{"id":9897,"date":"2017-10-16T06:30:19","date_gmt":"2017-10-16T14:30:19","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/16\/news-3670\/"},"modified":"2017-10-16T06:30:19","modified_gmt":"2017-10-16T14:30:19","slug":"news-3670","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/10\/16\/news-3670\/","title":{"rendered":"Don\u2019t be the fool in the cloud"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/10\/the_fool-100738916-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Steven J. Vaughan-Nichols| Date: Mon, 16 Oct 2017 07:23:00 -0700<\/strong><\/p>\n<p>When I hear people worrying about cloud security, they\u2019re usually shaking in their boots about some obscure bug beyond their control. Ha! Ordinary, stupid human mistakes are more than bad enough.<\/p>\n<p>For example, <a href=\"http:\/\/www.zdnet.com\/article\/accenture-left-a-huge-trove-of-client-passwords-on-exposed-servers\/\" rel=\"nofollow\">Accenture left hundreds of gigabytes of private user and corporate data on four unsecured Amazon Web Services (AWS) S3 cloud servers<\/a>. The data included passwords and decryption keys. What did you need to dig into this treasure trove? The servers\u2019 web addresses.<\/p>\n<p>That\u2019s all. No user ID, no password, no nothing.<\/p>\n<p>Adding insult to injury, according to Chris Vickery, director of cyber-risk research at security firm <a href=\"https:\/\/www.upguard.com\/\" rel=\"nofollow\">UpGuard<\/a>, <a href=\"https:\/\/www.accenture.com\/us-en\/new-applied-now\" rel=\"nofollow\">Accenture<\/a>\u2019s revealed data included its <a href=\"https:\/\/aws.amazon.com\/kms\/\" rel=\"nofollow\">AWS Key Management System (KMS)<\/a> master keys. 
With those, an attacker could have also taken control of all the company\u2019s encrypted AWS data.<\/p>\n<p>Can you say, \u201cBad?\u201d I knew you could.<\/p>\n<p>So repeat after me: \u201cI will give every public-facing cloud resource under my control a user ID and a password.\u201d<\/p>\n<p>It\u2019s not so hard, right? But way too many companies aren\u2019t getting even that much right.<\/p>\n<p>According to a survey from <a href=\"https:\/\/redlock.io\/\" rel=\"nofollow\">RedLock<\/a>, a public cloud security company, \u201c53% of organizations using cloud storage services such as Amazon Simple Storage Service (Amazon S3) had inadvertently exposed one or more such services to the public.\u201d<\/p>\n<p>Worse still, \u201cit appears that this is trending upwards despite growing awareness about the risks of misconfigurations; earlier in May this number was 40%.\u201d<\/p>\n<p>This is preposterous. Have we forgotten everything we ever learned in Security 101? Or, perhaps I should ask, \u201cDid we ever really know how to secure services and data?\u201d<\/p>\n<p>I\u2019m beginning to believe we didn\u2019t. Our half-assed security methods may have worked when we weren\u2019t putting our resources on the cloud or in internet-facing services. But our mistakes are no longer hidden within our data center; they\u2019re out in the world for anyone to see \u2014 and hack.<\/p>\n<p>I\u2019m <a href=\"http:\/\/www.zdnet.com\/article\/equifax-ceo-admits-responsibility-starts-at-the-top-for-devastating-data-breach\/\" rel=\"nofollow\">looking at you, Equifax<\/a>. Thanks to your total lack of security and system administration sense, <a href=\"http:\/\/www.zdnet.com\/article\/data-breaches-highlight-how-social-security-number-has-to-be-phased-out-for-blockchain-biometrics\/\" rel=\"nofollow\">Social Security numbers, our default U.S. 
national ID number, have been rendered worthless<\/a>.<\/p>\n<p>One thing that hasn\u2019t been mentioned much in the Equifax fiasco is that the company also hadn\u2019t encrypted its data. Is your cloud data encrypted? According to the RedLock study, \u201c64% of databases in the public cloud are not encrypted.\u201d<\/p>\n<p>Oh, come on, people! Encrypt your data already. Make it a little harder for thieves to ransack it, please!<\/p>\n<p>OK, so Accenture, a, quote, leading global professional services company, end quote, was full of idiots. And Equifax will go down in the history books for allowing one of the all-time worst security failures. But your company\u2019s fine. Right? Right!?<\/p>\n<p>Do yourself a favor. Run a basic security audit. Keep in mind, as Accenture didn\u2019t, that AWS, Google Compute, Microsoft Azure and all the other major public cloud players provide you with infrastructure as a service, not security as a service. Ultimately, it\u2019s <a href=\"https:\/\/insights.hpe.com\/articles\/how-to-secure-data-across-multiple-platforms-1704.html\" rel=\"nofollow\">up to you to secure your data, not your cloud provider<\/a>.<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3233289\/cloud-computing\/don-t-be-the-fool-in-the-cloud.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/10\/the_fool-100738916-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Steven J. Vaughan-Nichols| Date: Mon, 16 Oct 2017 07:23:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>When I hear people worrying about cloud security, they\u2019re usually shaking in their boots about some obscure bug beyond their control. Ha! 
Ordinary, stupid human mistakes are more than bad enough.<\/p>\n<p>For example, <a href=\"http:\/\/www.zdnet.com\/article\/accenture-left-a-huge-trove-of-client-passwords-on-exposed-servers\/\" rel=\"nofollow\">Accenture left hundreds of gigabytes of private user and corporate data on four unsecured Amazon Web Services (AWS) S3 cloud servers<\/a>. The data included passwords and decryption keys. What did you need to dig into this treasure trove? The servers\u2019 web addresses.<\/p>\n<p>That\u2019s all. No user ID, no password, no nothing.<\/p>\n<p>Adding insult to injury, according to Chris Vickery, director of cyber-risk research at security firm <a href=\"https:\/\/www.upguard.com\/\" rel=\"nofollow\">UpGuard<\/a>, <a href=\"https:\/\/www.accenture.com\/us-en\/new-applied-now\" rel=\"nofollow\">Accenture<\/a>\u2019s revealed data included its <a href=\"https:\/\/aws.amazon.com\/kms\/\" rel=\"nofollow\">AWS Key Management System (KMS)<\/a> master keys. With those, an attacker could have also taken control of all the company\u2019s encrypted AWS data.<\/p>\n
<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11064,714],"class_list":["post-9897","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-cloud-computing","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9897","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9897"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9897\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9897"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9897"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9897"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}