Colin Percival and Craig Balding on Amazon Cloud Security

If you're a security professional, it would be worth your time to read Craig Balding's post What’s New in the Amazon Cloud?: Security Vulnerability in Amazon EC2 and SimpleDB Fixed (7.5 Months After Notification), a summary and analysis of Colin Percival's post AWS signature version 1 is insecure. These posts demonstrate the changing nature of our jobs. We will become increasingly reliant on others hosting, processing, and ostensibly "protecting" our data, but our ability to measure the effectiveness of these services is likely to erode over time. In this case it sounds like Amazon.com worked slowly but very effectively with Colin, and their example should be followed.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Comments

xAAS is new enough that the usual legal frameworks are lagging by years. Receiving a reasonable security from the service provider is a business problem, best solved when signing a contract.

I would hope that SAS70-style attestation documents, along with some form of contracted SLA for remediation and notification processes would be a step into right direction.

Outsourced capacity could be beneficial, but it will not be a cure-all. The industry should look back at it's recent history, and re-read the lessons learned by the companies that have outshored their development/processing centers.

Those who have managed their new partners well had a chance to turn it into a competitive advantage, but most have failed to gain anywhere near projected benefits.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics