If the lesson the author is ultimately trying to convey is "You can't trust cloud infrastructure providers to protect your data, especially Microsoft," my answer is, "Okay. What can a company do when there is no choice?" The number of enterprise-grade applications that are cloud-only offerings is only increasing. Regardless of whether or not my company actually wants to own the risk of storing its data with a third party, the day is coming when they have to choose to accept the risk that comes with storing data in the cloud, or re-invent someone else's wheel at great development and operational cost.
> "Okay. What can a company do when there is no choice?" The number of enterprise-grade applications that are cloud-only offerings is only increasing.
I'd be curious to know what kind of problems could only be solved through a cloud-only solution. It's an honest question; I'm not old enough to remember actually using mainframes, but in my day companies had their own IT staff, gear and storage.
I understand that hiring an IT team of 3 might not be viable for a small 10-person startup, but I'm sure there are solutions in between before being forced to entirely surrender everything to someone else's data center.
Software security is a good example. Let's say you work for a large company, you have 50K repos in your git instance, and you have 10K developers on staff churning out all of that software, from the mundane to the mission critical. You want to provide a means for your developers to be good citizens and get out in front of security vulnerabilities.
Building an in-house solution to do this is extremely costly in every way imaginable, from the extreme expertise needed to the ability to do it at a very large scale.
There are a number of vendors out there who provide great software to do things like scan source code, scan dependencies, or scan a live environment for vulnerabilities. The best of those vendors have cloud-only solutions.
You're stuck either accepting the risk that, at the very least, vulnerabilities about your software would be potentially exposed for the world to see, or installing an inferior product on-premise. That potential risk is even greater if your customers depend on you to store things like private and/or financial data.
Hum... We are still dealing with the last cloud-based security scanner that injected malware into every large IT-related company, and still discovering which companies are completely hacked because of it but are hiding this.
> Okay. What can a company do when there is no choice?
The company can recognize that "there is no choice" is not a valid option. There are many choices if the company actually cared to invest into choices. That requires learning and actually vetting your vendors though. That's hard work. Good luck getting people to do hard work.
I've been through multiple vendor vetting processes at my company, and there has always been a line drawn at whether or not the company's data is stored with the vendor in the cloud. My company is very cloud averse due to the nature of the business, and the kind of data they store. The vendor products that make that cut are usually not the best, and if they have a cloud offering, it's almost always superior to their on-premise offering. Every time I go through this process, it shifts even further in the direction of more + better cloud offerings, and fewer on-premise offerings.
You can implement security measures on top of what is provided by Microsoft. If you have encryption at rest and you hold the keys locally, for example, even this high-level leak would not expose you.
That said, good luck implementing and managing that in a large organization.