The vulnerabilities allow attackers to manipulate or compromise web services or virtual infrastructure. Researchers at the center were able to extract data such as passwords, cryptographic keys, and certificates from virtual machines.
“The main reason lies in the careless and error-prone manner in which Amazon’s customers handle and deploy AMIs”, the center said in a release. While security experts focus on the security aspects of the underlying cloud infrastructure and provider, many threats originate from the way cloud customers construct and use the cloud services, it explained.
“The problem clearly lies in the customers’ unawareness and not in Amazon Web Services. We believe that customers of other cloud providers endanger themselves and other cloud users similarly by ignoring or underestimating security recommendations”, said researcher Ahmad-Reza Sadeghi.
Poor security practices by cloud services customers is pervasive, noted cloud security provider Dome9.
“There are a lot of unintended consequences from the migration to the cloud”, said Dave Meizlik, vice president of marketing at Dome9. “Organizations are trading risk for the opportunity that the cloud presents. That risk is security.”
Meizlik observed that the two greatest inhibitors to cloud adoption are security and availability. “Those two are tied together. If you have a server in the cloud and it becomes infected or is attacked, it is unavailable for service.”
Meizlik told Infosecurity that the cloud challenges the traditional view of information security, which is perimeter based. “However, a fundamental tenet of the cloud is that there is no perimeter.”
One practice that poses particular risk to organizations is leaving ports open in order to remotely access and manage their information on the cloud. “When organizations move their development servers outside their perimeter into the cloud, they quite often use the same security policies and procedures” as if the servers were on-premise, Meizlik explained.
“This means that ports are left open….because they need access to those machines. Without the ports being open, it is difficult to connect and manage the infrastructure that is outside the perimeter. So there are a lot of servers that are left unsecure.”
Meizlik said that all a hacker needs to gain access to those servers is to guess the user name and password.
Dome9 offers a firewall-management-as-a-service that is designed for cloud infrastructure. The product scales as elastically as the infrastructure in the cloud, Meizlik explained. “It allows you to keep all of the ports closed by default. So even though your server is in the cloud and you need to be able to connect to it, instead of having to have the ports open, you can keep them closed.”
The Dome9 product has the ability to dynamically open and close the ports and allow access by a specific administrator to a specific location for a specific period of time. Once that time expires, the port is automatically closed, Meizlik said. “This lets security administrators take back security in the cloud”, he added.