kylemaxwell
17 hours ago
Every time somebody questions why you might "trust" AWS (or Azure or GCP or whatever), or why you'd pay this premium, I realize they are not accustomed to working in enterprise environments.
In my case, I work at a large enterprise with strict data governance built into customer contracts, and (partly related, partly not) our own governance concerns. Using vendors where you not only have infosec permission, but they are also listed as data processors in our contracts with our customers is the way not to get fired and sued.
If I'm playing around at home, with my own code and data, I can do whatever I want. But with my employer and customer? Absolutely not. It's the same reason we don't use whatever the flavor-of-the-month frontier model is.
Side hustles and startups just have an entirely different set of constraints and considerations.
gobdovan
11 hours ago
Have you considered checking the actual AWS contract and the limited liability they explicitly stipulate in contracts and even linked docs from marketing materials?
If you read the fine print, you'll notice something funny. You are largely responsible for data loss, SLA claims require you to present concrete evidence, and the remediation you accepted is usually credits for future spend on specifically the same product you lost your data on.
And AWS fine print is actually quite reasonable compared with, say, GCP, where the SLA seems mostly useful so the enterprise acquisition team can say "they have SLA, I can't get fired for choosing them since I did my due diligence!", while GCP can say "you already accepted the proposed remedy when signing the contract, sue us and we'll just point you to it. Thanks for your trust.". [0]
[0] https://docs.cloud.google.com/storage/docs/storage-classes
^ Standard multi-region or dual-region storage has a 99.95% availability SLA, regional Standard has 99.9%, and regional Nearline, Coldline, or Archive can be as low as 99.0%. The credits are 10%, 25%, or 50% of the monthly bill for the affected service tier, with 50% as the aggregate monthly cap, applied to future use. Google also says the customer must request the credit within 30 days or forfeit it.
fabian2k
8 hours ago
They didn't mention anything about SLAs. This is about all the time, effort, paperwork and risk it takes to add yet another vendor. Having fewer vendors does actually reduce risk, as long as your chosen vendors are reasonably good. Though the bigger reason is certainly avoiding the additional bureaucracy, which is partly self-inflicted in larger companies but also not without merit.
gobdovan
7 hours ago
Yeah, I understood the original point. And I'm tired of it.
I'm just tired of the 'everyone follows their immediate incentives while the system stays incoherent' as the de facto reality. I think shedding some light over the actual mechanics would maybe make someone consider 'perhaps we shouldn't allow our acquisition team to just turn off their brain and choose the default to cover their bottoms; maybe vendors are worth more decision investment via actual thinking instead of performatively ending up on the default choice after a little ritualistic game of "eeny, meeny, miny, AWS"'.
I think it's worth pointing out that Jeff Bezos would fight this tooth and nail from happening in his companies. He popularised 'process as proxy'. Yet AWS as sold to external enterprises is the exact proxy Bezos warned against internally. Do what Bezos does, and even what Bezos preaches, just don't do by default what Bezos sells.
johndhi
6 hours ago
Which vendor would you rather use in this context, with your sensitive customer data?
- vendor A's list of sub-processors is a mile long and includes providers of questionable repute;
- vendor B's list is short and includes AWS and GCP
hectormalot
5 hours ago
We have a vendor with almost no subprocessors because they run their own hardware in a colo.
It is refreshing actually. They can accurately answer questions on how everything works and there are no subsubsubprocessors to worry about.
gobdovan
4 hours ago
I think he's arguing about OpenAI vendoring specifically, where OpenAI has a lot of subprocessors, but AWS doesn't and there's not really a 3rd camp to choose from, yet. But even there you can't just choose AWS as I tried to illustrate in uncle comment.
eventualcomp
5 hours ago
Praise be the accountability sink. https://news.ycombinator.com/item?id=41891694
alchemism
5 hours ago
The politics of multimillion dollar contracts for public clouds go far, far, far beyond the preferences of an acquisition team, or what the engineers may think.
gobdovan
5 hours ago
This is too vague to respond to meaningfully.
ok123456
an hour ago
They're motivated not by the actual loss, but the checkmark of having attestation for a compliance framework.
So the fact that Microsoft let remote hands-on-keyboards in the PRC fix problems on GCC-High Azure nodes used by DoD contractors doesn't matter, since they're too big to censure in any meaningful way without impacting tens of thousands of businesses that rely on them to get a letter that satisfies a compliance assessor.
Actually knowing what you're doing, or being able to critically assess the risks of using a specific provider, doesn't matter.
citrin_ru
10 hours ago
Nobody ever got fired for buying I̵B̵M̵ AWS. Most corporations already use AWS, are used to its legal terms and have accepted the risk. Any new provider will be scrutinised by legal more than an existing one.
regularfry
5 hours ago
Models on Bedrock can have different and additional terms and conditions, there's even variety within the same provider for some of them. The Anthropic ones certainly have their own EULA. It's a bit frustrating because ideally it should be a known legal status, but in fact it still needs legal review if you're doing anything interesting.
saidnooneever
10 hours ago
This... it doesn't really matter what's on the contract, they all sell the same things. In enterprise, things just should not get you sacked :p then it works perfectly.
calgoo
3 hours ago
Our corporate lawyers have all reviewed these things. And like others mentioned, the SLAs are not the concern, it's related to data security and someone to blame if things go boom.
kylemaxwell
2 hours ago
I mean, I'm not really senior management, just an EM trying to get through life under the rules somebody else made.
