Is It Safe? Growing with the Cloud

Oh no! Not again! Another massive data breach: 106 million individuals have had their data stolen. This time it is from Capital One, and all of the data was sitting on Amazon Web Services’ cloud computing platform. Is the cloud safe?

We were told that adoption of cloud computing in its early days was slowed by concerns about security. Now we hear that a huge bank that adopted the cloud with relish has had over a hundred million records lifted right off it. The story has been well covered in the press, but here is a quick synopsis:

On June 18, Paige Thompson, a 33-year-old former AWS employee who had left the company in 2016, tweeted that she had posted Capital One customer information on her GitHub account. The bank knew nothing of this until July 17, roughly four months after the data was taken, when another GitHub user contacted it through its responsible-disclosure program and pointed out Thompson’s bragging.

Capital One followed the link provided by the tipster and found the stolen data, and with it Thompson. The FBI moved in and arrested her. The Department of Justice has charged her with one count of computer fraud and abuse, punishable by up to five years in prison and a $250,000 fine.

Amazon launched the Amazon Web Services cloud in 2006 amid a hail of criticism, both business and technical. The business pundits were all asking what a low-margin, unprofitable retailer was doing in computing. The number one technical issue was security. Remember that back then the whole computing industry was built on on-premises hardware and software: if you used computing, you could reach out and touch your IT infrastructure.

In cloud computing you rent virtual machines that live somewhere in one of AWS’s data centers. This terrified the security experts of the time, not to mention management in general.

But AWS grew and, although we did not know it at the time, prospered (AWS financial results were not disclosed until 2015). Netflix began moving to AWS in 2008 and by 2016 ran its whole operation, now serving some 150 million subscribers, there. It is a true power user and has freely released a ton of tools that optimize, protect and ensure operational continuity under its “Simian Army” banner.

AWS knew that if it wanted to grow big it needed to get the biggest companies and governments using its cloud and to do that it needed to ensure that the cloud was secure. Accordingly, it set out to build a large suite of AWS security tools and a network of “partners” (consultants and system integrators) that could successfully implement them.

Capital One began its move to the cloud in 2013. It very carefully established a governance structure, including detailed risk assessment and management. By 2015 Rob Alexander, Capital One’s CIO, was on the keynote stage at re:Invent, AWS’s annual user and developer conference, and Capital One was an AWS customer case study.

Capital One was not alone. By 2017, surveys were showing that IT professionals considered security in the cloud to be better than in the old on-premises model.

So, how could the breach take place? AWS asserts that its cloud was not at fault, and Capital One is backing that up. It looks as if the hack was due mostly to the skills of a rogue former AWS employee combined with lax security oversight by Capital One. Cloud security experts suggest that Thompson exploited a well-known class of web application flaw, Server Side Request Forgery (SSRF), through a misconfigured firewall host to obtain credentials that in turn opened Capital One’s storage buckets; SSRF is a weakness in how an application is written or configured, not a flaw in the cloud itself.

Server Side Request Forgery is an attack in which a server is tricked into making a request to a destination it never intended to contact, typically an internal address that the attacker cannot reach directly. If you are into the tech, SSRF is explained more deeply in this article. Public clouds worsen the impact of SSRF: every virtual machine can reach a metadata service that hands out the temporary credentials of the role attached to it, so one forged request turns an application bug into working cloud credentials, and at the time of writing the major players, AWS included, had not changed that design. Maybe we should take AWS’s claim of no fault with a grain of salt.
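To make the mechanism concrete, here is an added example in Python (not code from Capital One, AWS or the original article): a URL-fetching endpoint that forwards any address it is given, the two requests an attacker sends through it to pull role credentials from an instance metadata service, and a hardened version that refuses the same requests. The network and DNS are constructed in-memory tables so it runs offline; the role name, the partner host, the attacker’s domain and the credential values are all invented.

```python
"""Server-Side Request Forgery: a URL-fetching endpoint that forwards whatever
the caller asks for, beside a hardened version that refuses internal targets.

Added example, not code from Capital One or AWS. The "network" and "DNS" below
are constructed in-memory tables so the script runs offline; the 169.254.169.254
entries imitate the EC2 instance metadata service, which returns temporary
credentials for the IAM role attached to the instance.
"""
import ipaddress
import json
from urllib.parse import urlparse

METADATA_IP = "169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

# Constructed stand-in for the network: (host, path) -> response body.
FAKE_NETWORK = {
    (METADATA_IP, CREDS_PATH): "waf-role",
    (METADATA_IP, CREDS_PATH + "waf-role"):
        '{"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "example", "Token": "example"}',
    ("partner.example.com", "/status"): "ok",
}

# Constructed stand-in for DNS (hypothetical names). Production code resolves
# with socket.getaddrinfo and must connect to the address it checked rather
# than resolving again, or a rebinding name defeats the check.
FAKE_DNS = {
    "partner.example.com": ["93.184.216.34"],
    "rebind.attacker.example": [METADATA_IP],  # attacker's name pointing inward
}


def http_get(host, path):
    """Fake HTTP client over the constructed network table."""
    try:
        return FAKE_NETWORK[(host, path)]
    except KeyError:
        raise ConnectionError(f"no route to {host}{path}") from None


def vulnerable_fetch(user_url):
    """Forwards the request to whatever host the user named: the SSRF."""
    parts = urlparse(user_url)
    return http_get(parts.hostname, parts.path)


def harvest_role_credentials(fetch):
    """The two requests an attacker sends through an SSRF: list the role name,
    then read that role's temporary credentials."""
    base = f"http://{METADATA_IP}{CREDS_PATH}"
    role = fetch(base).strip()
    return json.loads(fetch(base + role))


class SSRFBlocked(Exception):
    """Raised when the hardened fetcher refuses a destination."""


def resolve(host, dns=FAKE_DNS):
    """IP addresses for a host; an IP literal resolves to itself."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in dns.get(host, [])]


def hardened_fetch(user_url, allowed_hosts, dns=FAKE_DNS):
    """Only http(s), only allow-listed hosts, and only hosts that resolve to
    public addresses: link-local (the metadata service), loopback and RFC 1918
    ranges are all refused."""
    parts = urlparse(user_url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # drops userinfo, so http://good@evil/ is judged as evil
    if host is None or host not in allowed_hosts:
        raise SSRFBlocked(f"host not on allow-list: {host!r}")
    addrs = resolve(host, dns)
    if not addrs:
        raise SSRFBlocked(f"cannot resolve {host!r}")
    for addr in addrs:
        if not addr.is_global:  # False for 169.254/16, 127/8, 10/8, etc.
            raise SSRFBlocked(f"{host!r} resolves to non-public address {addr}")
    return http_get(host, parts.path)


def is_blocked(user_url, allowed_hosts):
    """True if the hardened fetcher refuses the URL."""
    try:
        hardened_fetch(user_url, allowed_hosts)
    except SSRFBlocked:
        return True
    return False


if __name__ == "__main__":
    allowed = {"partner.example.com"}
    print("vulnerable:", harvest_role_credentials(vulnerable_fetch)["AccessKeyId"])
    print("hardened, partner:", hardened_fetch("http://partner.example.com/status", allowed))
    for url in (f"http://{METADATA_IP}{CREDS_PATH}",
                f"http://partner.example.com@{METADATA_IP}{CREDS_PATH}",
                "file:///etc/passwd"):
        print("hardened,", url, "->", "blocked" if is_blocked(url, allowed) else "allowed")
    print("rebind name blocked:", is_blocked("http://rebind.attacker.example/", {"rebind.attacker.example"}))
```

The hardened version layers three checks because each alone has a bypass: the scheme check stops file:// and similar tricks, the allow-list stops arbitrary hosts, and resolving the name and refusing non-public addresses stops an allow-listed name that points at 169.254.169.254. Real code must also disable redirects and connect to the address it validated rather than resolving again. Network-level controls close the same path independently of the application: block egress from the application to the metadata address where it is not needed, or require the token-based metadata access that AWS later introduced as IMDSv2.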

Just as importantly: why did it take Capital One so long to discover that the customer information had been breached? Why did Capital One’s IT staff not catch the misconfiguration sooner? After all, the hacker grabbed about 30 gigabytes of credit applications covering over 100 million individuals. Didn’t anybody notice? What happened to Capital One’s vaunted cloud governance structure and operations?
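As for whether anyone could have noticed: the signal is in the audit log, and the following added example (not Capital One’s or AWS’s tooling) shows two rules a security team could run over it, in Python. The events are constructed, simplified records in the shape of CloudTrail entries; the field names are CloudTrail’s, while the account number, role, instance, addresses, bucket and object names are invented. It assumes the team knows which address its firewall host calls from and which handful of APIs that host’s role normally uses.

```python
"""Would anyone notice? Flagging instance-role credentials used off the host,
and APIs a role has never called, in an audit log.

Added example, not Capital One's or AWS's tooling. The events are constructed,
simplified records in the shape of CloudTrail entries (eventTime, eventName,
sourceIPAddress and userIdentity.arn are CloudTrail field names; every value,
account number, role and address here is invented).
"""
import json
from collections import Counter

# Hypothetical role session of a firewall host, and what we assume about it:
# the instance's own source address and the handful of APIs it normally calls.
WAF_ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/waf-role/i-0abc123"
KNOWN_SOURCE_IPS = {WAF_ROLE_ARN: {"203.0.113.7"}}
BASELINE_APIS = {"waf-role": {"PutMetricData", "ListMetrics"}}


def _event(time, name, source_ip, arn=WAF_ROLE_ARN, **extra):
    """Build one constructed log line."""
    record = {"eventTime": time, "eventName": name,
              "userIdentity": {"type": "AssumedRole", "arn": arn},
              "sourceIPAddress": source_ip}
    record.update(extra)
    return json.dumps(record)


# Constructed sample log: routine traffic from the host, then the same role's
# credentials used from an address the host never had, to enumerate and pull
# storage objects.
SAMPLE_LOG = "\n".join([
    _event("2019-03-22T10:00:01Z", "PutMetricData", "203.0.113.7"),
    _event("2019-03-22T10:01:13Z", "PutMetricData", "203.0.113.7"),
    _event("2019-03-22T10:05:00Z", "ListBuckets", "198.51.100.9"),
    _event("2019-03-22T10:05:02Z", "ListObjects", "198.51.100.9",
           requestParameters={"bucketName": "app-data-bucket"}),
    _event("2019-03-22T10:05:03Z", "GetObject", "198.51.100.9",
           requestParameters={"bucketName": "app-data-bucket", "key": "part-0001"}),
    _event("2019-03-22T10:05:03Z", "GetObject", "198.51.100.9",
           requestParameters={"bucketName": "app-data-bucket", "key": "part-0002"}),
])


def role_name(arn):
    """arn:aws:sts::<account>:assumed-role/<role>/<session> -> <role>"""
    return arn.split(":assumed-role/", 1)[1].split("/", 1)[0]


def detect(log_text):
    """Return one alert per event that trips a rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue  # the rules below are about role sessions only
        arn, ip, api = ident["arn"], ev["sourceIPAddress"], ev["eventName"]
        role = role_name(arn)
        base = {"eventTime": ev["eventTime"], "role": role,
                "eventName": api, "sourceIPAddress": ip}
        # Rule 1: a role session minted for an instance is being used from
        # somewhere other than that instance: the credentials left the box.
        if arn in KNOWN_SOURCE_IPS and ip not in KNOWN_SOURCE_IPS[arn]:
            alerts.append(dict(base, rule="role-credentials-used-off-host"))
        # Rule 2: the role is calling an API outside its baseline (a firewall
        # host has no business listing or reading storage buckets).
        if role in BASELINE_APIS and api not in BASELINE_APIS[role]:
            alerts.append(dict(base, rule="api-outside-baseline"))
    return alerts


def summarize(alerts):
    """Counts per rule, the number a dashboard or pager threshold acts on."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a["eventTime"], a["rule"], a["role"], a["eventName"], a["sourceIPAddress"])
    print(summarize(found))
```

The first rule is the strongest: a role session minted for a specific instance should only ever be used from that instance, so its use from anywhere else means the credentials were stolen, and a managed service such as GuardDuty raises a finding on that same signal. The second rule catches the abuse even where the source address is not known, because a firewall’s role has no reason to list or read storage buckets; in production the baseline comes from the role’s own history rather than a hand-written set, and a volume threshold on GetObject would trip long before 30 gigabytes left the account.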

The way we seem to be running IT is reminiscent of the Chernobyl disaster: there were failures in the design and failures by the people. So is the cloud safe? Welcome to the world of humans and their machines. The answer is yes, as long as we address its known issues and run it properly. At least this breach won’t make us glow in the dark, but it is time to freeze your credit – oh well, sigh!

By John Pientka

John Pientka

John is currently the principal of Pientka and Associates which specializes in IT and Cloud Computing.

Over the years John has been vice president at CGI Federal, where he led its cloud computing division. He founded and served as CEO of GigEpath, which provided communication solutions to major corporations. He has also served as president of British Telecom’s outsourcing arm, Syncordia, and as vice president and general manager of a division at Motorola.

John earned his M.B.A. from Harvard University and a bachelor’s degree from the State University in Buffalo, New York.
