What price security?
Why are huge companies with $billions skimping on security and storage costs and dumping data into the "cloud"? Storage is cheap. Much cheaper than the costs of a leak or even just the bad PR.
Media monster Viacom has been caught with its security trousers down. Researchers found a wide-open, public-facing misconfigured AWS S3 bucket containing pretty much everything a hacker would need to take down the company's IT systems. The data store, found by Chris Vickery, director of Cyber Risk Research at security shop …
Because developers always want to work with the latest shiny-shiny, and they tell their clueless PHBs that the best way is "cloud", and it all goes from there.
I've known several developers to make technical decisions purely on the basis that the experience gained would look good on their CV, without any regard for the impact of their choice on the organisation itself.
Your answer is ...........
It is 'quick and simple' to do and therefore so is 'Security'. [or so it seems.]
Until it all goes 'pear shaped', cost is not really an issue vs ease of implementation.
Later, the 'ease' and 'simplicity' is examined a little more !!! :)
Overpaid people who are lazy and don't really understand what all the 'Security' nonsense is all about.
Not a problem as it doesn't impact their pay or bonuses ....... [yet !!!]
When there is a problem you can issue a 'Standard letter' proclaiming your great concern for the customers and their 'lost' information but be assured the problem is being fixed and will not happen again ..... [We hope !!!]
Just to make sure the company can 'sack' a few Techies and their managers to demonstrate they are being serious ...... [this time !!!]
Any of this sound familiar ??!!!
'Why are huge companies with $billions skimping on security and storage costs and dumping data into the "cloud"? Storage is cheap. Much cheaper than the costs of a leak or even just the bad PR.'
Because their clueless managers have been reading about how much more efficient and economical the Cloud is than the old-fashioned "stuff".
They might well be paying major-league digital agencies to run their digital services and devops, but those companies are mostly offshoring everything in order to maximise profits. The end result is that you get a contractor in Bangalore who "knows something about DevOps" and thus you end up with this situation.
Sadly this will not be the last case, has certainly not been the first and I daresay that there have been much worse (and kept hidden) cases than this which have resulted in data loss, user hijacking and fully compromised company security.
"Why are huge companies with $billions skimping on security and storage costs and dumping data into the "cloud"?"
This is not a cloud storage vs server storage issue. Badly configured storage is just as likely to happen on either. Sloppy security is sloppy security, whether on a client desktop, in your server room, on a hired VM, or on an enterprise cloud.
This is not a cloud storage vs server storage issue. Badly configured storage is just as likely to happen on either.
I disagree. Most on-prem or managed storage is looked after by someone with clue, who can fend off the stupidities that cause this sort of leak. If a developer wants a database to be hosted, then it's done in a managed fashion, and access is granted with proper consideration of security consequences. In most cases external access from the internet is never required.
Cloud storage with one of the megalithic suppliers encourages developers who want to host a database to just stick stuff on it, and if they can't immediately access it, they turn off the default security, as it's not their problem. External access from the internet is inevitable in this model, and to properly lock it down requires clue. No-one with clue is involved in the process.
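What "turning off the default security" looks like on S3, as an added example written for this thread (not code from the article, Viacom, Amazon or the researcher): a world-readable bucket policy next to one limited to a single IAM role behind a VPC endpoint, plus a small triage check that flags the open one and a public-read ACL. The policies, the ACL grants, the bucket name, the account id and the endpoint id are all constructed.

```python
"""Added example for this thread (not Viacom's, Amazon's or the researcher's code):
a triage check for an S3 bucket that a developer has "made work" by opening it
to the world.  The two bucket policies and the ACL grants below are constructed
samples in the real S3 policy/ACL shapes; the bucket name, account id and VPC
endpoint id are made up."""
import json

# Constructed sample: the quick fix applied when an app "can't immediately
# access" the bucket -- every anonymous caller on the internet can now list
# the bucket and fetch any object in it.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenItUp",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-media-backups",
                     "arn:aws:s3:::example-media-backups/*"],
    }],
})

# Constructed sample: the same two permissions, but only for one IAM role in
# the owning account and only via a VPC endpoint, so nothing is reachable
# from the public internet at all.
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/media-app"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-media-backups",
                     "arn:aws:s3:::example-media-backups/*"],
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True when the Principal element matches every caller, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _grants_read(actions):
    """True when the Action list lets a caller list the bucket or fetch objects."""
    for action in _as_list(actions):
        a = action.lower()
        if a in ("*", "s3:*", "s3:listbucket") or a.startswith("s3:get"):
            return True
    return False


def public_read_statements(policy_json):
    """Return (public, conditional): Sids of Allow statements granting read or
    list access to Principal "*".  A statement carrying a Condition (source VPC
    endpoint, source IP, ...) is reported separately, since it may be narrowed
    rather than open; a human still has to read it.  Triage only, not a full
    IAM evaluator: Deny, NotPrincipal and NotAction are ignored."""
    policy = json.loads(policy_json)
    public, conditional = [], []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(st.get("Principal", {})):
            continue
        if not _grants_read(st.get("Action", [])):
            continue
        target = conditional if st.get("Condition") else public
        target.append(st.get("Sid", "<no Sid>"))
    return public, conditional


# Grantee URIs as returned by GetBucketAcl.  "public-read" expands to a READ
# grant for AllUsers; AuthenticatedUsers means *any* AWS account in the world,
# not your own, so both count as public here.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample of the Grants list after `--acl public-read`.
PUBLIC_READ_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "deadbeef" * 8}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]


def public_acl_grants(grants):
    """Return (group, permission) pairs handed to the world-readable groups."""
    found = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            found.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return found


if __name__ == "__main__":
    print("public policy  :", public_read_statements(PUBLIC_POLICY))  # (['OpenItUp'], [])
    print("locked policy  :", public_read_statements(LOCKED_POLICY))  # ([], [])
    print("public-read acl:", public_acl_grants(PUBLIC_READ_GRANTS))  # [('AllUsers', 'READ')]
```

The locked policy still needs the role, the VPC endpoint and the account-level Block Public Access setting to exist; the point of the check is that the open policy is a one-line change a developer can make in the console, and nothing in the bucket itself shouts about it afterwards.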
Better (for the rest of the planet) would have been to copy the data far and wide so that Viacom took a huge hit. If the company had a large financial hole as a result of its poor security then other companies might actually think about security. (And if it collapsed then the loss of Comedy Central would not be a big loss to mankind!!!)
- Once Viacom became aware that information on a server – including technical information, but no employee or customer information – was publicly accessible, we rectified the issue. -
Uhm, did they fix the leak, or just added the missing employee/customer data?
The way it scans, it almost reads like leaving that out was the problem.
We would like to thank Mr Chris Vickery for finding this glaring error of ours and pointing it out to us so we could save our company from total annihilation. We would like to pay Mr Vickery's company for his efforts, and we hereby pay him the grand sum of $1000 (one millisecond's worth of our profits).
"no material impact" or "rectified the issue"
The only way to really rectify the issue (from the technical perspective) is to change everything that has been exposed (keys, passwords, maybe even server names). From a management perspective, there's even more work to do to prevent even a partial repetition.
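The rotation list the comment above calls for has to be built from what was actually in the bucket. As an added example (written for this thread, not tooling from the article, Viacom or the researcher), a scan over the recovered files that produces that list, separating things to rotate (keys, passwords, private keys) from things to re-address (internal server names). The dump is a constructed sample; the AWS key pair in it is the placeholder pair from Amazon's own documentation, not a live credential.

```python
"""Added example for this thread (not the article's, Viacom's or the researcher's
code): inventory what a leaked bucket actually exposed so the rotation list is
complete.  The dump below is a constructed sample; the AWS key pair in it is
Amazon's own documented placeholder pair, not a live credential."""
import re

SAMPLE_DUMP = """\
# deploy/group_vars/all.yml   (constructed sample, not Viacom's data)
aws_access_key_id: AKIAIOSFODNN7EXAMPLE
aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_host: db-prod-01.corp.example
db_password: "Tr0ub4dor&3"
# deploy/keys/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAsample...
-----END RSA PRIVATE KEY-----
"""

# (kind, pattern): every pattern is tried on every line.
PATTERNS = [
    # 20-char access key id: fixed AKIA prefix, not embedded in a longer token.
    ("aws_access_key_id",
     re.compile(r"(?<![A-Z0-9])(AKIA[0-9A-Z]{16})(?![A-Z0-9])")),
    # 40-char secret, only when labelled as such; a bare 40-char match on
    # arbitrary text is far too noisy to act on.
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})")),
    ("private_key",
     re.compile(r"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----")),
    ("password",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*[\"']?([^\s\"']+)")),
    # Internal hostnames are a target list for an attacker: they belong on the
    # "rename or re-address" side of the plan rather than the rotate side.
    ("internal_host",
     re.compile(r"(?i)host\s*[=:]\s*[\"']?([a-z0-9][a-z0-9.-]+\.[a-z]{2,})")),
]

# Kinds whose value is an identifier, not a secret, so it is reported in full.
NOT_SECRET = {"private_key", "internal_host"}


def mask(secret):
    """Keep enough of a value to match it against a vault, never the whole thing."""
    if len(secret) >= 16:
        return secret[:4] + "..." + secret[-4:]
    return "***"


def find_exposed(text):
    """Return [(kind, line_no, shown_value)] for every hit in the dump."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(1)
                shown = value if kind in NOT_SECRET else mask(value)
                hits.append((kind, line_no, shown))
    return hits


def rotation_plan(text):
    """Group findings by kind: the checklist that has to be empty before
    'rectified' is an honest word."""
    plan = {}
    for kind, line_no, shown in find_exposed(text):
        plan.setdefault(kind, []).append((line_no, shown))
    return plan


if __name__ == "__main__":
    for kind, items in sorted(rotation_plan(SAMPLE_DUMP).items()):
        print(f"{kind:22s} {items}")
```

Run it over the full recovered tree rather than the one file you happened to open; the patterns are deliberately conservative (the secret key is only matched when labelled) so the output is something a responder can act on line by line rather than a wall of false positives.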
As far as I can tell, the majority of these discoveries show data that was expected to be protected by Amazon's security which is a totally wrong security posture to start with.
If you are going to store critical corporate data outside the door, you damn well encrypt it before it even passes said door - such data should not be one mistake away from disclosure. But hey, that takes too much effort, apparently.
was expected to be protected by Amazon's security
Exactly. People are used to the idea that they can put anything they want on an on-premises system, and the corporate security bods will make sure it's safe. Move to the cloud, and they assume the cloud provider will do that, which of course they won't. Having your corporate environment in the cloud doesn't make it any less your responsibility to protect it, but of course that spoils the message that cloud is cheap because "someone else does everything" so the consultants will never mention it.
This bucket nonsense is getting so ridiculous that I just did a search on Google for: list aws bucket breaches
If anyone's started a list of companies with open buckets of treasure, I didn't find it--at least not one that's high in the search.
I'd start one myself, but I'd rather see El Reg. do it. Otherwise, Wikipedia might be a nice place for that.
Anyway, I did find a nice Rapid7 article on how they found 1,951 open buckets.
Biting the hand that feeds IT © 1998–2019