If you don't think side channel attacks are a threat vector on your single tenancy system... (you can leverage these vectors to gain access to privileged data/etc. through unprivileged processes). They're differently threatening to you on your own metal, but as long as your systems take user input somewhere, they're a threat vector.
As to KPIs: there are significant cultural differences between providers. That was extremely evident while evaluating them. The differences in approach, thought, consideration and priorities between even the big 3 were substantial.
I'm curious as to why AWS doesn't run a bug bounty, although I could probably guess (lots of their sec teams have background in the intelligence community, etc.).
I'd also like to reiterate that this is not 'cloud', but specific cloud providers. There were quite a few I looked at that were...unaware that security might be a thing (full push-to-prod creds on every developer's laptop, working from cafes around the world, etc.).
> side channel attacks.. gain access to privileged data/etc. through unprivileged processes
True, but tbh that's not the first thing I'd reach for. If someone has already pwned your single function or a control plane, then it's usually game over anyway, and escalation sploits are usually a lot easier than a side channel.
Whether AWS has IC or FedRAMP background seems kind of irrelevant to a simple bug bounty program, especially for a trillion dollar company, when I was able to find an escalation vuln in about three minutes in an unfamiliar codebase in a language that wasn't my primary. They should have at least acknowledged and said thanks for the heads-up.
Big provider control planes are not going to be ruined by a privilege escalation. There are many, many layers to their defense systems.
The Intel Community and its members tend to not do anything to call attention to themselves, their actions, their capabilities, etc.
Overall security can be enhanced by keeping things quiet, or at least, that is a common perspective from that part of the world.