Is It Safe? Growing with the Cloud

Oh no! Not again! Another massive data breach: 106 million individuals have had their data stolen. This time it is from Capital One. All the data was located on the Amazon Web Services cloud computing platform. Is the cloud safe?

We were told that adoption of cloud computing in its early days was slowed by concerns about security. Now we hear that a huge bank that has adopted the cloud with relish has had over a hundred million records lifted right off the cloud. The story has been well covered in the press, but here is a quick synopsis:

On June 18, Paige Thompson, a 33-year-old former AWS employee who left in 2016, tweeted that she had posted Capital One customer information on her GitHub account. The bank had no knowledge of this for four months, until another GitHub user contacted them through their tipster hotline and informed them of Thompson’s bragging.

Capital One followed the link provided by the tipster and found Thompson along with the huge breach. The FBI moved in and arrested Thompson. The Department of Justice has charged her with one count of computer fraud and abuse. The fraud is punishable by up to five years in prison and a $250,000 fine.

Amazon launched the Amazon Web Services cloud in 2006 amid a hail of criticism, both business and technical. The business pundits were all asking: what is a low-margin, non-profitable retailer doing in computing? The number one technical issue was security. Remember, back then the whole computing industry was based on on-premise hardware and software. If you used computing, you could reach out and touch your IT infrastructure.

In cloud computing you buy virtual machines residing somewhere in one of AWS’s data centers. This just terrified security experts of the time, not to mention management in general.

But AWS grew and, while we did not know it at the time, prospered (AWS financial results were not disclosed until 2015). By 2011 Netflix had migrated its whole operation, now serving 150 million subscribers, onto AWS. It is a true power user and has freely released a ton of tools that optimize, protect and ensure operational continuity under its “Simian Army”.

AWS knew that if it wanted to grow big it needed to get the biggest companies and governments using its cloud and to do that it needed to ensure that the cloud was secure. Accordingly, it set out to build a large suite of AWS security tools and a network of “partners” (consultants and system integrators) that could successfully implement them.

Capital One began its move to the cloud in 2013. It very carefully established a governance structure, including detailed risk assessment and management. By 2015, Rob Alexander – Capital One’s CIO – was the keynote speaker at AWS’s annual big user/developer conference: “re:Invent” and Capital One was an AWS customer case study.

Capital One was not alone. By 2017, surveys were showing that IT professionals recognized that security in the cloud was actually better than that in the old on-premise model.

So, how could the breach take place? AWS asserts that its cloud was not at fault and Capital One is backing them up. It looks like the hack was due mostly to the skills of AWS’s rogue former employee combined with lax security oversight by Capital One. Cloud security experts suggest that Thompson used a known cloud vulnerability called a Server Side Request Forgery (SSRF).

Server Side Request Forgery is an attack in which a server is tricked into connecting to another server it was never intended to reach. If you are into the tech, SSRF is more deeply explained in this article. The offerings of public clouds worsen the impact of SSRF, and the major players like AWS are not doing anything to fix it. Maybe we should take AWS’s claim of no fault with a grain of salt.

Just as importantly: why did it take Capital One so long to discover that the customer information had been breached? Why did Capital One’s IT supervisors not catch the error sooner? After all, the hacker grabbed 30 gigabytes of credit applications from over 100 million individuals. Didn’t anybody notice? What happened to Capital One’s vaunted cloud governance structure and operations?

The way we seem to be running IT is reminiscent of the Chernobyl disaster. There were failures in the design and by the people. So is the cloud safe? Welcome to the world of humans and their machines. The answer is: yes, as long as we address its known issues and run it properly. At least this breach won’t make us glow in the dark, but it is time to freeze your credit – oh well, sigh!

By John Pientka

