Note from Tom June 3: I received an email from an AWS spokesman yesterday that disagreed with the statements in this post. Over the next few days, I'll work with AWS and Dick Brooks to figure out whether any of the statements below are wrong. I'll put out a post when this is done, hopefully next week.
I’ve been carrying on a number of good email conversations with Dick Brooks of Reliable Energy Analytics, who has been dealing with software vulnerabilities and malware since the mid-80’s. In one of them he mentioned some things he’d discovered when he moved his product to the AWS cloud platform. In his words:
Amazon’s PAAS offering is called EC2. This is where you’re given a choice of platforms to choose, which form the basis of your operating environment. In my case I chose the most up to date offering, which is a Linux platform running Python 3.6. NOTE: this version of Python is 2 releases behind the current offering, 3.8. I could upgrade to the latest version of Python after selecting the platform, but that requires me to perform the upgrade.

The default web server that automatically starts on the platform has no protection. I received a deluge of web vulnerability attempts from lots of different IP addresses, which I had to guard against.

I don’t know about other cloud offerings, e.g. SalesForce which offers SAAS solutions, but I can say without a doubt that I had to take security and upgrades into my own hands on Amazon’s EC2 PAAS offering.
Of course, the fact that Amazon’s customers need to take security into their own hands isn’t a surprise to most of us. I discussed that in my posts prompted by the Capital One breach last year, including this one. But it’s certainly worrisome that they don’t even bother to take the step of putting minimal protections on the default firewall that comes with their PaaS solution, or that they don’t run the current version of Python (which would presumably carry the most recent security updates) in that solution.
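The “deluge of web vulnerability attempts” Dick describes is exactly what a freshly launched instance with an open default firewall sees in its web server access log. As an added example (not code from this post or from AWS), here is a small Python script that parses constructed Apache/nginx combined-format log lines, counts probe-like requests per source address, and returns the addresses that exceed a threshold, which is the list you would feed into a security group or host firewall rule; the log lines, the probe path list and the threshold are all assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jun/2020:10:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.23"
198.51.100.23 - - [01/Jun/2020:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.23"
198.51.100.23 - - [01/Jun/2020:10:00:03 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 153 "-" "python-requests/2.23"
192.0.2.99 - - [01/Jun/2020:10:00:04 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "curl/7.68.0"
203.0.113.7 - - [01/Jun/2020:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: client IP, identd, user, [timestamp], "METHOD PATH PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths a default, empty web server has no reason to serve; a request for them is a probe.
# This list is an illustrative assumption, not a complete signature set.
PROBE_PATTERNS = re.compile(r'(\.env|wp-login\.php|phpmyadmin|\.\./|\.git/|cgi-bin)', re.IGNORECASE)


def parse_line(line):
    """Return (ip, path, status) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def probe_counts(log_text):
    """Count probe-like requests per source IP: a known probe path, or a 400/404 response."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec
        if PROBE_PATTERNS.search(path) or status in (400, 404):
            counts[ip] += 1
    return dict(counts)


def sources_to_block(log_text, threshold=2):
    """Sorted list of source IPs with at least `threshold` probe-like requests (assumed cut-off)."""
    return sorted(ip for ip, n in probe_counts(log_text).items() if n >= threshold)
```

Running `sources_to_block(SAMPLE_LOG)` on the constructed log flags only the scanner that walked several well-known paths, while the single traversal attempt from the other address stays below the default threshold; the threshold is a tuning knob, not a fixed rule.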
The problem is that questions like this are probably not asked in FedRAMP, yet these are omissions that could come back to bite the Amazon customer. Where is that customer going to learn about problems like this? Note that this isn’t a question of whether the customer will use Amazon or not – it’s a question of how they can learn about the problems beforehand, rather than after they’ve been hacked.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!