What do you make out of recent reports claiming vulnerabilities in Amazon's AMI?

SilverHawk

I've seen a couple of articles claiming that there are security vulnerabilities and backdoors. Clearly security is one major concern companies have with moving to a public cloud model. Amazon is such a huge player and has a pretty decent security history. Are these concerns about AMI well founded or bogus?


Answers

2 total
jimlynch
Vote Up (15)

Hi SilverHawk,

GigaOm had an article about it and seemed to feel it was overblown, according to certain experts.

Amazon AMI vulnerabilities overblown, experts say
http://gigaom.com/cloud/amazon-ami-vulnerabilities-overblown-experts-say/

"Stories about potential security vulnerabilities strike a chord as more companies consider moving more of their IT workloads to public cloud infrastructure run by Amazon, Rackspace and others.

Security experts said this is more of a people problem than a technology issue in that some people deploying AMIs leave passwords, SSH keys and other data that should be locked away, unattended. That flies in the face of Amazon’s recommended practices and makes AMIs vulnerable to hackers.

The message from security experts was clear: Stupid users get what they deserve."

nbetolli
Vote Up (12)

I looked at one of the articles making these claims earlier this week, and to use your term, I think they are booooogus!  It looks like most of the issues arise from people not following security best practices.  If you leave passwords and sensitive information "laying around" unsecured and unencrypted and someone takes advantage of it, I don't see how that is Amazon's fault.  I have seen so many instances of guidelines and procedures not being followed at companies large and small that I am not really surprised that some people are sloppy when they should be more cautious. 
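Both answers come down to credentials left behind in an image before it is shared. The following is an added example, not part of the original thread or of Amazon's tooling: a pre-publish audit that walks a mounted image root and flags leftover SSH keys, shell history and usable password hashes. The function names, the list of history files and the sample tree are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

HISTORY_NAMES = {".bash_history", ".zsh_history", ".mysql_history"}

def audit_image_root(root):
    """Walk a mounted image root; return sorted (relative_path, finding) pairs."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        try:
            with open(path, "rb") as fh:
                data = fh.read(65536)  # the head of the file is enough for these checks
        except OSError:
            continue
        lines = data.decode("utf-8", "replace").splitlines()
        if path.name == "authorized_keys":
            if any(l.strip() and not l.lstrip().startswith("#") for l in lines):
                findings.append((rel, "authorized_keys entry left in image"))
        elif b"-----BEGIN" in data and b"PRIVATE KEY-----" in data:
            findings.append((rel, "private key material"))
        elif path.name in HISTORY_NAMES and data.strip():
            findings.append((rel, "non-empty shell history"))
        elif rel == "etc/shadow":
            for fields in (l.split(":") for l in lines):
                # A non-empty second field not starting with ! or * is a usable hash
                if len(fields) > 1 and fields[1] and fields[1][0] not in "!*":
                    findings.append((rel, "password hash set for " + fields[0]))
    return sorted(findings)

def build_sample_image(root):
    """Constructed sample tree standing in for a mounted image; every value is fake."""
    samples = {
        "root/.ssh/authorized_keys": "ssh-ed25519 AAAAconstructed builder@example\n",
        "home/dev/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n",
        "home/dev/.bash_history": "mysql -u root -pconstructed\n",
        "etc/shadow": "root:$6$constructed$hash:19000:0:99999:7:::\ndaemon:*:19000::::::\n",
        "etc/hostname": "sample\n",
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        print(*audit_image_root(tmp), sep="\n")
```

Run it against the image's root volume mounted read-only on a build host; an empty result is the condition for publishing.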
