A Little too Much Access, Thank You

So now that it appears the Internet Apocalypse is over and we can all return to life as we know it (assuming we ever left), our weary eyes can turn once more to the ever-fresh subject of cloud security.

The recent angst and horror over in Washington (state) suggests that, regardless of whether we know what cloud security is, the real question is: who owns it?

Researchers recently discovered that large (and by large, I really mean very, very large) amounts of information have been left lying around in Amazon Simple Storage Service (S3) buckets that are public rather than private. And while it’s possible that some of those are intentionally left public – or possibly even most of them – it’s hard to imagine that 126 billion files (yes, really) were left intentionally visible for the whole world to see. Nor is it difficult to find out which buckets are open for public review: a bucket that grants list access to everyone will hand its object names to any unauthenticated request.

So whose fault is it?

Is this a case of Amazon not adequately protecting its users? Perhaps simply a case of caveat emptor? A bit of both?

In the end, it all depends where you stand on these matters. Amazon is pretty clear on who owns security here (and as a hint to readers, it’s not Amazon): under its shared responsibility model, Amazon secures the cloud itself and the customer secures what they put in it. So if a customer uploads files and leaves the bucket open so that anyone can list the file names, and potentially read the files themselves, then I think Amazon could feasibly argue that it’s the customer’s decision and responsibility.

In fact, Amazon’s security team has already gone above and beyond to warn users and offer advice on what to do.

Like many things, the practice is never as clean as the theory, because cloud storage services, like a lot of other cloud services, do not necessarily reside in the sole domain of well-trained IT and security professionals. In fact, as more information moves to the cloud, the risk that well-intentioned but uninformed users will accidentally spill the beans on something sensitive just continues to grow.

Remember, even file names can disclose a lot of information, especially in highly regulated worlds like healthcare. For example, a file name that includes a patient’s name is itself protected health information (PHI) under HIPAA, so a bucket that merely lists its object names can land you in HIPAA-related hot water before a single file is downloaded.

And while your average clinician may not be putting files in S3 buckets, the principle applies to every storage space in the cloud. While it may seem like a great idea to put those files up there and share them, how many business users really understand ACLs and bucket policies? Furthermore, how many will have the time to go back and make sure that access is revoked when it’s no longer needed, or to confirm that it was appropriate in the first place?
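As an added example (not code from the article, from Amazon, or from the researchers it mentions), the script below reads the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return and reports what an anonymous caller can do: list object names, read object contents, or upload and overwrite. That is exactly the distinction the paragraphs above draw between a bucket whose file names are visible and one whose files can be read. The bucket name, owner ID and the two policy documents are constructed samples; everything else follows the documented shape of those two CLI outputs.

```python
"""Added example (not code from the original article or from Amazon): read the
JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return
and report what an anonymous caller can do with the bucket.  The sample
documents at the bottom are constructed for this example."""
import json
from fnmatch import fnmatchcase

# Grantee URIs that S3 uses for "everyone" and "every AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone on the Internet", AUTH_USERS: "any AWS account"}


def public_acl_grants(acl):
    """Return [(who, permission), ...] for every ACL grant made to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


def _as_list(value):
    # Policy fields such as Statement, Action and Principal.AWS may be a scalar or a list.
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean "anyone".
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_policy_actions(policy):
    """Return the lower-cased action patterns that Allow statements grant to Principal '*'.

    Statements carrying a Condition are still counted: conditions such as
    aws:Referer are trivially spoofed, so a screening tool should err toward
    reporting them rather than silently treating them as private."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            actions.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return actions


def _allows(patterns, wanted):
    # IAM action names are case-insensitive and may contain '*' wildcards (s3:Get*, s3:*).
    return any(fnmatchcase(wanted, pattern) for pattern in patterns)


def policy_from_cli(output):
    """`get-bucket-policy` wraps the policy document in a JSON string; unwrap it."""
    return json.loads(json.loads(output)["Policy"])


def exposure(acl, policy=None):
    """Map the grants onto the three things worth worrying about.

    Bucket ACL READ (or FULL_CONTROL) lets anyone *list* object names; it does not
    by itself expose contents, which need s3:GetObject in the bucket policy (or a
    public ACL on each object).  Bucket ACL WRITE lets anyone upload and overwrite."""
    result = {"list_names": False, "read_contents": False, "write_objects": False}
    for _who, perm in public_acl_grants(acl):
        if perm in ("READ", "FULL_CONTROL"):
            result["list_names"] = True
        if perm in ("WRITE", "FULL_CONTROL"):
            result["write_objects"] = True
    if policy:
        acts = public_policy_actions(policy)
        result["list_names"] |= _allows(acts, "s3:listbucket")
        result["read_contents"] |= _allows(acts, "s3:getobject")
        result["write_objects"] |= _allows(acts, "s3:putobject")
    return result


# Constructed samples: the classic mistake (AllUsers READ on the bucket ACL, so the
# whole object listing is public) plus a policy that additionally hands out GetObject.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY_CLI_OUTPUT = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})})
PRIVATE_ACL = {"Owner": {"ID": "example-owner-canonical-id"},
               "Grants": [SAMPLE_ACL["Grants"][0]]}

if __name__ == "__main__":
    print("sample bucket :", exposure(SAMPLE_ACL, policy_from_cli(SAMPLE_POLICY_CLI_OUTPUT)))
    print("private bucket:", exposure(PRIVATE_ACL))
```

Against live buckets, feed it the output of `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME` (the latter errors when no policy exists, which is the private case). The point of the split result is the one the article makes: a bucket can leak every file name without leaking a single file, and the listing alone is enough to be a problem when those names are patient names.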

The cloud offers oceans of untapped opportunity. Some of those opportunities will give organizations ways to perform faster, smarter and better, but they also come with opportunities to crash badly in very public ways.

In either case, it seems, you won’t be on your own for long.
