Rob Alexander is CIO of Capital One and was very proud of his move to AWS
http://t.co/ix9TamNPAW here is one of his slides touting the his efforts.
“We can provide higher security with AWS than with our own data centers”
They are developing new mobile and web apps to connect to your bank account
“Mobile is the new Wallet” was in the 7min video of Rob Alexander at invent2015.
As a counterpoint … I found the following Slides from the Bsides Vienna conference:
Here is official Amazon wording on support page:
“No matter how carefully engineered the services are, from time to time it may be necessary to notify customers of security and privacy events with AWS services. We will publish security bulletins below.”
Most interesting slides from Bsides:
So AWS is set in a 10.0.0.0/16 VPC (Virtual Private Cloud)
there are no broadcasts or multicasts and no IPv6 yet.
The key with AWS is the IAM or Identity Access Managment.
users are managed in Groups
AWS services are assigned Roles
Policies define permissions
S3, EBS, RDS,…
Transparent Key management
Technologies and AWS account per team
OAuth for internal and external communicaiton
Now we get the actual security incidents on AWS (from Bsides)
I also found some headlines from this Code Spaces failure:
All we need is to look at the first sentence in the article”A code-hosting service that boasted having a full recovery plan has abruptly closed after someone gained unauthorized access to its Amazon Web Service account and deleted most of the customer data there.” to know that there was a major failure of a “backup” company on the cloud.
There are plenty of articles on how Code Spaces failed to live up to its own marketing message:
In this article we find out what happened:
“However, the issue was much larger than a sustained DDoS. In fact, the reason they were able to contact the attacker in the first place is because they left contact details within Code Spaces’ Amazon EC2 control panel.”
The DDoS was a part of the attack, but not the main attack. And once the attack was being noticed and mitigated the attackers continued with their mischief:
“Code Spaces moved to regain control over their Amazon accounts, but the attacker had already taken steps to prevent this.The intruder created backup log-ins on the EC2 panel and when recovery efforts were noticed, they started to delete artifacts at random. ”
And this is my favorite quote (albeit obvious)…
In a statement, Patrick Thomas, security consultant for Neohapsis, said that for companies using cloud services as part of their business, “this is the nightmare scenario.”
But unfortunately Code Spaces was not the only company:
Again the AWS cloud main account was compromised and the following happened:
“The person(s) used our account to order hundreds of expensive servers, likely to mine bitcoin or other cryptocurrencies.”
(If one loses the main controlling account access this can happen easily)
there is much more to the DrawQuest failure: http://chrishateswriting.com/post/74083032842/today-my-startup-failed Chris Poole has a blog that discussed the failure of DrawQuest as a startup.
His words from the blogpost link above: “It may seem surprising that a seemingly successful product could fail, but it happens all the time. Although we arguably found product/market fit, we couldn’t quite crack the business side of things.”
It is interesting that Chris Poole did not mention the hack that helped fail his startup: http://chrishateswriting.com/post/84931829578/when-a-bad-day-gets-worsegetting-hacked-twice-in from a previous post.
they made significant architectural errors in devising the app. Apparently not enough (if any) security testing.
And this is the final nail in coffin: “To make an already long story short, when leaving the company a few months ago, one of our developers asked to open source a project he had worked on. You can probably already guess where this is going, but suffice it to say he did so by flipping the existing repository to public.”
When a developer does such a boneheaded move he basically killed the company. (my words).
One more company (unfortunately):
Notice the Incident report mentioned the compromise of an API key.
So we know if your defense is dependent on IAM (Identity Access Management), but also internal design of an app can cause security problems.
This concept of testing the applications for security must be drummed into everyone.
Contact Us to help you explain this.