inhuman, and introduced a lot more compassion and open communication into them—and even chose to spend more money on hiring people to reduce ticket queue wait times.
I'd say that speaks volumes in DigitalOcean's favour.
The audits check that controls are in place, not that the controls are technically bulletproof or people-proof.
Source: Worked at AWS for several years including working on systems that had audit requirements for [secret project where I could not know the name of the customer because I don't have TOP SECRET security clearance].
Nobody said things were perfect or bulletproof. But that they are there, and it's not just 'trust us'. And it's not just single technical controls: the control regimes include mitigations against technical failure and requirements for ways to catch collusion and actions taken outside of authority.
And there are lots of things that many folks at the big cloud providers don't know about their internal threat management and monitoring. Source: Audited most of them for that customer you weren't allowed to know the name of. :)