This is an oversimplification. If we are talking about compliance with ISO 27001, you are supposed to do your own risk assessment and implement the necessary controls. The auditor will basically just check that you have done the risk assessment, and that you have implemented the controls you yourself said you needed.
I'd say this has nothing to do with regulatory compliance at all. The real truth is that modern organizations are way too attached to cloud solutions. And this runs across all parts of the organization with SaaS and PaaS, whether it's email (imagine Google Workspace having a major issue), AWS, Azure, Okta…
I've had the discussion so many times and the answer is always: the risks don't matter because the future is cloud, and even talking about self-hosting anything is naive, and honestly we need to evaluate your competence for even suggesting it.
(Also, the cloud would maybe not be this fragile if it wasn't for lock-in with different vendors. If you read the TOS, it says on basically all cloud services that you are responsible for the backup, but getting your data out of the service is still a pain in the ass, if it is possible at all.)
> The real truth is that modern organizations are way too attached to cloud solutions.
I'm confused. This is a security product for your local machine. Not the cloud.
Unless you call software auto-update "the cloud", but that's not what people usually mean. The cloud isn't about downloading files, it's about running programs and storage remotely.
I mean, if CrowdStrike were running entirely in the cloud, it seems like the problem would be vastly easier to catch immediately and fix. Cloud engineers can roll back software versions a lot more easily than millions of end users can figure out how to safe boot and follow a bunch of instructions.
Well, there has usually always been the option to run a local proxy/cache for your updates so that you can properly test them inside your own organization before rolling them out to all your clients (precisely to avoid this kind of shit show). But doing that requires an internal team running it and actually testing all updates. But modern organizations don't want an IT department, they want to be "cloud first". So they rely on services that promise they can solve everything for them (until they don't).
Cloud is not just about where things are. It's also about the idea that you can outsource every single piece of responsibility to an intangible vendor somewhere on the other side of the globe, or "in the cloud".
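The local update cache with staged internal testing that the comment above describes, sketched as an added example. This is not code from the thread or from any vendor's update tooling; the ring names, the 1% failure threshold, the update identifiers and the boot telemetry are all constructed for illustration. Endpoints fetch only from the local cache, a new update is first served to a small canary ring, and it is promoted to the next ring only if the previous ring's hosts came back healthy; otherwise it is held and withdrawn from every ring.

```python
from dataclasses import dataclass, field

# Promotion order of the internal rollout rings. Hypothetical names.
RINGS = ["canary", "pilot", "broad"]
# Hold an update if more than 1% of the previous ring's hosts failed on it.
MAX_FAILURE_RATE = 0.01


@dataclass
class Update:
    update_id: str
    approved_rings: list = field(default_factory=list)
    held: bool = False


@dataclass
class LocalCache:
    """Vendor updates mirrored locally; endpoints only fetch from here."""
    updates: dict = field(default_factory=dict)

    def ingest(self, update_id):
        # Pulled from the vendor, but not yet approved for any ring.
        self.updates[update_id] = Update(update_id)

    def served_to(self, update_id, ring):
        u = self.updates[update_id]
        return not u.held and ring in u.approved_rings


def ring_failure_rate(results):
    """results: list of (hostname, booted_ok) tuples reported by one ring."""
    if not results:
        raise ValueError("no telemetry from the previous ring; refuse to promote blind")
    failed = sum(1 for _, ok in results if not ok)
    return failed / len(results)


def promote(cache, update_id, ring, prev_results=None):
    """Approve `update_id` for `ring`, gated on the previous ring's results."""
    u = cache.updates[update_id]
    if u.held:
        return False
    idx = RINGS.index(ring)
    if idx == 0:
        u.approved_rings.append(ring)  # canary hosts are the test population
        return True
    prev = RINGS[idx - 1]
    if prev not in u.approved_rings:
        raise RuntimeError(f"{update_id} would skip ring {prev!r}")
    if ring_failure_rate(prev_results) > MAX_FAILURE_RATE:
        u.held = True  # pull it from every ring, including the canary
        return False
    u.approved_rings.append(ring)
    return True


def run_demo():
    cache = LocalCache()
    cache.ingest("update-A")  # constructed: a healthy update
    cache.ingest("update-B")  # constructed: an update that breaks boot

    # Constructed telemetry: (hostname, booted_ok) per host in the ring.
    canary_ok = [(f"canary-{i}", True) for i in range(50)]
    pilot_ok = [(f"pilot-{i}", i >= 2) for i in range(500)]     # 2 of 500 fail: 0.4%
    canary_bad = [(f"canary-{i}", i >= 40) for i in range(50)]  # 40 of 50 fail: 80%

    promote(cache, "update-A", "canary")
    promote(cache, "update-A", "pilot", canary_ok)
    promote(cache, "update-A", "broad", pilot_ok)

    promote(cache, "update-B", "canary")
    promote(cache, "update-B", "pilot", canary_bad)  # held here
    promote(cache, "update-B", "broad", [])          # no-op: already held

    return {
        "A_broad": cache.served_to("update-A", "broad"),
        "B_canary": cache.served_to("update-B", "canary"),
        "B_broad": cache.served_to("update-B", "broad"),
        "B_held": cache.updates["update-B"].held,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the gate is that the broad ring never sees an update that nobody inside the organization has booted on; missing telemetry is treated as a failure to promote rather than as silence that means "fine".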
> Cloud is not just about where things are. It's about the idea that you can outsource every single piece of responsibility to an intangible vendor somewhere in the cloud.
I've never heard of a definition of cloud like that.
Cloud is entirely about where things are.
Outsourcing responsibility to a vendor is totally orthogonal to the idea of the cloud. You can outsource responsibility in the cloud or not. You can also outsource responsibility on local machines or not.
And outsourcing responsibility has existed since long before the concept of the cloud was invented.
The product affected here is literally called "CrowdStrike Falcon® Cloud Security". Meraki, although they sell routers and switches, markets their products as a "cloud-based network platform". Jamf, although their product runs on endpoint devices, is marketed as "Jamf Cloud MDM". I think it's fair to say that "cloud" these days does not only mean storing data or running servers in the cloud, but also infrastructure that is in any way MANAGED in the cloud.
So, to tie back to what I wrote earlier: none of these services have to have the management part in the cloud. They could just give you a piece of software to run on your own server. That would certainly distribute the risk, since right now it only takes someone hacking the vendor to go after all their customers, or, as in this case, one faulty update to break every user's experience. And as far as I can see, it seems we are willing to take those risks because we think it's nice having someone else manage the infrastructure (and that was my main point in the first comment).