
> hosting infra is one of the most competitive industries out there.

Here is an experiment - tell your employer you will be hosting on (insert no-name provider here), to save a literal million dollars, and see if you can get the security team to sign off on it.

Here is another experiment - reach out to the security team, tell them AWS costs are too high, and ask them which providers they would be ready and willing to sign off on. My guess is it will not be a big list beyond AWS/Azure/GCP.

So the market is not competitive at all, most of us cannot switch providers even if the alternative would be 100x better.

PS: I am not saying security teams are assholes, I am pointing out a major barrier to competition.



> PS: I am not saying security teams are assholes, I am pointing out a major barrier to competition.

> Here is an experiment - tell your employer you will be hosting on (insert no-name provider here), to save a literal million dollars, and see if you can get the security team to sign off on it.

???

So what does this have to do with the security team at all? There is no "barrier" in that sense.

In the past we've had more non-cloud engineers than cloud. Using your experiment, if you told your IT team you wanted to move to the cloud (back then) to save a million dollars - do you think they'd sign off on it? No.

Who signed off on it? The bosses that believed in the "hype".

Who's in control and who has power? If the bosses want it to happen it will even if it doesn't make sense. They have the ability to fire the security team if they said no. Just like how ethical AI teams get fired...

The barrier is those in power still believe in the "hype" and don't know otherwise.

I met a CTO of a startup sometime ago that moved their entire operations from GCP to AWS because they were "more familiar with it". That's all.


> I met a CTO of a startup sometime ago that moved their entire operations from GCP to AWS because they were "more familiar with it". That's all.

Without knowing which startup you are referring to its hard to make a judgement as to the quality of the decision but you should not discount the role tooling familiarity has when developing software.


> but you should not discount the role tooling familiarity has when developing software.

No one was familiar with the cloud when it first came out.

As to this scenario, clearly the whole company was running GCP so everyone minus the new CTO would be familiar with GCP vs something else.

Point exactly being that regardless of the security team or the developers - this familiarity that you mention or any other trait only applies to a select few in management.


No one ever got fired for buying AWS


Fired? No. Laid off when the business went bust? Yep.


Or the spend on AWS got out of control and they needed to save money. Looking at you Sony Interactive Entertainment...


100x better for you, but how much work are you causing to the security team that you're not counting?

Anyways, big corps aren't the only player. There's plenty of SMEs that don't care the slightest about using only the big clouds.


> Here is an experiment - tell your employer you will be hosting on (insert no-name provider here), to save a literal million dollars, and see if you can get the security team to sign off on it.

SOC/PCI/etc. is going to take maybe $100-200k. If you can save a million dollars you should do it. Hire an expert if you have to. Serious.

I think it probably won't save you a million dollars, because I think all of the cloud vendors are priced with just enough profit to make sure of it, but if you know something I'd like to know about it.


Speaking as someone who went through this process at a large financial firm, you're off by at least an order of magnitude. You need a SOC 1 audit of each product you plan to use, which is likely quite a few if you want to take full advantage. The big players should eventually be able to offer that for free once they've been through the process but, at least relatively recently, it was only true if your cloud budget was tens of millions. That aside, you'll still need an audit of your usage of the cloud (i.e. how you deploy to it and handle movement of data back and forth). That'll always be on your dime.


No. At the end of the day, the customer pays, because I charge more for bullshit. They need a SOC report to use my cloud product; it cost me 150k USD to get an audit from a Big Four firm for a single site in 2016. Maybe it's a little more today, but it's not an order of magnitude.

I'm assuming you already adhere to the relevant standards. Obviously if you're cutting corners, getting up to snuff is going to cost a lot more than a hundy.


A Big Four firm can't conduct a proper SOC audit without access to the cloud provider's internal controls/processes. That's the problematic/expensive part, since it requires a bunch of time from the cloud provider, which they will also likely want to bill for.


As someone currently dealing with SOC in preparation for the company I work for going public, I will also confirm it is a giant bean-counting pain in the butt.


> I think all of the cloud vendors are priced with just enough profit to make sure of it

Profit margins on cloud computing are insanely high (at least, relative to my expectations). They basically have no interest in anything with less than a 15% margin, even at the massive scale they operate at. Certain products have triple-digit margins. Even if they are the minority, I don't think we can give them a pass with claims of "just enough profit".


The reality is that there are myriad providers that simply do not provide the assurances that AWS/Azure/GCP do. Sure, there's a bit of "use these, because we know them, and they work", but there's also a bit of "the typical developer is not at all across the security requirements, especially taking into account contractual obligations and regulated industries".


I remember the sad case of DataCentred:

https://www.datacenterdynamics.com/en/news/datacentred-is-sh...

tl;dr even after getting a big public sector contract, a UK based cloud provider was killed off after scaling to meet demand which was then withdrawn. Attaining - and keeping - scale is extremely difficult. And that was just IaaS provision.


If you're scaling your whole business for one customer based on one contract then you better be sure you can either scale down again, or the contract has safeguards in it to stop a rugpull.


You're not wrong, but the public sector should probably not be pulling the rug out from underneath anyone.


It's ironic, because the companies most averse to alternatives might be in the best position to benefit from them.



