Recent major headlines have included a troubling data breach at leading financial institution Capital One. A closer look at the incident revealed that a hacker was able to access a part of Capital One’s Amazon Web Services infrastructure and remove data – including sensitive information for millions of consumers. This incident is a stark reminder that while public cloud infrastructure like AWS has been game-changing, rigorous change and configuration management remains a major responsibility for clients of public cloud. Let’s review that division of ownership/responsibility in more detail.
Shared Responsibility Model
AWS operates via what it calls the shared responsibility model. In summary, the management of security “of the cloud” falls to Amazon and security “in the cloud” falls on the clients – in this case, Capital One. As Amazon puts it, “the shared model can help relieve the customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall.” That last piece is exactly where Capital One fell down.
Amazon’s published documents make the division of responsibilities clear. Identity & Access Management and Firewall Configuration are clearly delineated as customer responsibilities, and that is exactly where Capital One was exploited.
While AWS does an amazing job of providing infrastructure that is cost-effective, modern and highly available, it is important for your organization to have the proper controls in place for configuration management in the cloud.
For support with your own configuration management or questions about security, please contact Superior Technology at 845-735-3555 or online at www.superiortechnology.com.