
AWS has external auditors verify their policies, procedures, and actual methods meet a wide variety of compliance requirements from many different agencies. The level of access those auditors and other verification methods have to AWS is not none but very significant.

https://aws.amazon.com/compliance/programs/




Yeah, but my example wasn't access that auditors have, it's you, as a client.

Now on topic... You could argue that Nord perhaps was a bigger client than you or I am to AWS, and maybe they should have had better access, but the fact of the matter here is that it's absolutely possible that Nord is being accurate when they say "[we] could not have known".

Contract violation or not, you should never have full 100% confidence in someone else's system. If I were Nord and renting cloud I would absolutely assume there were undisclosed accesses, as I bet they are viewing everything now.


As a client I can ask for policies, records, 4th party audit reports, etc and choose your vendor based on their ability to answer and the quality of answers.

It's not about contract violations if something like that happens you don't know about, it would have to be willful deception and incompetence of several organizations.

"We could not have known" is an answer you get when what you really mean is "we didn't think to look". If something like this happened and you had done the right things, the message would be "vendor X violated their policy, our contracts, and auditors A, B, and C failed due diligence requirements here and here".

"We could not have known" as a response means no one should trust NordVPN because clearly they think they're helpless which means they aren't clever enough to trust my data with.

> you should never have full 100% confidence in someone else's system

Of course.


That page looks impressive but there is no way to casually verify that what they are talking about actually happens (on a quick check). There is simply so much info there you'd have to spend considerable time trying to track down what is needed to make sure it's actually legit. [1] Of course with 'assume' with AWS it is and it's meaningful but my point is if someone else were doing that people might simply 'check the box' and say 'ok they have this handled'. Might not be the case.

[1] Edit: Story today about Amazon and expired baby formula:

https://news.ycombinator.com/item?id=21310697


As for [1], the FTC etc. do a bad job of regulation, especially of Amazon. I actively do not trust Amazon to sell me things I ingest.

> there is no way to casually verify that what they are talking about actually happens

I have first-hand experience working in more than one organization with security departments which did this sort of verification of vendors. Usually as required by law.

And the opposite was true as well, working in organizations which were beholden to those kinds of compliance requirements and to customers (and investors) verifying them.

It is indeed a long process with a lot of work. That kind of "box checking" tends to happen sometimes but not in an inventing reality way but a cargo cult way. There is enough surface area of these regulations though that you can't just get away with a song and dance, you end up actually having to do the right things.


Rereading your comment, here is one easy verification method for one of the programs: literally a marketplace of compliant services by the group which does the verification.

https://marketplace.fedramp.gov/#/products?sort=productName



