
Sensitive Data of 65,000+ Entities in 111 Countries Leaked due to a Single Misconfigured Data Bucket

jagdtigger

Summary

 

Microsoft had misconfigured buckets in Azure which were picked up by the company publishing this article. These buckets stored a lot of sensitive information like internal comments for customers, various types of documents, emails, etc. Microsoft confirmed the leak in a blog post, but doesn't go into specifics about exactly what leaked.

 

Quotes

Quote

SOCRadar’s built-in Cloud Security Module monitors public buckets to detect any information exposure of customer data. Among many discovered public buckets, six large ones contained information for more than 150,000 companies in 123 different countries. The leaks are collectively dubbed BlueBleed by SOCRadar to better track the intelligence around it. While this article covers the largest one of the BlueBleed leaks (BlueBleed Part I), we will publish our analysis for other buckets owned by different organizations as we complete our investigation on them.

Read our second blog post about BlueBleed to learn more about this leak.

Quote

Kevin Beaumont, a well-known cybersecurity researcher, tweeted on October 20 that “The Microsoft bucket has been publicly indexed for months” and “it was publicly readable. It’s even in search engines.” 

My thoughts

Honestly speaking I'm very surprised this hasn't blown up yet. Pretty much a case where calling it "disaster" might be an understatement. As usual MS is handling this the worst possible way and doesn't tell any specifics, not even to affected customers opening tickets. It's pretty alarming that this was not noticed by anyone at MS for freakin months....

 

Sources

https://socradar.io/sensitive-data-of-65000-entities-in-111-countries-leaked-due-to-a-single-misconfigured-data-bucket/?utm_campaign=BlueBleed&utm_source=Labs&utm_medium=Whatisbluebleed

https://socradar.io/details-on-the-largest-b2b-leak-bluebleed/

https://msrc-blog.microsoft.com/2022/10/19/investigation-regarding-misconfigured-microsoft-storage-location-2/
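
The misconfiguration behind this story is an Azure blob container that anonymous clients could read. The script below is an added example, not part of the original post or of SOCRadar's or Microsoft's tooling: it audits the two settings that together decide whether a container is anonymously readable, using the property names Azure exposes in its ARM/CLI JSON (`allowBlobPublicAccess` at the storage-account level, `properties.publicAccess` at the container level). The account and container names and the JSON documents are constructed sample data; in practice I assume the inputs would come from `az storage account list` and `az storage container list --account-name <name>`, which emit these same fields.

```python
"""
Audit Azure storage accounts and blob containers for anonymous (public) read
access. Added example with constructed input; account and container names are
invented and the JSON mirrors the shape of Azure's ARM / `az` CLI output.
"""
import json

# Constructed sample in the shape of `az storage account list` output
# (account-level `allowBlobPublicAccess`). Names are made up.
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {"name": "examplecorpdata", "allowBlobPublicAccess": True},
    {"name": "examplecorplocked", "allowBlobPublicAccess": False},
])

# Constructed sample in the shape of `az storage container list` output,
# keyed by account name. `publicAccess` is null, "blob" or "container".
SAMPLE_CONTAINERS_JSON = json.dumps({
    "examplecorpdata": [
        {"name": "customer-docs", "properties": {"publicAccess": "container"}},
        {"name": "invoices", "properties": {"publicAccess": "blob"}},
        {"name": "internal-notes", "properties": {"publicAccess": None}},
    ],
    "examplecorplocked": [
        {"name": "backups", "properties": {"publicAccess": None}},
    ],
})


def audit_public_exposure(accounts_json, containers_json):
    """Return a list of findings; each is a dict with the account name, the
    container name (None for an account-level finding) and a reason.

    Anonymous reads succeed only if BOTH layers permit them: the account must
    allow public blob access at all, and the container must carry a public
    access level ("blob" = anonymous read of blobs by exact name,
    "container" = anonymous listing of every blob plus read). A public level
    on a container whose account blocks public access is reported separately
    as stale: it does nothing today, but becomes live the moment someone
    flips the account-level switch."""
    accounts = json.loads(accounts_json)
    containers_by_account = json.loads(containers_json)
    findings = []
    for acct in accounts:
        name = acct["name"]
        allows_public = bool(acct.get("allowBlobPublicAccess", False))
        if allows_public:
            findings.append({"account": name, "container": None,
                             "reason": "account permits public blob access"})
        for cont in containers_by_account.get(name, []):
            level = (cont.get("properties") or {}).get("publicAccess")
            if level is None:
                continue  # private container; nothing to report
            if allows_public:
                reason = f"container public access level '{level}'"
                if level == "container":
                    reason += " (anonymous listing of all blobs)"
            else:
                reason = (f"stale public level '{level}' "
                          "(blocked at account level; clear it anyway)")
            findings.append({"account": name, "container": cont["name"],
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_public_exposure(SAMPLE_ACCOUNTS_JSON, SAMPLE_CONTAINERS_JSON):
        target = f["account"] + ("/" + f["container"] if f["container"] else "")
        print(f"{target}: {f['reason']}")
```

Run against the sample it reports the account itself plus the two public containers; the private containers produce nothing. The "container" level is the one that turns a bucket into something search engines can crawl, since a single listing request returns every blob name.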


The not noticed for months part though...

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


Before the inevitable "this is why I don't use the cloud" comments start rolling in, please remember that these types of mistakes happen all the time in self-hosted content. 

 

If security professionals and Azure experts sometimes mess up when configuring these things for hundreds of customers, just imagine all the mistakes your average sysadmin makes.

It's just that you don't hear about it because "random company with 100 employees gets hacked" isn't as big of a news story as when it happens. 

 

It's like commenting on an article about a plane crash saying "this is why I always take the car". It's missing the big picture. 


16 minutes ago, LAwLz said:

It's like commenting on an article about a plane crash saying "this is why I always take the car". It's dumb and missing the big picture. 

Of course you miss the big picture from the car, you can only see it from the sky!

Laptop:


HP OMEN 15 - Intel Core i7 9750H, 16GB DDR4, 512GB NVMe SSD, Nvidia RTX 2060, 15.6" 1080p 144Hz IPS display

PC:


Vacancy - Looking for applicants, please send CV

Mac:


2009 Mac Pro 8 Core - 2 x Xeon E5520, 16GB DDR3 1333 ECC, 120GB SATA SSD, AMD Radeon 7850. Soon to be upgraded to 2 x 6 Core Xeons

Phones:


LG G6 - Platinum (The best colour of any phone, period)

LG G7 - Moroccan Blue

 


37 minutes ago, LAwLz said:

Before the inevitable "this is why I don't use the cloud" comments start rolling in, please remember that these types of mistakes happen all the time in self-hosted content. 

Mistakes do happen on local stuff as well, but adding things into the cloud adds an extra layer where something can go wrong (as now you are expecting to be able to access the resource from outside of your network).

 

Like to an extent it means doing more configurations as well, which means you are more likely to accidentally misconfigure it.

3735928559 - Beware of the dead beef


46 minutes ago, LAwLz said:

Before the inevitable "this is why I don't use the cloud" comments start rolling in, please remember that these types of mistakes happen all the time in self-hosted content. 

Yes it can happen, but unlike the cloud most of the self hosted stuff is not publicly available..... :old-eyeroll:


36 minutes ago, LAwLz said:

1: Before the inevitable "this is why I don't use the cloud" comments start rolling in, please remember that these types of mistakes happen all the time in self-hosted content. 

 

2: If security professionals and Azure experts sometimes mess up when configuring these things for hundreds of customers, just imagine all the mistakes your average sysadmin makes.

It's just that you don't hear about it because "random company with 100 employees gets hacked" isn't as big of a news story as when it happens. 

 

3: It's like commenting on an article about a plane crash saying "this is why I always take the car". It's dumb and missing the big picture. 

1: At the same time, stating the obvious about no one or nothing is perfect doesn't justify it (The "Cloud") either - It is what it is.
I do not and will not use it and that suits me and my situation - Good enough since I don't have to even justify that choice to anyone but myself.

 

2: I've seen it for myself and you can also think of it this way.... Whether it's 1-10-100 or however many, it's no longer a random company and you're no longer a random number if it happens to be you and your company that gets hacked - Kinda hits home TBH.

3: I don't really like flying because (To me) it's just a PITA hassle - I'd rather drive than deal with all that.

"If you ever need anything please don't hesitate to ask someone else first"..... Nirvana
"Whadda ya mean I ain't kind? Just not your kind"..... Megadeth
Speaking of things being "All Inclusive", Hell itself is too.

 


4 minutes ago, Beerzerker said:

3: I don't really like flying because (To me) it's just a PITA hassle - I'd rather drive than deal with all that.


Title should mention cloud...

As for car vs plane, a plane can be like 15 minutes compared to a road you will drive for hours. The routing, the speed, etc... it can be a lot less to deal with.

Maybe you own a really high end executive car but even then, it's still not the same solution. I can understand not liking to be stuck in a chamber of compressed air, the plane that is, however. If you can take the train, it's superior to both of them. You can sleep on the train, it will go fast and it won't be stopped by traffic.


29 minutes ago, Motifator said:


Title should mention cloud...

As for car vs plane, a plane can be like 15 minutes compared to a road you will drive for hours. The routing, the speed, etc... it can be a lot less to deal with.

Maybe you own a really high end executive car but even then, it's still not the same solution. I can understand not liking to be stuck in a chamber of compressed air, the plane that is, however. If you can take the train, it's superior to both of them. You can sleep on the train, it will go fast and it won't be stopped by traffic.

It's not the plane or flying itself - It's all the other BS, layovers/delays/Hey - where TF is my luggage??/"Come with me sir - You've been randomly selected"/ that bugs hell out of me and I'd just rather drive it.
I get there on my own terms without all the hassles, even if it takes more time to do so.

And that's good enough on my part - We're kinda drifting off topic here.

"If you ever need anything please don't hesitate to ask someone else first"..... Nirvana
"Whadda ya mean I ain't kind? Just not your kind"..... Megadeth
Speaking of things being "All Inclusive", Hell itself is too.

 


56 minutes ago, wanderingfool2 said:

Mistakes do happen on local stuff as well, but adding things into the cloud adds an extra layer where something can go wrong (as now you are expecting to be able to access the resource from outside of your network).

 

Like to an extent it means doing more configurations as well, which means you are more likely to accidentally misconfigure it.

53 minutes ago, jagdtigger said:

Yes it can happen, but unlike the cloud most of the self hosted stuff is not publicly available..... :old-eyeroll:

1) If you think that companies don't have a ton of resources that are intentionally exposed to the Internet then you are very mistaken.

2) You are both assuming mistakes don't happen that do expose things to the Internet by mistake.

 

 

Before we go any further with this conversation I think I should add that I work as a consultant and help a lot of customers with on-prem servers (design, implementation and upkeep), and the company I work for also provides services such as hosted object storage. I have years of professional experience with both sides of the argument.

I think it's worth mentioning both to point out that I am not some self-taught hobbyist who looks at things from some home-lab POV or has a low tier IT job, but also because it might be seen as a conflict of interest. 

 

 

 

57 minutes ago, Beerzerker said:

1: At the same time, stating the obvious about no one or nothing is perfect doesn't justify it (The "Cloud") either - It is what it is.
I do not and will not use it and that suits me and my situation - Good enough since I don't have to even justify that choice to anyone but myself.

I don't understand what you mean. My point is that the risks are probably lower when using services that are configured and managed by people who spend all their time doing it, rather than some inexperienced person who thinks they know what they are doing configuring things.

If anything, you're the one who seems to be making the "nobody is perfect so therefore it doesn't matter" argument. My argument is "just because the solution that has a 1% risk of fucking up happened to fuck up does not mean the solution that has a 10% chance of fucking up is more secure, even if the news article is about the former occurring". 

 

 

1 hour ago, Beerzerker said:

2: I've seen it for myself and you can also think of it this way.... Whether it's 1-10-100 or however many, it's no longer a random company and you're no longer a random number if it happens to be you and your company that gets hacked - Kinda hits home TBH.

Again, I don't understand what you mean. 

My point is that one big fuckup from one big company gets a lot more exposure than lots of fuckups from many small companies. As a result, we can not trust our general intuition about the risks. It's like with flying. Flying is safer than driving, yet people are more scared of flying.

If a plane crashes, we definitely hear about it. Every single crash gets a ton of coverage. There are almost 18,000 car crashes every day in the US alone, and we don't really hear about any of them. As a result, we have this strange situation where the news highlights more plane crashes than car crashes and as a result our perception is completely warped.

Same with these data breaches. These really big data breaches from cloud providers happen a couple of times a year and we hear a ton about it every time it happens. Meanwhile, there are tens of thousands of small data breaches happening on on-prem servers every day that we never hear about.

 

Being for on-prem servers because of "security" is like saying "no thanks, I don't want a 1% risk of being hacked. I'd rather do it myself and have a 5% risk of being hacked".

For some reason humans seem to tend to be more okay with bad things if they are caused by our own decisions, to the point where we are willing to take larger risks just to keep control over our own destiny. It's an incredibly stupid attitude to have yet I feel like everyone is guilty of it to a certain degree.

 

 

 

1 hour ago, Beerzerker said:

3: I don't really like flying because (To me) it's just a PITA hassle - I'd rather drive than deal with all that.

Do you understand what an analogy is?


17 minutes ago, LAwLz said:

If you think that companies don't have a ton of resources that are intentionally exposed to the Internet then you are very mistaken.

We were speaking about silly mistakes not straight up stupidity, exposing any resource like this leak is straight up stupidity..... This is exactly the kind of thing that should remain on-prem and locked down so outsiders cannot access it.


5 hours ago, jagdtigger said:

 

Honestly speaking I'm very surprised this hasn't blown up yet. Pretty much a case where calling it "disaster" might be an understatement. As usual MS is handling this the worst possible way and doesn't tell any specifics, not even to affected customers opening tickets. It's pretty alarming that this was not noticed by anyone at MS for freakin months....

 

It's more likely they knew about it and did nothing. "above my paygrade" type of management nonsense.

 

I encounter that in every place I've ever worked. Union, non-union, contract, subcontracted, freelance, etc.

 

You will eventually hit a wall where people want things to "just work" and that's how we get into "oh just run it in admin", thus defeating the point of the security existing at all. The last client I did work for, billions of dollars projects, all in cloud stuff.

 

Like no, please big corps, stop putting things in the cloud that are your core businesses. If you're not willing to operate a WAN to keep your business data within your business, with your own IT people, you will likely not be in business very long when someone screws up. 

 

This is not Microsoft's first big screw up either. Remember https://www.theverge.com/2022/3/22/22991409/lapsus-microsoft-security-windows-source-code , it wouldn't surprise me if this is how the hack was pulled off too.

 

 


1 hour ago, LAwLz said:

I don't understand what you mean. My point is that the risks are probably lower when using services that are configured and managed by people who spend all their time doing it, rather than some inexperienced person who thinks they know what they are doing configuring things.

If anything, you're the one who seems to be making the "nobody is perfect so therefore it doesn't matter" argument.

 In truth there is nothing to argue about - I decide, it's either done or not done and that's it; Regardless of all the who's, what's, how's and why's about it, that's my choice - The end. 
All I did was to say "Why" I chose not to but I guess for some, that's just not good enough.

1 hour ago, LAwLz said:

 

My argument is "just because the solution that has a 1% risk of fucking up happened to fuck up does not mean the solution that has a 10% chance of fucking up is more secure, even if the news article is about the former occurring". 

Not arguing about that or about any percentage - In fact that's not even a factor here.
Not going to use it no matter what percentages get thrown around.
 

1 hour ago, LAwLz said:

Being for on-prem servers because of "security" is like saying "no thanks, I don't want a 1% risk of being hacked. I'd rather do it myself and have a 5% risk of being hacked".

For some reason humans seem to tend to be more okay with bad things if they are caused by our own decisions, to the point where we are willing to take larger risks just to keep control over our own destiny. It's an incredibly stupid attitude to have yet I feel like everyone is guilty of it to a certain degree.

 

And trying to convince me my choice is a bad one isn't going to work because I already know if your info is never "Out There" in the first place, that's probably the most secure situation you can have.
I already know the cloud IS the internet itself.
Goes right back to something I referred to over at TPU recently about such things.
I'll post the gist of it here so maybe you can understand.

From my post over at TPU:
"All this hackery reminds me of the thing my last employer had as a "Benefit" in that they wanted us to use one of these online "Personal Info" security services like "LifeLock" as an example for our personal data.
They were insisting so much on us using it you actually had to sign a waiver for it NOT to be done every year and that's exactly what I did every year.
I would sign the waiver saying "Don't do it" and not worry about it until the next time to do it came around.

Not very long after I had left the company (Retired/Disabled), the very same service got hacked and a shitload of personal data was stolen, including from employees where I was at.....
But not mine since it was never in their database in the first place as intended by me. :D

Best protection you can have is for your info to not be "Out there" period but that's not really 100% possible anymore is it?
No.
I get that but at the same time minimizing what's out there CAN help, like it did in my case."

"If you ever need anything please don't hesitate to ask someone else first"..... Nirvana
"Whadda ya mean I ain't kind? Just not your kind"..... Megadeth
Speaking of things being "All Inclusive", Hell itself is too.

 


14 hours ago, LAwLz said:

You are both assuming mistakes don't happen that do expose things to the Internet by mistake.

Depends, these data buckets are typically a replacement for an SMB share and while it's common someone might screw up the NTFS permissions that doesn't expose it to the internet. If the data is to be internet accessible then it's either via VPN or SFTP/HTTPS etc and requires a bit more configuration to setup and would be getting tested by the receiving/requesting party and would notice rather quick it's not the data they want.

 

Publicly accessible S3 data buckets unfortunately have a slightly higher risk profile than a traditional on-prem NAS. Of course since S3 buckets themselves are very different and "modern" they tend to actually get used where they are most suitable and fit for purpose. It's not every day someone internally comes asking specifically for an S3 bucket and almost always an S3 bucket could not be utilized at all.

 

But we have local NAS and local S3 bucket capability and for bulk data we'd much prefer the S3 storage platform gets used but it's just been exceedingly hard to find suitable use cases. Next year we're looking to extend its capabilities out to SMB/NFS gateway/endpoints as it's less than half the cost of Netapp $/GB.

 

Cloud vs on-prem is a lot more complicated thing to assess; really these discussions tend to revolve around these S3 data buckets and email etc. It's not like IaaS and PaaS are publicly accessible by default because they are not, and never need to be if that is not a requirement.


12 hours ago, LAwLz said:

2) You are both assuming mistakes don't happen that do expose things to the Internet by mistake.

Way to completely take what I said and not actually comprehend it. This comment is like, let's ignore the entire first sentence where I said "Mistakes do happen on local stuff".

 

12 hours ago, LAwLz said:

Before we go any further with this conversation I think I should add that I work as a consultant and help a lot of customers with on-prem servers (design, implementation and upkeep), and the company I work for also provides services such as hosted object storage. I have years of professional experience with both sides of the argument.

I think it's worth mentioning both to point out that I am not some self-taught hobbyist who looks at things from some home-lab POV or has a low tier IT job, but also because it might be seen as a conflict of interest. 

And I've worked as a system admin, where I also had to pull double duty as a network admin for a smaller company...and guess what, I had to point out to the service provider who had his CCIE that he literally forgot to implement the DMZ on our web servers (and got a snooty response that I was wrong, before I showed it wasn't implemented and got a response that the server wasn't a risk anyway). I've seen educated people who literally make bone-headed moves, or had zero sense of the concept of points of failure.

 

The point I made is super valid. It adds an extra point of failure, and extra configuration that can be messed up. If I wanted, let's say, an SMB server to be accessible, in the cloud you have to deal with a lot more stuff...with local it's as simple as spinning up the SMB server and it won't be inherently public facing. Want it shared between locations? Well, at that stage you likely already have VPNs in place for that.

3735928559 - Beware of the dead beef


2 hours ago, leadeater said:

Depends, these data buckets are typically a replacement for an SMB share

In my experience, Azure blob storage is not used as an SMB share replacement. From my experience, they are mostly used by SaaS applications (like for example some Azure service, or maybe backing up Microsoft 365 data) or for data lakes. Neither of those things are suitable to do on an SMB share.

 

2 hours ago, leadeater said:

and while it's common someone might screw up the NTFS permissions that doesn't expose it to the internet.

I just did a very quick search and found over 1.7 million Internet-exposed SMB shares. 

Yes, exposing SMB to the Internet is stupid and often requires quite a bit of a fuckup, and yet over 1.7 million people are doing just that right now.

But I was not specifically talking about file storage here but rather XaaS in general. Hell, I've seen news about email services being targeted and people saying "this is why we run our Exchange on-prem", even though on-prem is usually way more vulnerable. I am talking about the people like earlier in this thread where someone said they do not care about the risks or benefits vs drawbacks of using a certain tool over another. They refuse to use a certain tool on principle.

 

 

2 hours ago, leadeater said:

Publicly accessible S3 data buckets unfortunately have a slightly higher risk profile than a traditional on-prem NAS. Of course since S3 buckets themselves are very different and "modern" they tend to actually get used where they are most suitable and fit for purpose. It's not every day someone internally comes asking specifically for an S3 bucket and almost always an S3 bucket could not be utilized at all.

Depends on what you compare it to.

Compared to an SMB share on a NAS? Yes. But that is not, from my experience, what these services are replacing.

Use the right tool for the right job. The problem is that for some reason some people refuse to use a certain tool because they don't fully understand what they are talking about. 

If we compare an email service like O365 vs an on-prem Exchange server, would you still say the cloud version is a higher risk?

What if we are talking about backup of O365 data?

What if we need some type of federation service? 

Or any other service that inherently needs to carry data over the Internet. There are a ton of services like that.

 

 

 

1 hour ago, wanderingfool2 said:

And I've worked as a system admin, where I also had to pull double duty as a network admin for a smaller company...and guess what, I had to point out to the service provider who had his CCIE that he literally forgot to implement the DMZ on our web servers (and got a snooty response that I was wrong, before I showed it wasn't implemented and got a response that the server wasn't a risk anyway). I've seen educated people who literally make bone-headed moves, or had zero sense of the concept of points of failure.

My guess is that you didn't comprehend the situation and that you are drastically overestimating your abilities. Those are the type of people I often have the most issues with. Know too much to have confidence and try things, but know too little to do things properly. 

Maybe I am wrong but that is my first guess.

 

1 hour ago, wanderingfool2 said:

The point I made is super valid. It adds an extra point of failure, and extra configuration that can be messed up. If I wanted, let's say, an SMB server to be accessible, in the cloud you have to deal with a lot more stuff...with local it's as simple as spinning up the SMB server and it won't be inherently public facing. Want it shared between locations? Well, at that stage you likely already have VPNs in place for that.

Now you are just parroting what you heard leadeater say.

We are not talking about replacing SMB shares with object storage here. I seriously doubt this was an SMB share that happened to have 65000 customers on it. My guess is that it was some data lake that was exposed. The data on these servers probably requires being accessible, or at the very least transferred over the Internet at some point. It is not comparable to putting some Synology NAS on a network.

 

Depending on how your network is structured, it isn't as simple as just "spinning up the SMB server". You most likely need some access rules somewhere (unless your network is flat which in itself has a ton of potential security issues). Your server probably isn't public facing by default, but chances are it won't be accessible by users by default either. You need some config.


7 hours ago, LAwLz said:

In my experience, Azure blob storage is not used as an SMB share replacement. From my experience, they are mostly used by SaaS applications (like for example some Azure service, or maybe backing up Microsoft 365 data) or for data lakes. Neither of those things are suitable to do on an SMB share.

Yep, and they are also good for archive data that isn't accessed much or needs to be shared. Although most of the cross-org shared data is in SharePoint Online or OneDrive and shared that way, there have been a couple of times where an S3 bucket was better for other reasons.

 

Pre-Cloud we'd have to put this on SMB and then publish out via SFTP/HTTPS.

 

7 hours ago, LAwLz said:

I just did a very quick search and found over 1.7 million Internet-exposed SMB shares. 

Yes, exposing SMB to the Internet is stupid and often requires quite a bit of a fuckup, and yet over 1.7 million people are doing just that right now.

That's pretty meaningless without other contextual data though. There are 26 million sheep in New Zealand 🙃

 

7 hours ago, LAwLz said:

Compared to an SMB share on a NAS? Yes. But that is not, from my experience, what these services are replacing.

A lot of S3 bucket data breaches have just been document repositories; there isn't a lot of reason these have to be S3 other than SMB in the cloud being a vastly more expensive service offering, which basically pushes people to use the cheaper service, i.e. an S3 data bucket. Kind of doesn't really matter though, not here for this discussion really.


6 hours ago, leadeater said:

Pre-Cloud we'd have to put this on SMB and then publish out via SFTP/HTTPS.

nope.gif

(Great, some nutjob script rewrites my link to some ddgo link that doesn't work. GG.)


7 hours ago, LAwLz said:

My guess is that you didn't comprehend the situation and that you are drastically overestimating your abilities. Those are the type of people I often have the most issues with. Know too much to have confidence and try things, but know too little to do things properly. 

Maybe I am wrong but that is my first guess.

That's just the condescending stuck-up attitude that the CCIE gave me, because I'm not "educated", that I don't know better. Trying to use the position of power/education to convince my bosses they did their job correctly (because I told them to withhold payment until they fixed the deficiencies). Even someone with minor knowledge can tell you that a webserver should never run without any firewall rules separating it.

 

The second CCNA/tech (during the same project) had forgotten they "temporarily" configured the switch to take the WAN connection (so the switch was an added point of failure); the same tech also only set up one port for the heartbeat of the failover cluster (the server had additional ports) and I kid you not his justification was that there wasn't a single point of failure because each server had that port connected to a different switch...when in reality it meant a single switch failure meant a headache as the server would think the other failed [at that point is when we fired him, but not after having to demo the issue by causing a failover by pulling out a single cable]. The proper configuration allowed for switch failures and router resets [Again, kid you not, the CCIE had both switches and the router as single points of failure, which they again tried justifying away by stating I don't have a CCNA/CCIE and don't know what I'm talking about. The only thing that saved my job at that time was that I went and pulled a single cable connected to the heartbeat port and showed the failover cluster doing its thing while both servers were healthy. After that I was allowed to redo the wiring and configuration, inspected after the fact by an outside party, and we had no failover events even when the router was replaced or the switch was replaced]

 

I might not be formally educated, or have my certificates, and I recognize I have gaps in my knowledge, but I know enough to know when things are wrong.

 

8 hours ago, LAwLz said:

Now you are just parroting what you heard leadeater say.

We are not talking about replacing SMB shares with object storage here. I seriously doubt this was an SMB share that happened to have 65000 customers on it. My guess is that it was some data lake that was exposed. The data on these servers probably requires being accessible, or at the very least transferred over the Internet at some point. It is not comparable to putting some Synology NAS on a network.

 

Depending on how your network is structured, it isn't as simple as just "spinning up the SMB server". You most likely need some access rules somewhere (unless your network is flat which in itself has a ton of potential security issues). Your server probably isn't public facing by default, but chances are it won't be accessible by users by default either. You need some config.

Not parroting, my original post was going to mention SMB but I didn't have time to write it.

 

Your whole post I was responding to screamed of the "cloud is better" "cloud is safer" because it's run by "professionals" argument. Trying to justify misconfigurations by saying that misconfigurations happen locally as well. My simple point is that cloud computing isn't necessarily safer, and that you are adding in extra layers where people can mess up (and compromise data).

3735928559 - Beware of the dead beef
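The heartbeat story above (one port per server, each on a different switch, so one switch failure makes each node think the other died) is the kind of thing a topology check catches before anyone has to pull a cable in production. The following is an added example, not code from the thread or from any poster: it models the constructed "misconfigured" and "proper" wirings described in the post as a graph in which cables and switches are both components, and lists every single component whose failure severs the heartbeat path. The names (`server_a`, `switch_1`, `cable_a1`, `uplink`) are assumptions for the illustration.

```python
from collections import deque

# Constructed topologies (assumed, not from the thread). Each link is
# (cable_name, endpoint_a, endpoint_b); cables are modelled as components
# so that pulling a single cable can be tested the same way as a failed switch.
MISCONFIGURED_LINKS = [
    ("cable_a1", "server_a", "switch_1"),   # server A heartbeat on one port only
    ("cable_b1", "server_b", "switch_2"),   # server B heartbeat on one port only
    ("uplink",   "switch_1", "switch_2"),   # the two switches reach each other via one uplink
]

PROPER_LINKS = [
    ("cable_a1", "server_a", "switch_1"),   # each server uses two heartbeat ports ...
    ("cable_a2", "server_a", "switch_2"),   # ... landing on two different switches
    ("cable_b1", "server_b", "switch_1"),
    ("cable_b2", "server_b", "switch_2"),
]


def build_graph(links):
    """Undirected adjacency map in which each cable is a vertex between its two endpoints."""
    graph = {}
    for cable, a, b in links:
        for x, y in ((a, cable), (cable, b)):
            graph.setdefault(x, set()).add(y)
            graph.setdefault(y, set()).add(x)
    return graph


def heartbeat_alive(graph, src, dst, failed=frozenset()):
    """True if a heartbeat path from src to dst still exists with the failed components removed."""
    if src in failed or dst in failed:
        return False
    seen, queue = {src}, deque([src])
    while queue:                      # plain breadth-first search around the failed components
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph[node]:
            if nxt not in seen and nxt not in failed:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(graph, src, dst):
    """Every cable or switch whose failure alone makes each cluster node believe the other is down."""
    return sorted(
        comp for comp in graph
        if comp not in (src, dst) and not heartbeat_alive(graph, src, dst, frozenset({comp}))
    )


if __name__ == "__main__":
    for name, links in (("misconfigured", MISCONFIGURED_LINKS), ("proper", PROPER_LINKS)):
        spofs = single_points_of_failure(build_graph(links), "server_a", "server_b")
        print(f"{name}: single points of failure = {spofs or 'none'}")
```

For the misconfigured wiring every component in the path (both cables, both switches and the uplink) comes back as a single point of failure, which is exactly the split-brain trigger the post describes; the proper wiring reports none, because any one cable or switch can go and the other path still carries the heartbeat.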


1 hour ago, jagdtigger said:

nope.gif

Well how else do you suggest externally sharing data? IPoAC? lol

 

SFTP and HTTPS are both perfectly secure, otherwise get off the internet entirely hahaha

 

I'm also curious as to how you think websites even work at all; take away SMB/NFS and well... you're not getting very far trying to store documents and images beyond a single non-HA webserver.


1 hour ago, wanderingfool2 said:

My simple point is that cloud computing isn't necessarily safer, and that you are adding in extra layers where people can mess up (and compromise data).

Which is a legitimate concern and is placed on evaluation criteria and often risk registers. Cloud platforms as a whole require you to give up certain levels of control, without giving up the responsibility and the risk.

 

You cannot outsource risk, and no contract and/or service terms transfer risk or, outside of extreme circumstances, liability.

 

Such is why there is legislation here for where certain types of data can be stored.

 

Another factor in this is that "you" do not matter, only the service does. If there is an outage or some other kind of problem then specifically you/your company do not matter; no matter how much you are impacted, that will have no bearing on how you are treated, the information on the fault or anything. Hard lesson many have learned.


45 minutes ago, leadeater said:

Well how else do you suggest externally sharing data? IPoAC? lol

If it's anything business related, the only way to go is VPN.


27 minutes ago, leadeater said:

Well how else do you suggest externally sharing data? Pigeon? lol

 

SFTP and HTTPS are both perfectly secure, otherwise get off the internet entirely hahaha

Really, pigeon...thought you knew better, that is so medieval. Data is delivered inside coconuts carried via swallows...African swallows to be precise, not European swallows. I thought this was common knowledge /s

 

On a serious note, I think a lot of people hear SFTP and drop the S in their mind, then think back to when FTP passwords were shared in plaintext, glossing over the "secure" that the S stands for.

 

I agree though, perfectly secure. As long as the software is kept up to date and not using some of the deprecated stuff like SSL 3.0...but even then you would realistically have to be subject to a targeted attack.

 

1 minute ago, leadeater said:

Another factor in this is that "you" do not matter, only the service does. If there is an outage or some other kind of problem then specifically you/company do not matter, no matter how much you are impacted that will have no bearing of how you are treated, the information on the fault or anything. Hard lesson many have learned.

I know that feeling. Even without cloud, service providers still do that (the co-location had its primary internet cut out; I went to visit the site as I noticed the temps rising on the servers, only to find absolutely no access because the door access controls were controlled by the same connection that was cut). An AC unit blew at the same time, which turned out to be why the temps increased...still 8 hours of not being able to access the data center [they only cared about protecting their own equipment first].

 

10 minutes ago, leadeater said:

Which is a legitimate concern and is placed on evaluation criteria and often risk registers. Cloud platforms as a whole require you to give up certain levels on control, without giving up the responsibility and the risk.

 

You cannot outsource risk and no contract and/or service terms transfers risk and outside of extreme circumstances liability.

Yea I agree. Ultimately everything in IT is pretty much a balancing act. The caveat is that if the contract is written right, you can outsource the liability (and depending on what it is, risk). The only real example I can think of is PCI compliance and contracting out to a P2PE provider. It's the difference between having to be SAQ-B/P2PE vs SAQ merchant, where the merchant version is a lot more rigid. I kind of view the P2PE providers as a cloud provider, although it's maybe borderline if you call it that. In this case though it really is outsourcing the risk and liability. Although admittedly this is an exception to the rule.

3735928559 - Beware of the dead beef
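The "drop the S in their mind" point and the "keep it up to date, no SSL 3.0" caveat above come down to a handful of client settings. As an added example (not code from the thread or from any poster), here is a constructed Python `ssl` context in the weak shape beside the hardened one, plus a small audit function that flags the three things a practitioner checks first: minimum protocol version, certificate verification and hostname checking. The function names and the finding strings are assumptions for the illustration; the `ssl` calls are the standard-library ones.

```python
import ssl


def weak_client_context():
    """Constructed 'dropped the S' configuration: any protocol version the peer
    offers, no certificate verification, no hostname check. For illustration only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # lets the peer pick legacy versions
    return ctx


def hardened_client_context():
    """Settings a practitioner keeps: TLS 1.2 or newer, chain verified against the
    system trust store, and the hostname matched against the certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSL 3.0, TLS 1.0 and TLS 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def audit_tls_context(ctx):
    """Return the list of findings for a client SSLContext; an empty list means it passes."""
    findings = []
    # TLSVersion is an IntEnum, so version constants compare numerically.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2 (legacy SSL/TLS versions allowed)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required or not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(f"{name}: {audit_tls_context(ctx) or ['ok']}")
```

The audit is deliberately about the client's own configuration rather than a live connection, so it runs offline; the same three checks apply to an SFTP client's host-key and algorithm settings, where "trust any host key" is the SSH-side equivalent of `CERT_NONE`.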
