What do you make out of recent reports claiming vulnerabilities in Amazon's AMI?

SilverHawk

I've seen a couple of articles claiming that there are security vulnerabilities and backdoors. Clearly security is one major concern companies have with moving to a public cloud model. Amazon is such a huge player and has a pretty decent security history. Are these concerns about AMI well founded or bogus?


Answers

2 total
jimlynch
Vote Up (13)

Hi SilverHawk,

GigaOm had an article about it and seemed to feel it was overblown, according to certain experts.

Amazon AMI vulnerabilities overblown, experts say
http://gigaom.com/cloud/amazon-ami-vulnerabilities-overblown-experts-say/

"Stories about potential security vulnerabilities strike a chord as more companies consider moving more of their IT workloads to public cloud infrastructure run by Amazon, Rackspace and others.

Security experts said this is more of a people problem than a technology issue in that some people deploying AMIs leave passwords, SSH keys and other data that should be locked away, unattended. That flies in the face of Amazon’s recommended practices and makes AMIs vulnerable to hackers.

The message from security experts was clear: Stupid users get what they deserve."

nbetolli
Vote Up (9)

I looked at one of the articles making these claims earlier this week, and to use your term, I think they are booooogus! It looks like most of the issues arise from people not following security best practices. If you leave passwords and sensitive information "laying around" unsecured and unencrypted and someone takes advantage of it, I don't see how that is Amazon's fault. I have seen so many instances of guidelines and procedures not being followed at companies large and small that I am not really surprised that some people are sloppy when they should be more cautious.
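Both answers put the problem down to credentials left behind in the image rather than to AWS itself. As an added illustration (not code from this thread or from Amazon), here is a Python pre-publish check that walks an unpacked image root and flags the leftovers the answers mention: authorized_keys, shell history, private keys and embedded access keys. The file names and patterns are an assumed baseline, and the sample tree it scans is constructed.

```python
"""Pre-publish hygiene check for an AMI root filesystem (added example)."""
import re
import tempfile
from pathlib import Path

# Assumed baseline of files a shared image should not carry; extend for your own build.
SENSITIVE_NAMES = {"authorized_keys", ".bash_history", ".netrc"}
PRIVATE_KEY_NAMES = re.compile(r"^(id_(rsa|dsa|ecdsa|ed25519)|ssh_host_\w+_key)$")
PRIVATE_KEY_MARKER = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
AWS_ACCESS_KEY = re.compile(rb"\bAKIA[0-9A-Z]{16}\b")  # access key ID format


def scan_image_root(root):
    """Walk an unpacked image root; return (relative_path, reason) findings."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name in SENSITIVE_NAMES or path.name.endswith(".pem"):
            findings.append((rel, "credential or history file left in image"))
        elif PRIVATE_KEY_NAMES.match(path.name):
            findings.append((rel, "private key left in image"))
        elif rel.endswith(".aws/credentials"):
            findings.append((rel, "AWS credential file left in image"))
        else:
            try:
                head = path.read_bytes()[:65536]  # only inspect the first 64 KiB
            except OSError:
                continue
            if PRIVATE_KEY_MARKER.search(head):
                findings.append((rel, "file contains a PEM private key"))
            elif AWS_ACCESS_KEY.search(head):
                findings.append((rel, "file contains an AWS access key ID"))
    return findings


def build_sample_root():
    """Create a constructed, throwaway image tree that exhibits the problems."""
    root = Path(tempfile.mkdtemp(prefix="ami-sample-"))
    files = {  # constructed contents; nothing here is a real key
        "etc/hostname": b"web-01\n",
        "etc/ssh/ssh_host_rsa_key": b"-----BEGIN OPENSSH PRIVATE KEY-----\nfake\n",
        "root/.ssh/authorized_keys": b"ssh-ed25519 AAAAC3Nza... builder@laptop\n",
        "home/app/.bash_history": b"mysql -u root -pexample\n",
        "opt/app/config.ini": b"[s3]\naccess_key = AKIAEXAMPLEEXAMPLE01\n",
        "var/log/syslog": b"started\n",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, reason in scan_image_root(build_sample_root()):
        print(f"{rel}: {reason}")
```

Run it against the mounted root of a snapshot before you mark the image public; an empty result is the bar the GigaOm experts are describing.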
