This morning, I was on a call. The client is a sharp individual and tends to be trusting. However, due to current data retention regulations, their superiors have pushed them to evaluate different solutions.
On the other side of the call was a friendly and polite person, recommending they embrace their services, all based on SaaS solutions from major players.
I expressed some reservations: the client has always been concerned about their data. But the responses were always reassuring about the professionalism, etc., of these major players. Besides, "if they're market leaders, there must be a reason". I remained silent. He noticed and asked me, "I know for you 'DIY' solution 'fans' this isn't the ideal solution, but there are many advantages, such as..." and he started again. The "DIY" part didn't sit right with me. He was polite, not aggressive, so all was fine. But, in the end... "And let's not even start talking about privacy – ultimately, let's be clear, they know everything anyway, and none of us, I hope, have anything to hide, right?"
Provoked, I put on my best smile and said, "Of course, I suppose so. Do you personally use these services?" Convinced he had won me over, he replied, "Of course, for all my data and communications. As I told you, I trust them and have nothing to hide!"
I asked him, "Excellent, that's good. After all, what does XXX care what you ate last night, or if you saw friends last week, or where you're going on vacation?" He nodded again, satisfied. I asked, "How much did you earn this month?" His smile froze. Obviously, he didn't answer. "What kind of medical conditions do you have? Have you had problems with the law?" Silence. "Don't tell me you've never had a disagreement with your boss – what do you really think of them? Oh, by the way, what about politics?" He was speechless and replied, "Well, but what does that have to do with our discussion?"
Me: "Excuse me, nothing. It was just to say that, perhaps, we all have a private sphere. Imagine when the data is of the client's type..."
He smiled and resumed his speech as if nothing had happened. The client understood and messaged me privately, telling me to let him finish as he had already grasped the situation. That was my goal.
The client manages highly personal data that, currently, is locked down on machines inaccessible except via LAN. Even within the LAN, VPN access is required. The only exposed data is pushed out by an internal process that prepares and exposes it, after careful review, "pushing" it to a public server.
Now it will be up to him to explain to his superiors why the current setup is more secure than a renowned, highly advertised, and 'smiling' public cloud, but I'm sure he'll be able to do it.
I'm not against these services, but please don't try to convince me they're necessarily managed better than well-thought-out solutions, or that our privacy will be preserved. That's just not the case.
A relaxing walk was the reward I gave myself.