
My friend, some of the biggest data leaks happened because of misconfigured S3 buckets, which is literally one line of code to get right.

Cloud is not an insurance against incompetence.



And it opens you up to potential exposure due to mistakes at the cloud provider.

About two years ago we got an email from AWS associated with a PHD notice. It “apologized” for an issue whereby the EC2 Security Groups in a single AZ were in place but not operative. All traffic was permitted for several hours, irrespective of the SG config.

We deploy and align host-based firewalls alongside whatever the cloud provider gives us, for exactly this reason.

Somewhere along the line “the cloud” seems to have gotten a reputation for some level of infallibility of which I’m not convinced.

See also the recent problem where Entra logs weren’t captured for some tenants, and are just gone.
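An added example, not part of any comment in this thread and not AWS tooling: one way to keep a host firewall aligned with a security group, as the comment about host-based firewalls describes, is to derive nftables rules from the SG's ingress entries and diff them against what the host actually has loaded. The function names, the `host_fw` table name and the sample ingress entries are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample, shaped like IpPermissions from `aws ec2 describe-security-groups`.
SAMPLE_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}, {"CidrIp": "192.0.2.10/32"}]},
    {"IpProtocol": "udp", "FromPort": 8000, "ToPort": 8100,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
]

def sg_to_nft_rules(permissions):
    """Translate SG ingress entries into nftables accept rules (IPv4 CIDR sources only)."""
    rules = []
    for perm in permissions:
        proto = perm["IpProtocol"]
        if perm.get("UserIdGroupPairs") or perm.get("PrefixListIds"):
            # Group/prefix-list sources have no host-side equivalent; fail closed.
            raise ValueError("non-CIDR source cannot be mirrored on the host")
        for rng in perm.get("IpRanges", []):
            cidr = ipaddress.ip_network(rng["CidrIp"], strict=True)
            if proto == "-1":                      # "-1" means all protocols
                rules.append(f"ip saddr {cidr} accept")
            elif proto in ("tcp", "udp"):
                lo, hi = perm["FromPort"], perm["ToPort"]
                ports = str(lo) if lo == hi else f"{lo}-{hi}"
                rules.append(f"ip saddr {cidr} {proto} dport {ports} accept")
            else:
                raise ValueError(f"unsupported protocol {proto!r}")
    return rules

def render_ruleset(rules):
    """Wrap the rules in a default-drop input chain, loadable with `nft -f`."""
    body = ["ct state established,related accept", 'iifname "lo" accept', *rules]
    lines = ["table inet host_fw {", "  chain input {",
             "    type filter hook input priority 0; policy drop;"]
    lines += [f"    {r}" for r in body]
    return "\n".join(lines + ["  }", "}"]) + "\n"

def drift(permissions, host_rules):
    """Return (missing_on_host, extra_on_host) relative to the SG definition."""
    want, have = set(sg_to_nft_rules(permissions)), set(host_rules)
    return sorted(want - have), sorted(have - want)

if __name__ == "__main__":
    print(render_ruleset(sg_to_nft_rules(SAMPLE_SG_INGRESS)))
```

Because the chain policy is drop, anything the translation cannot express (IPv6 ranges, group references) stays blocked on the host rather than being silently opened.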


I didn't mention there were no leaks or is no incompetence. I wrote about the amount of corners that are no longer available to be cut. Corner cutting isn't exclusive to data leaks. It impacts everything, mostly the people actually working on the stuff.

Taking away responsibility from the people or departments that clearly can't handle it, that is what this means.

It does not mean that the responsibility that remains suddenly no longer ends up with incompetent actors. It just means it is now smaller, and smaller to a degree where it is very much worth it in most cases.

And just like I wrote earlier, there are cases where that works the other way around as well, and that just reinforces my point.



