A poorly designed feature in Amazon’s Web Services platform could present a security risk for developers or programmers that are new to the cloud, according to a cloud computing consultant.
Jonathan Siegel, CEO and founder of Santa Barbara, Calif.-based ELC Technologies, said the issue stems from the AWS Web console, which gives users the option to make their online backup snapshots — similar to a tape backup — public or private. The default setting is private, but some users are mistakenly checking off public, and publishing secure data to the world.
Siegel, who also serves as a member of Amazon’s European Advisory Board, said he realized other users were inadvertently publishing sensitive data while recently performing a routine cleanup of his own AWS account.
“I went to pull out my backup from Amazon and what I saw wasn’t just my backup,” he said. “I had access to 200 other backups.” The backup snapshots included a database of 800,000 users from an e-card Web site and a host of Web files from a news media site.
Siegel said he quickly alerted both Amazon and the businesses who inadvertently disclosed their data to his discovery.
The AWS service is an “infrastructure Web services platform in the cloud” geared toward developers and Web administrators. Common use cases include Web and application hosting, backup and storage, databases, e-commerce, and other media hosting needs.
While users are given a clear option as to whether or not they want to take their data public, Siegel said with many developers and programmers signing on with AWS, these users are faced with issues typically geared toward system administrators.
“You would never put these two boxes beside each other in your data centre,” he said, referring to the private/public option.
To remedy the situation, he would like to see Amazon force users to create a separate account if they want to take their data public.
“The whole feature should be removed for the average AWS user,” he said. Siegel estimated that usage of the “public” option is probably close to one per cent.
In an e-mail response to ComputerWorld Canada, AWS spokesperson Kay Kinton said Amazon customers have asked us for the ability to share their backup snapshots publicly.
“In general we have found that users understand this feature very well as this is no different than users explicitly choosing to share their data by any means,” she said. “That said, we have updated our documentation to provide more explicit guidance on this feature.”
Siegel would also like to see Amazon give users a second set of credentials for their accounts. This would come in handy, he said, for users who want to experiment with live and staging versions of their site.
“Because you’re limited by this public cloud constraint of having one set of credentials that you use to manage, multiple teams end up using the same credentials on multiple products,” Siegel said.
Whether or not Amazon will heed Siegel’s advice remains to be seen, but cloud security is certainly an issue that isn’t going away for the company anytime soon. During a keynote speech at last month’s Cebit conference in Germany, Amazon Web Services CTO Werner Vogels said companies with customer-facing Web systems should adopt cloud services immediately.
The CTO also said he wants to end the misconception that AWS exists to sell the company's excess server capacity.
“There is a myth out there that when Christmas comes, suddenly, all of the foundations under your building will be gone ... that is obviously not the case,” said Vogels last month.
– With files from Mikael Ricknäs, IDG News Service (Stockholm Bureau)
