Interesting Example of Cloud Computing Risks

One of the aspects of the move to cloud computing I find most interesting is the new and emergent risks that come with the move of services from a traditional networked IT environment to being hosted “out in the open” of the cloud.

Whilst attention gets paid to some of the technical risks, I don’t think there’s been a lot of focus on some of the more procedural/human aspects of it.

One example is the visibility/effect of configuration mistakes. In a traditional IT environment, mistakes can be partially contained by the network perimeter (albeit that containment is usually weaker than it used to be).

If someone makes an access control change which allows anonymous access to data, that mistake is likely only to be exploitable and visible to a limited group of people.

With the move to cloud computing though, that same mistake could be instantly visible to the whole world and all its attacker communities.

A really good example of this comes up in a vulnerability found by Jonathan Siegel (background story here and here).

In essence the problem seems to be that users of Amazon Web Services have made access control errors which set disk snapshots to be publicly available to everyone in a given region, and in the examples Jonathan gives this has included a database of user accounts for a web service and a full copy of a news service’s web site.

So what would have likely been a relatively minor access control issue in an internal network setup becomes a situation where all the data in question should be considered compromised.
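An account owner can check for the snapshot mistake described above by auditing the sharing permission on each snapshot. The following is an added example, not code from the original post: the function names, snapshot IDs and account numbers are made up for illustration, and the record shape follows the `CreateVolumePermissions` list returned by the EC2 `DescribeSnapshotAttribute` call, where an entry of `{"Group": "all"}` means the snapshot is public.

```python
"""Audit EBS snapshot sharing: flag snapshots that anyone can restore."""

def classify(perms, trusted_accounts=frozenset()):
    """Classify one snapshot's CreateVolumePermissions list.

    Each entry is {"Group": "all"} (public) or {"UserId": "<account id>"}.
    """
    if any(p.get("Group") == "all" for p in perms):
        return "PUBLIC"
    shared = {p["UserId"] for p in perms if "UserId" in p}
    if shared - set(trusted_accounts):
        return "SHARED_UNTRUSTED"
    return "SHARED_TRUSTED" if shared else "PRIVATE"


def audit(snapshots, trusted_accounts=frozenset()):
    """Return (snapshot_id, status) for risky snapshots, worst first."""
    order = {"PUBLIC": 0, "SHARED_UNTRUSTED": 1}
    findings = []
    for s in snapshots:
        status = classify(s["CreateVolumePermissions"], trusted_accounts)
        if status in order:
            findings.append((s["SnapshotId"], status))
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


def collect(ec2):
    """Build the same records from a live account; `ec2` is a boto3 EC2 client."""
    out = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
            out.append({"SnapshotId": snap["SnapshotId"],
                        "CreateVolumePermissions": attr["CreateVolumePermissions"]})
    return out


# Constructed sample data (IDs and account numbers are made up).
SAMPLE = [
    {"SnapshotId": "snap-0aaa", "CreateVolumePermissions": []},
    {"SnapshotId": "snap-0bbb", "CreateVolumePermissions": [{"Group": "all"}]},
    {"SnapshotId": "snap-0ccc", "CreateVolumePermissions": [{"UserId": "111111111111"}]},
    {"SnapshotId": "snap-0ddd", "CreateVolumePermissions": [{"UserId": "222222222222"}]},
]

if __name__ == "__main__":
    for snap_id, status in audit(SAMPLE, trusted_accounts={"111111111111"}):
        print(f"{status:17} {snap_id}")
```

Snapshot permissions are set per region, so `collect` needs to be run with a client for each region the account uses.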

*** This is a Security Bloggers Network syndicated blog from Rory.Blog authored by Rory2.