I read a lot of cyber security stories and nothing surprises me any more. I constantly see stories about breaches and phishing. Now I turn my jaundiced eye on cloud security. This was prompted following a recent conversation I was having with a friend who is an IT Infrastructure expert.
We were chatting over a coffee about the various mistakes people make when securing their own private infrastructure. Things like not updating software, having a poorly configured firewall and not testing their backups to name but three. Then my friend came out with a doozy.
We store all our stuff up in the cloud and leave Amazon worry about the security side of things.
So I asked what “cloud security” had they signed up for, which he couldn’t answer directly, but presumed it was all part and parcel of the package they were paying for. I asked who configured their security and he stared at me like I was a madman.
I already said … Amazon will look after the cloud security. They have world class security solutions.
I agreed that Amazon do indeed have the best security available (as do other cloud providers like Microsoft). However, assuming that Amazon would “look after the security” was a risky presumption to make.
It all depends on what you sign up for. Amazon/Microsoft will provide you with cloud storage and other services. They will also provide you with the tools necessary to secure your cloud storage. Unless you engage them for a full-service package, where you outsource completely to them (and which is pretty pricey), you are likely to be responsible for your own cloud security.
In the last week I have read the following stories:
- Viacom (who own Paramount Pictures) had a publicly accessible Amazon S3 bucket containing a lot of very juicy technical details of their infrastructure set-up. It contained a server manifest along with passwords.
- Verizon Wireless, the mobile arm of the US telecoms giant, had a publicly accessible Amazon S3 bucket containing some apparently confidential documents which had user IDs and passwords in them, among other items.
- SVR Tracking, a US-based vehicle tracking service provider, had a … you guessed it … publicly accessible Amazon S3 bucket containing over half-a-million records of vehicles, user IDs, passwords, as well as where the tracking device is hidden in the vehicle.
So just these three examples from the last week show that people are putting stuff “into-the-cloud” in these insecure Amazon S3 buckets, presuming that Amazon will look after the security for them.
Please don’t make the same mistake yourself.
If you have any sort of cloud storage in use at your business, please take a few minutes now to review its security set-up and ensure it is not publicly accessible.
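One way to carry out that review, as an added example that is not part of the original post: a Python check that takes a bucket's ACL, bucket policy and Block Public Access settings and lists why the bucket is publicly reachable. It assumes the inputs have the shapes returned by boto3's `get_bucket_acl`, `get_bucket_policy` (the `Policy` string) and `get_public_access_block` (the `PublicAccessBlockConfiguration` dict); the sample data and the name `example-bucket` are constructed.

```python
import json

PUBLIC_GROUPS = {  # predefined S3 groups that mean "anyone"
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _is_wildcard(principal):
    """True for "Principal": "*" and for {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def public_findings(acl, policy_json, block):
    """List the reasons a bucket is readable or writable by anyone."""
    block = block or {}  # no Block Public Access settings at all
    findings = []
    if not block.get("IgnorePublicAcls"):
        for grant in acl.get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS:
                group = uri.rsplit("/", 1)[-1]
                findings.append(f"ACL grants {grant['Permission']} to {group}")
    if policy_json and not block.get("RestrictPublicBuckets"):
        statements = json.loads(policy_json).get("Statement", [])
        if isinstance(statements, dict):
            statements = [statements]
        for st in statements:
            # Simplification: a statement with a Condition needs manual review.
            if (st.get("Effect") == "Allow" and not st.get("Condition")
                    and _is_wildcard(st.get("Principal"))):
                findings.append(f"policy allows {st.get('Action')} to everyone")
    return findings

# Constructed sample inputs (not taken from any real bucket).
OPEN_ACL = {"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
LOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, block in (("no block settings", None), ("all four enabled", LOCKED)):
        print(label, "->", public_findings(OPEN_ACL, OPEN_POLICY, block) or "not public")
```

An empty result only means none of these three settings exposes the bucket; policy statements that carry a `Condition` are skipped and still need a manual look.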
Let’s be careful out there.