The confusing thing is that googling "google advanced protection program" takes you to the en_in locale, even if you are in the US. An American has no clue what a crore is, so it is just an SEO failure on Google's part, which is funny. I didn't know there was an en_us equivalent to the page when I googled the topic.
I don't want to work wherever you do your thing. Software as a service means you provide a service, and you should take your responsibility to protect your customers' data super seriously. Compliance frameworks are one useful tool among many to support this effort. It helps us identify gaps, identify risks, make improvements. It also gives us a way to communicate what we do to our partners. The behavior described in the Medium post is fraud, pure and simple.
I am a founder, and my ambition includes meeting the highest possible standards for my customers.
I've done a mix of SOC 2, ISO 27001 and PCI L1 for 3 different startups, 2 of them B2B. All certified 100% and fully compliant.
The problem with the current frameworks is that the "controls" are so asinine and auditors so hard-headed that getting certified becomes a matter of "checking the box".
In particular, most of those frameworks REQUIRE maintaining so much paper red tape that it makes a 10-person startup want to kill themselves. And in addition, the costs are stupidly high for startups that are just "starting up".
On the flip side, how many large companies have we seen that have all the SOCs, ISOs and whatnot certifications, and they get pwn3d and their data stolen or exposed?
It tells you that a place being certified doesn't guarantee shit.
The reality is that large companies ask for certs as a CYA mechanism: the "security" department of LargeCo asks for the compliance cert so that when shit hits the fan, they can say "not my fault, they told me they were compliant".
The good thing is that with the new bullshit generators (LLMs) this certification/compliance process will collapse.
Well, yes, but that's the point of many contracts; they are often designed to shift risk to parties that are better equipped to handle those risks. We run our app on GCP because as a 20-person company I don't want to be responsible for physical security and a million other risks.
With ISO 27001 or SOC 2, I have more information about the other party's ability to manage those risks than just taking their word for it. I'm trusting a third-party auditor to vouch for them.
Fraud undermines all kinds of relationships and yes, LLMs make it worse. The last job we opened, I got hundreds of perfect cover letters asserting the candidates met all of the criteria. Bah.
My perhaps naive hope is that a few of these companies involved will face criminal fraud charges and we will start to develop new reflexes as a society: just because LLMs make lying very, very easy, there are still consequences.
The standards are very sensible. If you can't be bothered to provide even simple evidence that your employees are using basic hard-drive encryption, use password managers, and your product has backups in place, I don't want to do business with you.
And Delve isn't an auditor. Though they were apparently in cahoots with equally criminal third-party auditors. So I guess I'm going to be looking more closely at just exactly who is auditing our vendors in the future...
I think the thing we are confusing here is "compliance" vs the "highest possible standards".
In theory these two terms mean the same thing.
In practice compliance can be detrimental to the cause and values that you and I both share seemingly.
> I am a founder, and my ambition includes meeting the highest possible standards for my customers.
Same here. This is why I don't care about "compliance": because I hold the privacy of my customers sacred. For example, that means no KYC on my customers. And compliance requires KYC.
Compliance with what requires KYC? Nothing in ISO 27001 requires you to collect any information about your customers, unless there are laws that require you to. Knowing your vendors is another story.
I can remember something like this a few years ago when a customer emailed our helpdesk with their own internal IT support desk in copy. Our helpdesk at the time sent a complete new email acknowledging the request, which the customer's desk ALSO acknowledged in a new thread...
I think it took us a good hour and a few hundred tickets to get the helpdesks to stop fighting with each other!
I remember working for an ISP in the mid-90s. We never really had problems with 1-to-1 mailing loops bouncing back and forth, but we ended up with a large circular mailing loop involving a mailing list: bad addresses on it got bounced to the previous server, which sent a reply to the mailing list, which got bounced and sent to everyone in the group, which caused someone else's mailbox (that was in a forward) to fill up, which for some reason sent a bounce to the mailing list, and that really started to set off the explosive growth.
Needless to say, the bounces seemed to be growing quadratically and overwhelmed our medium-sized ISP, a decent-sized college, and a large ISP's mailing system in less time than anyone could figure out how to get it to stop.
One thing that is real is companies using LLMs to fill roles they couldn't afford to spend on before. Like the tourist who uses Google Translate on a trip to Japan: in principle they are saving $10k on the cost of a professional interpreter. On the other hand, they never would have had the resources for a professional interpreter.
I've been looking at this a lot, for ourselves (multi-tenant SaaS app running on GCP) and for our customers, who are starting to be curious about something between fully self-managed (too costly) and centralized/multi-tenant/American cloud.
One thing that strikes me is the relationship with architecture. A monolithic, vertically scaled app can run ANYWHERE I can rent a VM, whether in Norway with UpCloud or on a VPS in Kenya. It's only when you start stitching together managed DBs with autoscaled instance pools etc. that vendor lock-in begins.
All of these nice toys make our service highly available. But while the overall risk is lower, it is far more correlated between customers. If our service went down because of a political event, it would go down for all our customers at once.
What about a control plane that manages a fleet of per-customer VMs across an array of cloud providers? Has anyone ever tried this?
This honestly sounds like a nightmare: multi-megabyte wasm downloads, data corruption in production and byzantine hacks to coordinate writes between tabs. I am very grateful that we chose IndexedDB instead for our application!
https://landing.google.com/intl/en_us/advancedprotection/