
Summary:

The latest kerfuffle about alleged vulnerabilities in Amazon Web Services’ Amazon Machine Images is little more than a tempest in a teapot, according to security experts. Their takeaway is basically that stupid users with bad computing practices get what they deserve.


The latest kerfuffle over reported vulnerabilities in Amazon Machine Images is a tempest in a teapot, according to security experts.

Recent reports described the issue in florid terms. One headline characterized Amazon servers as “teeming with backdoors.” An Amazon Machine Image — or AMI — is a preconfigured package of the operating system and virtual application software used to build a virtual machine in the Amazon Elastic Compute Cloud, or EC2. AMIs are the basic units of deployment for EC2 services.

Stories about potential security vulnerabilities strike a chord as more companies consider moving more of their IT workloads to public cloud infrastructure run by Amazon, Rackspace and others.

Security experts said this is more of a people problem than a technology issue: some people deploying AMIs leave passwords, SSH keys and other data that should be locked away sitting unattended inside the image. That flies in the face of Amazon’s recommended practices and makes those AMIs vulnerable to hackers.

The message from security experts was clear: Stupid users get what they deserve.

“If someone’s practices are poor enough to embed credentials in AMIs and upload [them] as public, then it’s a big deal,” said Chris Hoff, the senior director and security architect at Juniper Networks.

Anyone who bothers to read Amazon’s documentation will know better than to leave these artifacts lying around. It’s the first or second thing Amazon warns people about, said Carl Brooks, a cloud computing analyst with Tier1 Research. The bigger problem is that despite all the warnings and documentation, people do it anyway.
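As an added illustration of the pre-publication hygiene check the experts describe (not code from the article, from Amazon or from any vendor quoted here), the Python below walks a mounted image root and reports the artifacts named above: private SSH keys, populated authorized_keys files, retained shell history and AWS credential files. The tree it scans is constructed in a temporary directory for the demo; `scan_image_root` can be pointed at a real mounted root instead.

```python
import os
import re
import tempfile

PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
AWS_KEY_RE = re.compile(rb"aws_access_key_id\s*=\s*\S+", re.IGNORECASE)
HISTORY_NAMES = {".bash_history", ".zsh_history", ".mysql_history"}

def scan_image_root(root, max_bytes=1 << 20):
    """Return sorted (relative_path, reason) findings for leftover credentials under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # never follow links out of the image tree
            size = os.path.getsize(path)
            if name in HISTORY_NAMES and size > 0:
                findings.append((rel, "shell history retained"))
                continue
            if name == "authorized_keys" and size > 0:
                findings.append((rel, "authorized_keys not emptied"))
                continue
            if size > max_bytes:
                continue  # key material is small text; skip large binaries
            with open(path, "rb") as fh:
                data = fh.read()
            if PRIVATE_KEY_RE.search(data):
                findings.append((rel, "private key material"))
            elif AWS_KEY_RE.search(data):
                findings.append((rel, "AWS access key in config"))
    return sorted(findings)

def build_sample_root():
    root = tempfile.mkdtemp()  # constructed sample tree standing in for a mounted image root
    def put(rel, content):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    put("root/.ssh/id_rsa", b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n")
    put("home/ec2-user/.ssh/authorized_keys", b"ssh-rsa AAAACONSTRUCTED ec2-user\n")
    put("root/.bash_history", b"mysql -u root -pCONSTRUCTED\n")
    put("root/.aws/credentials", b"[default]\naws_access_key_id = AKIACONSTRUCTED\n")
    put("etc/hostname", b"ip-10-0-0-1\n")  # clean file: must not be reported
    return root

if __name__ == "__main__":
    print(scan_image_root(build_sample_root()))
```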

Last June, GigaOM Pro analyst Paul Miller wrote about these issues (subscription required), saying that in general, users have poor security practices whether they are working on AWS or on their own company’s servers.

Do those users think it’s Amazon’s responsibility to ensure security? Does Amazon lead those users to think that they are absolved of responsibility? There is no suggestion that this behavior makes Amazon Web Services itself less secure, although Amazon does have the problem of dealing with the resulting negative press from any attack.

In general, this AMI issue may be old news, but as more users weigh a move into cloud computing, stories about security vulnerabilities — whether they are vendor or user induced — will crop up again.

Photo courtesy of Flickr user Evil Erin

  1. In general I agree with these comments, though the stupid user can’t really control these problems due to the appealing cloud provisioning tools. The option to set the AMI to be public is just a “click away”. Security management, like overall cloud management, involves a higher complexity due to the fast changes and hence an extremely large amount of new additional data. We develop a product that helps find these types of problems by analyzing the big data that intensive cloud usage generates. You are welcome to submit a request to try it out on Newvem.com

    Ofir.
    @iamondemand

    1. It’s also kind of a risky strategy for any company to blame its troubles on “stupid” users. Not that Amazon is saying that itself.

  2. I think the real problem here is our concept of authentication. The only password you should ever need to memorize is the one that logs you in to your identity provider – the technology to delegate it from there already exists.
