Thursday, December 18, 2008

Colin Percival and Craig Balding on Amazon Cloud Security

If you're a security professional, it would be worth your time to read Craig Balding's post What’s New in the Amazon Cloud?: Security Vulnerability in Amazon EC2 and SimpleDB Fixed (7.5 Months After Notification), a summary and analysis of Colin Percival's post AWS signature version 1 is insecure. These posts demonstrate the changing nature of our jobs. We will become increasingly reliant on others hosting, processing, and ostensibly "protecting" our data, but our ability to measure the effectiveness of these services is likely to erode over time. In this case it sounds like Amazon.com worked slowly but very effectively with Colin, and their example should be followed.

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

1 comment:

Marcin Antkiewicz said...

xAAS is new enough that the usual legal frameworks are lagging by years. Receiving reasonable security from the service provider is a business problem, best solved when signing a contract.

I would hope that SAS70-style attestation documents, along with some form of contracted SLA for remediation and notification processes, would be a step in the right direction.

Outsourced capacity could be beneficial, but it will not be a cure-all. The industry should look back at its recent history, and re-read the lessons learned by the companies that have offshored their development/processing centers.

Those who have managed their new partners well had a chance to turn it into a competitive advantage, but most have failed to gain anywhere near projected benefits.