> We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.
EXACTLY why so many companies opt to stay on-prem, to the amazement and bewilderment of every vendor sales rep that calls on the phone.
Go ahead and ask them which Cloud providers their company uses. Ask them which open-source libraries their SaaS uses. Ask them to show you the audits they've performed on THEIR supply chain this year. You won't get any answers.
So sick and tired of everyone jumping on the "more links in the chain is better" bandwagon.
> Ask them which open-source libraries their SaaS uses. Ask them to show you the audits they've performed on THEIR supply chain this year. You won't get any answers.
Well, even with private cloud and on-prem these are pretty relevant questions...
I worked with a government organization where I was part of the team on-boarding a new on-prem system. It was purchased through a tender, where on-prem was a requirement. The product was SaaS by default, but they offered an on-prem version. We pretty much got a copy of the stack of containers and docker-compose file that they used to run their SaaS offering.
While running the application, I was missing a lot of context, since logging was minimal, so I asked the company how to connect a log store to get an overview of all the sub-systems. There was no option for this (then how did they monitor their SaaS?). So I used docker to get command line in the containers and see if I can find some logs there to then get into a log store. In one of them, I noticed an error because something in the container was trying to phone home with telemetry, to a server that wasn't owned by our supplier. 'Luckily', our on-prem box didn't have an internet connection, because of the sensitivity of our data.
This was when I realized that our supplier didn't roll their own containers, but just used off the shelf stuff they didn't even audit. So who knows what their SaaS offering was leaking from these containers? I mentioned this to both internal IT architects and the supplier and nobody really seemed to care.
This is a supplier that was named 'Leader' by Forrester and got a $30M funding round last year.
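The phone-home attempt described above surfaced only because the box had no internet access and the container logged a failure. A check a defender can run without waiting for that luck is to compare the names containers try to resolve against the domains the supplier has declared as theirs. The following is an added example, not code from the commenter or the supplier; the resolver log format, the container-to-IP mapping and the domain names are all constructed, and a real deployment would take the mapping from `docker inspect` and the allowlist from the supplier's own documentation.

```python
"""Flag DNS lookups from containers that fall outside a supplier-owned allowlist.

Added example with constructed data: the log format, the container names and
the domains are not from any real product.
"""
from collections import defaultdict
import re

# Constructed: container IP -> service name (in practice read from `docker inspect`).
CONTAINER_BY_IP = {
    "172.18.0.2": "web",
    "172.18.0.3": "worker",
    "172.18.0.4": "search",
}

# Constructed: zones the supplier declared as theirs, plus the customer's internal zone.
ALLOWED_SUFFIXES = ("supplier.example", "internal.example")

# Constructed resolver log format: "<ts> client=<ip> query=<name>. type=<rrtype>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"query=(?P<name>\S+) type=(?P<rrtype>[A-Z]+)$"
)

# Constructed sample log: two containers try names the supplier never declared,
# and one query comes from a host that is not a container at all.
SAMPLE_LOG = """\
2022-11-30T10:15:01Z client=172.18.0.2 query=api.supplier.example. type=A
2022-11-30T10:15:02Z client=172.18.0.4 query=metrics.thirdparty-analytics.example. type=A
2022-11-30T10:15:02Z client=172.18.0.4 query=metrics.thirdparty-analytics.example. type=AAAA
2022-11-30T10:15:05Z client=172.18.0.3 query=db.internal.example. type=A
2022-11-30T10:15:09Z client=172.18.0.3 query=update-check.some-base-image.example. type=A
2022-11-30T10:16:00Z client=10.0.0.7 query=laptop-unrelated.example. type=A
"""


def parse_line(line):
    """Return the fields of one resolver log line, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    fields = match.groupdict()
    # Normalise the queried name: lower-case, no trailing root dot.
    fields["name"] = fields["name"].lower().rstrip(".")
    return fields


def is_allowed(name):
    """True if name is an allowed zone or a subdomain of one.

    Matching on '.' + suffix (not a bare endswith) stops 'evilsupplier.example'
    from passing as 'supplier.example'.
    """
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in ALLOWED_SUFFIXES)


def find_phone_home(log_text):
    """Map each container to the sorted list of unexpected names it tried to resolve.

    Queries from IPs that are not containers are ignored; queries for allowed
    zones are ignored; duplicates (e.g. A and AAAA for one name) collapse.
    """
    unexpected = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        container = CONTAINER_BY_IP.get(fields["ip"])
        if container is None or is_allowed(fields["name"]):
            continue
        unexpected[container].add(fields["name"])
    return {c: sorted(names) for c, names in unexpected.items()}


if __name__ == "__main__":
    for container, names in sorted(find_phone_home(SAMPLE_LOG).items()):
        for name in names:
            print(f"{container}: undeclared lookup for {name}")
```

Names that fail this check are the list to take back to the supplier: either they belong to the supplier and should be added to the declared allowlist, or they belong to whatever base image or library shipped inside the container and the supplier should account for them. The check covers only name resolution; egress straight to an IP address needs the same comparison run over firewall logs.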
And, to be fair, it's a large part of the Docker experience.
I recently had a pretty much identical experience with a vendor that is industry leading in their sector and counts most large companies among their customers. Just imagine what their cloud looks like.
A supply chain attack on these guys wouldn't even be difficult, and the only reason I can imagine we haven't heard about it is that we just haven't heard about it.
LastPass blog post on Sept 15 said the hack was accomplished with a compromised developer machine:
> Our investigation determined that the threat actor gained access to the Development environment using a developer’s compromised endpoint. While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.
This is similar to other recent hacks, e.g. where a crypto company was hacked when a developer opened a malicious PDF he thought was a job offer.
So, in other words, being on cloud vs. on prem, and potential supply chain hacks, had nothing to do with it.
So sick and tired of everyone jumping to conclusions to fit their preconceived notions of what is good/bad when it comes to security.
When you're on prem you only have to worry about your own employees opening sketchy PDFs. When you're not, you have to worry about everyone in your supply chain opening sketchy PDFs.
Nevermind the fact that the next time a major world conflict occurs, the big 4 cloud providers will probably be destroyed, taking about 90% of the western economy with it.
> When you're on prem you only have to worry about your own employees opening sketchy PDFs
This is just plain wrong. When you’re on prem you have to worry about configuring all of your hardware and software correctly yourself. Your firewalls, your SSH server(s), off site backup systems, hardware failures, software patching, access points to your network – the list goes on. Some of these are true for cloud services as well.
They are just different trade offs. Sometimes on prem makes sense, and sometimes cloud services makes sense. You can’t say that security is less of a concern in one of them.
> Nevermind the fact that the next time a major world conflict occurs, the big 4 cloud providers will probably be destroyed, taking about 90% of the western economy with it.
And it somehow does _not_ take your on prem system with it? Even though cloud providers are spread across the whole world, and your on prem system is most likely in one, single location?
> When you're not, you have to worry about everyone in your supply chain opening sketchy PDFs.
That's absolutely not correct. Besides, I have more respect for the security and operations procedures for AWS, GCP and Azure than I do for 99% of startups running their own infrastructure.
But my primary point is that you seem to be arguing that being on prem is inherently more secure, and more importantly, being in the cloud made LastPass less secure, despite the fact that the breach vector in this case would have been equally effective regardless of whether they were in cloud or on prem.
It doesn't matter how secure 4 providers are. There are only 4. OpSec won't stop a submarine from bombing underwater fiber. OpSec won't stop a missile heading for the data center. The strategic importance of our consolidated infrastructure WILL be a paramount target for any enemy of the west.
On-prem business is a diversified attack vector. Cloud storage is a consolidated attack vector. Would Russia rather attack 100,000 small diverse targets, or one enormous target with 1,000,000s of customers?
If your goal is to avoid downtime in case of nuclear war, you could use a managed distributed database solution from a cloud provider.
Also, attacks against 'on-prem' services still scale, in the sense that an exploit against a service's code can be used on any number of independent deployments of that code.
The solution to that is to actively avoid monoculture. [0]
If your primary concern is global thermonuclear war, then like other commenters have said, I think we'll have much more important things to worry about.
Yeah, but it's not the SaaS/big 4 that has a developer logging in locally as admin who gets owned and then isn't segmented sufficiently to stop the spread, it's the scrappy startup.
And I say this while working at a scrappy startup where there is no segmentation, everyone browses in a browser with sudo, etc. See Piriform and others.
Your hate of cloud is not wrong, but on-prem is not necessarily more secure. Not at all. (IMO layers of abstraction and cost once you actually scale are the real negatives.)
You don't need to destroy the cloud providers. Missile hits on the major interconnection (interchange? peering?) nodes in each major country and most of the companies and people are offline. Or hit the power plants, see Ukraine.
This + the fact that privacy regulations are on the rise will make SaaS providers adapt to a world where customers data cannot be kept on the SaaS prem.
I would suggest splitting this problem into two different problems - the processing ("data in use") vs data at rest. Each of these problems should be tackled with a different solution/approach.
I'm working on tackling the second approach, and if anyone wants to talk just reach out (reply/mail/link/whatever you prefer).
This was the immediate and exact same thought I had the moment I read the first sentence of the post. Then I stopped reading. Clearly this was not an engineering decision, and passwords should be trusted to no one but competent engineers and cryptographers.