9dev 2 hours ago
> Compliance and security testing does not go away just because you use cloud. The steps and questions will be different, but regulations like NIS and GDPR have extensive requirements regardless if you implement it yourself or buy it from an external supplier.

That’s a bit disingenuous. If I don’t operate a physical server rack, I also do not need to take care of physical access control, fire suppression policies, camera monitoring, key handling, and a wide range of other measures I would be otherwise obliged to take care of under GDPR.

You can absolutely outsource classes of problems. What’s true is that that doesn’t lift the responsibility from you to check your cloud provider fulfils these obligations, but that’s very different from having to fulfil them yourself.
belorn an hour ago
Go through a security review. It's not as simple as just saying "we outsource that so we have no idea what they do or how they manage the data". It is disingenuous to claim that people can just outsource the whole problem and not care. This would be part of the responsibility of the cloud managers, who need to be hired, paid and trained, on top of the cost of paying the cloud providers. There is no free lunch.