Getting tired of these ALL CAPS hysterical headlines. The Register is looking more and more like the Daily Mail of IT journalism.
Crypto boffins uncover rogue task risk on Amazon cloud
Security researchers have unearthed a flaw in Amazon Web Services that created a possible mechanism for hackers to take over control of cloud-based systems and run administrative tasks. The flaw, which affected Amazon's EC2 cloud and has already been plugged, could have been abused to start and stop virtual machines or create …
Thursday 27th October 2011 13:46 GMT dlc.usa
You Bet Your Business
I submit no organization's working component is more likely to terminate that organization's very existence than its aggregate IT component. Any CxO that doesn't understand that overarching risk should not have his/her position because, sooner or later, that organization will be bitten hard as a consequence of underfunding the crucial areas of IT, with security at the top of the list followed by loyalty and competency of the key IT employees. Competent IT employees will never buy Brand X because nobody ever got fired for doing so--to decide on such a basis demonstrates incompetency. Competent IT employees do their homework and well consider the major big picture risks of all possible choices.
I expect a lot of incompetent CxOs are going to be exposed as these cloud security lapses multiply.
Thursday 27th October 2011 21:50 GMT ed 8
NO
In-housing all IT is akin to keeping your money in a box under your bed. Does your company keep all its cash in a safe in the basement? No, it keeps it in a bank, so why does it do the same with its data and IT systems? Sure, Amazon's data center and infrastructure are going to be a big juicy target for hackers, just like banks get robbed. Like banks, they have some pretty significant security investment for that reason. Read the physical security section of this document:
http://awsmedia.s3.amazonaws.com/pdf/AWS_Security_Whitepaper.pdf
Can you honestly say that your organisation has such safeguards? 12 years working with IT departments across the UK has taught me that almost all organisations are utterly hopeless at security.
"Oh yeah, the password is adm1n or passw0rd..? What do you mean, 60 bits of entropy? I can't remember it so I put it on this Post-it and emailed it to my Hotmail."
At least EC2 goes some way to enforcing security best practice with SSH keys and such, but you people will still leave themselves wide open.
So I'm sure there will be high-profile breaches and outages.. it's inevitable, but the direction and the cost case is set in stone. The internet is just about good enough now that you can stick your IT systems "over there" and they will work just great, and it's cheaper and more secure, so happy days, quit bitchin and make sure your CV is nice and up to date.
Thursday 27th October 2011 21:57 GMT SiliconSlick
OK... that gets us to EC3 (which is worth one upvote for a hint)...
but what gets us to the "EC4 authentication systems" mentioned in the article? I'm still trying to figure out that one.
@+++ath0.... indeed... "could have" and "TAKEN OVER" is quite yellow -- journalistically speaking. I guess the vultures covered their arse with the "could have" bit, but, still, Amazon might have reason to... oh, I dunno (IANAL)... be unhappy. (???)
I will say this... as an individual about to embark on some benchmarking of AWS EC2 clusters now that they've fixed the Placement Groups problem[*], the headline certainly got my attention. After reading the article, I'll take my chances. But some corporate beancounter at some point will just read the headline and cross Amazon's AWS off the list of cloud "solutions" (resulting in a loss of revenue for Amazon... etc.etc.).
SS (not sure he would maintain a permanent presence using EC2, but would certainly keep it in the toolbox for prototyping and scalability testing... and quite curious what "EC4" is about)
[*] https://forums.aws.amazon.com/thread.jspa?threadID=78069
Wednesday 2nd November 2011 15:12 GMT Sirius Lee
A CIO's task is...
...to help the company make profit.
Like all management jobs, it's a balancing act. There is no right answer. If your competitors use an IT service (any IT service) and as a result are able to provide product faster/cheaper/better than you, what are you going to do? Pray that the competitor is hacked to show their decision was flawed?
Of course not, you have to do the same or better or risk your job. The balance is between risk and reward just as it is for all the other execs. When the CFO hedges a corporate position that hedge may fail and the company lose money. When the COO tries a new manufacturing technique it may fail and the company lose money.
It is ridiculous to suggest that CIOs should have perfect foresight or be absolutely risk averse. If you've invested in a company with a massively risk-averse IT operation, sell, or you are likely to lose some or all of your investment.