Every Cloud Needs a Silver Lining

Gilad Parann-Nissany

Subscribe to Gilad Parann-Nissany: eMailAlertsEmail Alerts
Get Gilad Parann-Nissany: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Related Topics: Cloud Computing, Security Journal

Blog Post

AWS and Security Issues By @GiladPN | @CloudExpo [#Cloud]

One mistake AWS users make is losing control of the data by ‘allowing Amazon or a third party to control their encryption keys’

Using AWS and Solving All Security Issues

The Amazon Web Services public infrastructure cloud is seeing massive adoption, and for good reason. Using AWS arms companies with advanced infrastructure that, in most cases, they could not possibly achieve in their own datacenters. In fact, According to Gartner, AWS has 5 times more deployed cloud infrastructure as their next 14 competitors have...combined.[1] Customers like Bristol-Myers Squibb, Unilever, and Lionsgate are taking advantage of the broad and deep services of the AWS Cloud to grow their businesses and accelerate innovation.[2]

However, using any public cloud infrastructure still requires proper implementation, especially as regards security concerns; this is true for AWS as much as anyone. An IDG Enterprises survey of 1,500 companies found that two-thirds of IT decision makers see security as the primary barrier to cloud adoption.[3] We asked real companies about the top cloud security mistakes made on AWS and found that many users rely too much on AWS and do not do their own due diligence as it pertains to their own cloud security. These experts revealed what they think are the top cloud security mistakes on the attached infographic.

One of the main mistakes AWS users make is losing control of their data by "allowing Amazon or a third party to control their encryption keys."

Dennis King, of Working Security, agrees that not taking ownership of security is a major mistake. He adds that "Amazon provides security capabilities, but without clear security ownership by the customer, even existing in-house security practices can be overlooked and create significant risk."

If fact, in their own Security Center, Amazon informs customers of the "Shared Responsibility Model." According to AWS, they have secured the underlying infrastructure and done so quite well with security features like:

  • Built-in firewalls
  • Multi-factor authentication
  • Private Subnets
  • Security logs
  • And much more

However, it is the responsibility of each customer to secure anything they put on that infrastructure. They clarify, "This includes your AWS EC2 instances and anything you install on them, any accounts that access your instances, the security group that allows outside access to your instances, the VPC subnet that the instances reside within if you've chosen this option, the external access to your S3 buckets, etc."[4]

Dr. Engin Kirda of Northeastern University and Lastline shares that "the top security mistake made on AWS may still be failing to securely delete sensitive information like passwords... before sharing virtual images..." Dwayne Melancon of Tripwire adds that it is a huge mistake to let hackers benefit from automation by "leaving AWS login credentials in publically readable scripts."

Jeff Huckaby of rackAID shares that the main security issues are those of improper AWS setup. Ari Zoldan of Quantum Networks agrees and adds the need to update AWS setup regularly, "what customers should do is check ‘resource utilization' frequently and then change their setup accordingly."

Danny Gueta of SysAid Technologies and Tal Klein of Adallom both cite major security issues in administrative privileges. Mr. Gueta encourages customers to protect their root user and Mr. Klein urges customers not to make every admin a "Super Admin."

To summarize the advice of all of the experts is to say that while using AWS may be a great move both technically and from a business perspective, it does not mean that you are no longer liable or responsible for security. While securing the infrastructure is a critical task that falls on Amazon, securing your data, apps, and sensitive information is still up to you.

Resources:

  1. Gartner: Amazon still public cloud leader by a long shot
  2. http://aws.amazon.com/resources/gartner-mq-2014-learn-more/
  3. http://www.idgenterprise.com/report/idg-enterprises-cloud-computing
  4. http://aws.amazon.com/security/
  5. Porticor Infographic: Cloud Security Mistakes Made on AWS

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.