So, not quite sure about this, hence posting in “Off Topic”.
(The mods will surely move this post to its right place, or delete it).
So, I work in a company where we use some of the big cloud services out there. We have some extremely competent security architects, a CSIRT team and all the bells and whistles.
But, how about using some of those services in a more “personal” context, i.e. side projects you do in your free time?
Case in point, as an example: I use GitHub, and a couple of my repos are connected to Cloudflare. I use those to deploy websites, using a static site generator (Hugo).
Though I’ve talked with sec archs at work and feel reasonably sure about sec and priv, is this a possible new area for PG to have some guides about, or am I off base here?
Regardless of whether this is within or outside the scope of PG, hearing this community’s thoughts on the subject would be very interesting (and possibly educational).
Generally, as you move down this list and give up more control over what you are operating, you are sacrificing privacy more and more in some way. It’s because as you delegate these roles to cloud companies you are also giving them more fine-grained insight into your application usage data.
For example, if you host a website on an Infrastructure as a Service product like a VPS from Hetzner or Vultr, that provider can trivially observe which IPs are connecting to your website, but not necessarily other data. On the other hand, with a Platform as a Service product like GitHub Pages, GitHub can observe much more about your visitors, like which specific pages they are visiting, their browser information, etc.
This is often reflected in the privacy policies of these services, with privacy policies typically becoming more invasive and complex as you move down this line.
For the most part, I strive to only make use of IaaS providers like Hetzner for my projects whenever possible, and lately I’ve even been shifting to hardware I own completely.
Whether or not this works for you is kind of a personal decision, and depends both on your technical knowledge and the type of application you’re hosting.
And sometimes it is still worth the tradeoff to use more abstract services, we use GitHub (SaaS) extensively here at Privacy Guides (although not for hosting the website itself).
From a security perspective, there is not an inherent difference in security between these models, only a difference in who is responsible for that security.
Thanks, and I see that you reference the standard figure used by, among others, Gartner!
My apologies if my lack of English creates confusion. But I am not asking for myself; I work in this space, and have been for 30 yrs.
I know very well the difference between on-prem, IaaS, PaaS, SaaS, private cloud vs public cloud and all that other stuff! (Being chief infrastructure architect for a 200-million-dollar company.)
Again, I profusely apologise if I seem like an a-hole.
What I tried to ask was: is this an area that would be interesting for PG to incorporate into the guides, and/or have a discussion about?
Yeah, I am kind of tiptoeing around some stuff here.
I am new to this forum and I don’t want to insult anyone, but I do not agree with some of the opinions posted here.
But, again, I will tread lightly, and try to understand the gist of this forum.
I have done some research, I have been working with security and privacy for a very long time, and I have years of experience. But I do not at any point in time assume that I know the “truth”, hence why I joined this forum.
Not quite sure if this answer was to me! (Yeah, as mentioned before, these new forums, I don’t get them.)
But, for those who want to test their thesis regarding privacy/security, I am always available. And, for those thinking I am talking nonsense (I do, often), let’s talk.