Warning to UK Public Sector about leaky Amazon Web Services

Amazon Web Services (AWS) is currently in the news for all the wrong reasons. Its Simple Storage Service (S3) containers, known as ‘buckets’, have been successfully targeted by hackers. Large numbers of buckets have been found to be alarmingly leaky, enabling the new Buckhacker search engine tool to readily locate and access unsecured sensitive data.

AWS is one of the UK Government’s chosen cloud service providers: GOV.UK PaaS runs on AWS in Ireland (a UK-based hosting centre is planned for 2018) and is accredited for handling personal and confidential information classified at ‘Official’ level.

Users are able to search either by ‘bucket’ name, which typically includes the name of the company or organisation using the bucket, or by filename. The service collects bucket names, grabs each bucket’s index page (the object listing a publicly readable bucket returns), analyses the results and stores them in a database for others to search. There are other tools, such as AWSBucketDump, and according to the hackers exposed buckets can also be trawled for rich pickings with a specific Google search.

Buckhacker was created by anonymous hackers; one of its developers commented: “The purpose of the project is to increase the awareness on bucket security, too many companies were [sic] hit for having wrong permissions on buckets in the last years”.
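As an added defender’s check (example code, not from the original post or from Amicus ITS), the Python below inspects a bucket’s ACL and bucket policy, in the dictionary shape boto3’s get_bucket_acl and get_bucket_policy return, for the “wrong permissions” the Buckhacker developer refers to: ACL grants to the AllUsers or AuthenticatedUsers groups, and unconditional Allow statements with a wildcard principal. The sample ACL and policy are constructed; the bucket and owner names are placeholders.

```python
import json
# AWS's well-known group URIs; an ACL grant to either of these makes the bucket public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def public_acl_grants(acl):
    """(group, permission) pairs in a get_bucket_acl-style dict that expose the bucket."""
    return [(PUBLIC_GROUPS[g["Grantee"]["URI"]], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def _wildcard_principal(principal):
    # A policy Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def public_policy_actions(policy):
    """Actions that unconditional Allow statements in a bucket policy grant to everyone."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:  # conditional grants: review by hand
            continue
        if _wildcard_principal(stmt.get("Principal", {})):
            actions = stmt.get("Action", [])
            found.extend([actions] if isinstance(actions, str) else actions)
    return found

def assess_bucket(acl, policy_json=None):
    """Run both checks; an empty dict means no public grant was found."""
    result = {}
    if grants := public_acl_grants(acl):
        result["acl"] = grants
    if policy_json and (actions := public_policy_actions(json.loads(policy_json))):
        result["policy"] = actions
    return result

# Constructed sample: an ACL giving READ (bucket listing) to everyone, which is what
# index-scraping tools rely on, plus a policy allowing anonymous object downloads.
SAMPLE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

In a live audit the two inputs come from boto3’s get_bucket_acl and get_bucket_policy for each bucket in the account; a non-empty result is a finding to fix by removing the grant or statement.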

Clearly, it is in the public sector’s interests not to risk exposure of any sensitive data (theirs or the public’s), and so a prime consideration for any public sector organisation is to scrutinise the credentials, security performance and sovereignty protections of its chosen cloud provider. Public sector organisations struggle to find funding in already tight IT budgets to defend against cyber attack, but with so many different lines of attack facing them, IT managers are having to take a risk-based approach to identify where to allocate their limited funds.

Amicus ITS Director of Technology, Security & Governance JP Norman commented: “It is worth remembering that the security of the data, no matter where it resides, is the responsibility of the Data Controller in each organisation. There are ways to provide security assurance in the cloud layer that conform to the basics of Cyber Essentials. Furthermore, the right partner organisation, such as Amicus ITS, can act as a cloud broker providing proven security assurance recommendations and actions to mitigate such risks.”

At Amicus ITS, we are happy to challenge the status quo, as we brand ourselves as the safe pair of hands for our customers. So with any digital transformation journey we will ensure intelligent, joined-up thinking so that our Security and Governance views chime with those of our technical architects and sales professionals.

Alibaba secures US foothold as part of its global strategy

Following the building of its first datacentre in the US, as first announced in our blog of 10th November 2014, Chinese e-commerce company Alibaba has launched an Infrastructure as a Service (IaaS) cloud offering called Aliyun in the US. The company offers a range of IaaS cloud services including elastic compute, storage, databases, content delivery, security and analytics products.

This is all part of a long-term globalisation strategy to create data centres in Europe, Asia and the Middle East. In the fourth quarter of 2014 Aliyun reported revenues of $147 million. So far Alibaba has been targeting Chinese enterprises in the US, but it has confirmed that in the longer term it is setting its sights on America’s largest ecommerce company, Amazon, and its cloud computing division Amazon Web Services, in order to attract US business. Alibaba’s cloud computing President, Simon Hu, said: “We strongly believe our products and services can not only tap into demand from Chinese companies, but also serve overseas clients who run international businesses”. By building up relationships with US hosting partners in Silicon Valley in recent weeks, Alibaba has taken a real step closer to achieving its early goals by gaining this foothold in the States.

Both companies are dominant in their respective markets for ecommerce and IaaS, and the race is on now as each targets the other’s core customer base. However, both companies face a significant challenge in overcoming the natural suspicions of each nation towards the other on the topic of security. Despite China being the world’s richest economy (having shipped US$1.623 trillion worth of goods around the globe in 2014, up by 48.5% since 2010), data control is a very different beast to sell in contrast to electronics, manufacturing and clothes.

Amazon, along with Microsoft, has sought to enter the Chinese cloud market, but legal regulations are making it difficult for both of them. Alibaba, for its part, had to develop datacentres outside China if it was to argue against accusations of interference and controls from the Chinese government. However, given the speed of its economy’s growth in the last decade, there is clearly significant opportunity in the world market for Chinese businesses to use Alibaba.

China-based Forrester cloud analyst Frank Liu believes that Alibaba’s niche position, with a China-centric customer base going global, could prove compelling as China’s economy continues to expand. This heritage may yet prove a difficult pill for US customers to swallow, though. With only one week since the mass ‘cyber intrusion’ affecting 4 million US public sector workers (which security experts believe could only have originated from China or Russia), the thorny issue of trust within the data community will remain at the top of the agenda.