Also, this isn't about SLA at all.
btown
14 hours ago
On top of this, there's a vast difference between "what do you mean that team spent $1000 on AI in their expense report, what did we get for that?" vs. "oh, the company-wide AWS bill went up by a few percent, let's look into that when we have time." The latter makes projects far more viable.
cubefox
6 hours ago
But note that this difference is the result of bad accounting.
dragonwriter
25 minutes ago
Well, as framed it's bad accounting.
OTOH, the other form is that instead of generic AI spend going up it is total spending for a particular AWS account within the umbrella of the firm's AWS organization, so that the spending is attributed to a specific project whose use case, other costs, and (presumably) benefit and/or revenue can be considered.
Of course, if your AWS stuff is just one undifferentiated bucket, that’s a problem, but AFAICT AWS (like GCP) is much better set up for tracking use and costs by project than OpenAI (or Anthropic), because it's an enterprise cloud provider where fitting into how large organizations track things at multiple levels is as much a core competency as any technical feature, whereas OpenAI and Anthropic are AI technology providers that are much less mature as enterprise vendors.
glzone1
12 hours ago
The security posture at AWS is different. AI startups are going to get hacked and leak data etc. All the startup webapp builder tools, vscode plugin players etc.
AWS could still be hacked, but they've taken some care to make it a bit less likely, a bit easier to track which customers are affected etc. If you dig into AWS logging for example, there is a TON if you turn it on, you can really go back and see who did what to the permissions / environment etc. I imagine they've got pretty good logging of their staff's access to things as well. I had to jump through some hoops once to have their staff on my account.
raincole
14 hours ago
Or to put it simply, nobody ever got fired for buying IBM.
jimbokun
13 hours ago
-> Microsoft -> AWS.
petesergeant
11 hours ago
I would absolutely fire someone for using Azure without extenuating circumstances.
hdgvhicv
10 hours ago
Are you the CTO of a $1b+ revenue company?
petesergeant
8 hours ago
Are they the only people allowed to fire someone?
IMTDb
8 hours ago
What GP meant is that the CTO of a $1b company would absolutely not fire someone for going Azure because at that scale it's very likely they have a set of customers that exclusively want to work on Azure, so that choice makes sense.
It's easy to do blanket statements like "never choose azure", "avoid GCP at all cost" or "never again on AWS". Until real world comes your way and you are forced to deal with it.
That being said: I'd fire anyone choosing to deploy a workload on GCP.
mitchitized
5 hours ago
Another reality is that at that scale you need to diversify your vendor portfolio so you never get stuck in a single-vendor scenario (for contracts, liability or scale). Many companies half this size have infrastructure across all three - AWS, Azure and GCP. The primary reason is redundancy, but that also gives them potential leverage for contract negotiation.
sntran
16 hours ago
I have just moved from a free environment in which I was able to use any AI harnesses or models to a strict enterprise environment.
I was shocked to realize how difficult it has been to have a GitHub Copilot license on Azure. I mean, they're both Microsoft products. But no, the IT now has to figure out how to set up a GitHub enterprise, link to Azure subscription, and all that.
philipwhiuk
4 hours ago
and set reasonable global and user token limits to avoid burning a year's IT spend cause Dave in Legal went ham on tokenmaxxing by uploading his entire legal case history.
in a company of 12 you can do that by saying 'we're all generalists, just don't be an idiot'. In a company of 10,000, you hired Dave cause he's good at legal merger mumbo jumbo not because he's an IT generalist.
notepad0x90
an hour ago
Yeah, cloud agents come with nice things like being able to filter content, implement guardrails like preventing PII or prompt injection from taking place. Even if they sucked, at least liability-wise you're set. I don't know how someone could even come close to this capability by doing it on their own. If anyone does, please share what tools, platforms and projects you're using.
foolfoolz
14 hours ago
While true, everyone signed this same data privacy agreement with Anthropic / OpenAI a long time ago.
kube-system
10 hours ago
The agreements that Anthropic/OpenAI have are pretty general and there’s a lot of use cases they don’t meet.
The list of compliance standards that AWS meets is so big they have a separate product just to deliver the compliance documents. They basically do everything imaginable.
bunderbunder
14 hours ago
It’s not just that. Oftentimes contracts stipulate that the client’s data can’t be transferred across certain boundaries. If you have signed such an agreement, even sending the data to a service on the same cloud provider but in a different region could be a huge compliance violation.
comandillos
10 hours ago
In my company it is simpler: we deal with data under EU Export Control so we cannot use any US provider due to the CLOUD Act.