I once worked for a client who had a very strong focus on insider threat, and whose entire infrastructure was cloud-based.

    hexamander@infosec.exchange
    wrote last edited by
    #1

    I once worked for a client who had a very strong focus on insider threat, and whose entire infrastructure was cloud-based.

    My team and I wrote them the security plan they needed, but it came with a big, bold-text version of "you cannot reduce the risk of an evil cloud admin, no matter what you do, because you do not own and cannot control the actual hardware you use for critical operations."

    It seems to me that when we're talking about "consumers don't need their own hardware, only a terminal," we are adding the Evil Cloud Admin to individual users' threat model, and that is an incredibly bad idea.

    An Evil Cloud Admin can get your secrets; can inject malware; can read your traffic, tamper with it, or use it to train AI. Can just straight up deny you access to the hardware you paid for and then deny you access to turn it back on.

    And you, no matter how powerful your company or expensive your lawyers, cannot stop them from doing that.

    How much less power does an individual with a terminal that can't do anything by itself have in that situation?

    #infosec #privacy

      hexamander@infosec.exchange
      wrote last edited by
      #2

      And, on an internet where we see more and more censorship of completely ordinary and legal things (have you tried looking for information about, say, periods, on Facebook recently?) an Evil Cloud Admin can maybe deny your computer the ability to work on things they don't want.

      Or scan the files on your rented storage to find out if you're doing naughty things, and give that to whatever agency they desire.

      A gross thought for a Monday morning, but I'm sure other and smarter folks than me are already thinking about it.

      I'd like to think about it in company. I do my best work when I can bounce ideas off other people, after all.
