398 points djoldman | 9 comments
lukev ◴[] No.42071345[source]
There's something missing from this discussion.

What really matters isn't how secure this is on an absolute scale, or how much one can trust Apple.

Rather, we should weigh this against what other cloud providers offer.

The status quo for every other provider is: "this data is just lying around on our servers. The only thing preventing an employee from accessing it is that it would be a violation of policy (and might be caught in an internal audit.)" Most providers also carve out several cases where they can look at your data, for support, debugging, or analytics purposes.

So even though the punchline of "you still need to trust Apple" is technically true, this is qualitatively different because what would need to occur for Apple to break their promises here is so much more drastic. For other services to leak their data, all it takes is for one employee to do something they shouldn't. For Apple, it would require a deliberate compromise of the entire stack at the hardware level.

This is very much harder to pull off, and more difficult to hide, and therefore Apple's security posture is qualitatively better than Google, Meta or Microsoft.

If you want to keep your data local and trust no-one, sure, fine, then you don't need to trust anyone else at all. But presuming you (a) are going to use cloud services and (b) you care about privacy, Apple has a compelling value proposition.

replies(7): >>42072229 #>>42073673 #>>42073693 #>>42074841 #>>42075160 #>>42075432 #>>42078451 #
1. roca ◴[] No.42073693[source]
> For other services to leak their data, all it takes is for one employee to do something they shouldn't.

This is not true for Google, at least. I know because I work at Google.

So I wonder how accurate your knowledge of Meta, Microsoft etc is.

replies(3): >>42074031 #>>42078210 #>>42082138 #
2. andruby ◴[] No.42074031[source]
Without revealing things under NDA, what could you share about what more it would take?
replies(1): >>42075593 #
3. mattlondon ◴[] No.42075593[source]
https://archive.is/HFlx1 is one example of the lengths they are going to - third parties running entire Google cloud software stack (i.e. the GCP stuff we all know, and the underlying infrastructure too) in their own data center that is entirely air-gapped from Google itself. This is a huge undertaking.
replies(1): >>42078889 #
4. abalone ◴[] No.42078210[source]
PCC is a whole different level. For example, you still have to trust that Google is doing what it says to control access. PCC makes it auditable and verifiable by clients when connecting to a node.

You can also audit that the binaries don’t leak any data in, say, debug logs, which is definitely possible on GCP/Borg. PCC nodes are “cryptographically airtight.”

replies(1): >>42081448 #
5. qmarchi ◴[] No.42078889{3}[source]
There's a huge difference in what GDC-Airgapped runs on and what is actually running in GCP.

Airgapped is based on top of Kubernetes, and it's using mostly off the shelf components for networking and compute.

GCP is based on top of Borg, using custom networking and computer hardware (though manufactured by a partner). As a note, not only is access without a support token alertable (goes to your skip level), there's a distinct level of "I'm not even going to build the tool to enable this". Which makes being in support a b**.

If you want access to something, it's significantly easier to just ask the customer to do it themselves.

Disc: Former TSE for Advanced Support.

6. roca ◴[] No.42081448[source]
I'm only here to correct the parent's false claims.
replies(1): >>42092437 #
7. jshen ◴[] No.42082138[source]
How is it not true?
replies(1): >>42090552 #
8. roca ◴[] No.42090552[source]
I don't know what details I would be allowed to share, so I'd better not share any. You can try looking it up on the Internet.

But Google does a lot of work to protect against insider threats, because everyone understands that in an organization of this size there will always be bad apples, spies, etc. Google's systems are designed to protect customer data from malicious employees using technical measures; it's much more than just "if we catch you, you're fired" as was asserted upthread.

9. ◴[] No.42092437{3}[source]