Oh no! Not again! Another massive data breach: 106 million individuals have had their data stolen. This time it is from Capital One. All the data was located on the Amazon Web Services cloud computing platform. Is the cloud safe?
We were told that adoption of cloud computing in its early days was slowed due to concerns about security. Now, we hear that a huge bank that has adopted the cloud with relish has had over a hundred million records lifted right off the cloud. The story has been well covered in the press but here is a quick synopsis:
On June 18, Paige Thompson, a 33-year-old former AWS employee who left in 2016, tweeted that she had posted Capital One customer information on her GitHub account. The bank had no knowledge of this for four months until another GitHub user contacted them through their tipster hotline and informed them of Thompson’s bragging.
Capital One followed the link provided by the tipster and found Thompson along with the huge breach. The FBI moved in and arrested Thompson. The Department of Justice has charged her with one count of computer fraud and abuse. The fraud is punishable by up to five years in prison and a $250,000 fine.
Amazon launched the Amazon Web Services cloud in 2006 amid a hail of criticism, both business and technical. The business pundits were all asking: what is a low-margin, non-profitable retailer doing in computing? The number one technical issue was security. Remember, back then the whole computing industry was based upon on-premise hardware and software. If you used computing you could reach out and touch your IT infrastructure.
In cloud computing you buy virtual machines residing somewhere in one of AWS’s data centers. This just terrified security experts of the time, not to mention management in general.
But AWS grew and, while we did not know it at the time, prospered (AWS financial results were not disclosed until 2015). By 2011 Netflix migrated its whole operation, now serving 150 million subscribers, onto AWS. It is a true power user and has freely released a ton of tools that optimize, protect and ensure operational continuity under its “Simian Army”.
AWS knew that if it wanted to grow big it needed to get the biggest companies and governments using its cloud and to do that it needed to ensure that the cloud was secure. Accordingly, it set out to build a large suite of AWS security tools and a network of “partners” (consultants and system integrators) that could successfully implement them.
Capital One began its move to the cloud in 2013. It very carefully established a governance structure, including detailed risk assessment and management. By 2015, Rob Alexander – Capital One’s CIO – was the keynote speaker at AWS’s annual big user/developer conference: “re:Invent” and Capital One was an AWS customer case study.
Capital One was not alone. By 2017, surveys were showing that IT professionals recognized that security in the cloud was actually better than that in the old on-premise model.
So, how could the breach take place? AWS asserts that its cloud was not at fault and Capital One is backing them up. It looks like the hack was due mostly to the skills of AWS’s rogue former employee combined with lax security oversight by Capital One. Cloud security experts suggest that Thompson used a known cloud vulnerability called a Server Side Request Forgery (SSRF).
Server Side Request Forgery is an attack in which a server is tricked into connecting to another server that it was never intended to reach. If you are into the tech, SSRF is more deeply explained in this article. The offerings of public clouds worsen the impact of SSRF, and the major players like AWS are not doing anything to fix it. Maybe we should take AWS’s claim of no fault with a grain of salt.
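A defender's view of the SSRF definition above, as an added example that is not part of the original article: a destination check a server can run before it fetches a URL supplied by a user. The function names and the sample DNS table are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {
    "images.partner.test": ["8.8.8.8"],                  # public address
    "reports.partner.test": ["10.0.0.5"],                # private network
    "cdn.partner.test": ["8.8.8.8", "169.254.169.254"],  # mixed: public + link-local
}

def sample_resolver(host):
    """Hypothetical stand-in for DNS; unknown names fail like a real lookup."""
    if host not in SAMPLE_DNS:
        raise OSError("name not found")
    return SAMPLE_DNS[host]

def system_resolver(host):
    """Resolve with the OS resolver; returns a list of IP address strings."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def is_internal(ip_text):
    """True for loopback, private, link-local and other non-public addresses."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])   # drop any IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)           # e.g. ::ffff:127.0.0.1
    return not (ip if mapped is None else mapped).is_global

def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, "scheme or host not allowed"
    try:
        ipaddress.ip_address(host)          # IP literal: no lookup needed
        addresses = [host]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, "host does not resolve"
    # Reject if ANY answer is internal, so a mixed DNS reply cannot slip through.
    bad = [a for a in addresses if is_internal(a)]
    if bad or not addresses:
        return False, "internal address: " + ", ".join(bad)
    return True, "ok"
```

The check only holds if the fetch then connects to the address that was validated and repeats the check on every redirect; otherwise a changed DNS answer or a redirect bypasses it.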
Just as importantly: why did it take Capital One so long to discover that the customer information had been breached? Why did Capital One’s IT supervisors not catch the error sooner? After all, the hacker grabbed 30 gigabytes of credit applications of over 100 million individuals. Didn’t anybody notice? What happened to Capital One’s vaunted cloud governance structure and operations?
The way we seem to be running IT is reminiscent of the Chernobyl disaster. There were failures in the design and from the people. So is the cloud safe? Welcome to the world of humans and their machines. The answer is: yes, as long as we address its known issues and run it properly. At least this breach won’t make us glow in the dark but it is time to freeze your credit – oh well, sigh!
By John Pientka
John is currently the principal of Pientka and Associates which specializes in IT and Cloud Computing.
Over the years John has been vice president at CGI Federal, where he led their cloud computing division. He founded and served as CEO of GigEpath, which provided communication solutions to major corporations. He has also served as president of British Telecom’s outsourcing arm Syncordia, and as vice president and general manager of a division at Motorola.