Who is responsible for protecting the information that users store "up in the clouds"? ;) Some participants in a recent discussion of alleged security vulnerabilities in the AMIs (Amazon Machine Images) offered through Amazon Web Services have suggested that the customer is always wrong.
What started the conversation was an article at Forbes that casts the situation at Amazon in dire terms based on the findings of a team of researchers who used automated scanning tools to search 5,000 AMIs for vulnerabilities and malware:
The results, which the team plans to present in a paper at the Symposium on Applied Computing next March, aren't pretty: 22% of the machines were still set up to allow a login by whoever set up the virtual machine's software, either Amazon or one of the many other third-party companies like Turnkey and Jumpbox that sell preset machine images running on Amazon's cloud. Almost all of the machines ran outdated software with critical security vulnerabilities, and 98% contained data that the company or individual who set up the machine for users had intended to delete but could still be extracted from the machine.
Does this mean that Amazon has some serious explaining to do? Maybe. Maybe not. Forbes' report is strongly oriented toward alleged problems in Amazon's platform and what Amazon is (or isn't) doing to fix them. Patricio Robles at Econsultancy, however, raises a counterpoint:
There is one key takeaway, however: the cloud is increasingly putting power in the hands of individuals who may not be equipped to use it. For many companies, the system administrator is a thing of the past.
After all, if you no longer have a farm of colocated servers and your developer is capable of firing up new servers on demand through cloud platforms like Amazon's, why pay to keep a sysadmin on staff or contract?
The reality, of course, is that not all developers and individuals tasked with building systems in the cloud have the expertise they really need.
Barb Darrow at GIGOM agrees, though she doesn't put it in quite the same words. Sure, services like Amazon's AWS may be creating situations in which people who are not systems administrators are effectively administering systems, but Amazon publishes instructions for anyone who wants to use its product safely, and so some security experts are pointing the finger at users who ignore them.
Security experts said this is more of a people problem than a technology issue in that some people deploying AMIs leave passwords, SSH keys and other data that should be locked away, unattended. That flies in the face of Amazon’s recommended practices and makes AMIs vulnerable to hackers.
The message from security experts was clear: Stupid users get what they deserve.
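To make the "leftover passwords and SSH keys" problem in the quote above concrete, here is an added example (my own code, not from the article, the researchers or Amazon) of a check an image publisher can run against the mounted root filesystem of an image before sharing it. The file locations it inspects are standard Linux ones and the sample tree it builds is constructed; nothing here is taken from the researchers' scanner.

```python
"""Pre-publication hygiene audit of a Linux image root (added example, not code from
the article, Amazon or the researchers). Given the mount point of an image volume, it
reports authorized_keys that still grant the builder a login, private keys, shell
history, and accounts whose /etc/shadow entry still allows a password login."""
import re
import tempfile
from pathlib import Path

PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")

def audit_image_root(root):
    """Return sorted (relative_path, reason) findings for the image rooted at root."""
    root, findings = Path(root), []
    home = root / "home"
    homes = [root / "root"] + (sorted(home.iterdir()) if home.is_dir() else [])
    for h in homes:
        # SSH material: a non-empty authorized_keys keeps the builder's access alive.
        for p in sorted((h / ".ssh").glob("*")) if (h / ".ssh").is_dir() else []:
            if not p.is_file():
                continue
            if p.name == "authorized_keys" and p.read_bytes().strip():
                findings.append((str(p.relative_to(root)), "authorized_keys still grants a login"))
            elif PRIVATE_KEY_RE.search(p.read_bytes()):
                findings.append((str(p.relative_to(root)), "private key left in image"))
        hist = h / ".bash_history"
        if hist.is_file() and hist.stat().st_size:
            findings.append((str(hist.relative_to(root)), "shell history may hold passwords"))
    shadow = root / "etc" / "shadow"
    if shadow.is_file():
        for line in shadow.read_bytes().splitlines():
            fields = line.split(b":")
            # A hash field starting with '!' or '*' is locked; anything else, even empty, permits login.
            if len(fields) > 1 and not fields[1].startswith((b"!", b"*")):
                findings.append(("etc/shadow", "account %s has a usable password" % fields[0].decode()))
    return sorted(findings)

def build_sample_root():
    """Constructed sample image tree (not a real AMI): three leftovers plus one clean user."""
    root = Path(tempfile.mkdtemp())
    files = {
        "root/.ssh/authorized_keys": b"ssh-rsa AAAAB3NzaC1yc2E builder@example\n",
        "home/app/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
        "home/app/.bash_history": b"mysql -u root -pS3cret\n",
        "home/clean/.ssh/authorized_keys": b"",
        "etc/shadow": b"root:$6$saltsalt$hashhash:18000:0:99999:7:::\napp:!:18000:0:99999:7:::\n",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root
```

Run `audit_image_root("/mnt/image")` against a mounted image volume; an empty list is the bar to clear before publishing.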
What do you think? Is there something more that Amazon could/should be doing to moderate the use of its EC2 services?
None of this addresses another problem, one which was also pointed out in the Forbes article, namely that "it would be possible to publish a server image in Amazon's catalog with the intent of infecting the user with malware or exploiting a backdoor to steal information." Amazon's response to this issue was that it just provides the platform; what third-party companies do with it isn't its concern.