Recently it was reported that attackers are installing DDoS bots on Amazon Cloud. These days the cloud seems to be getting quite a bad reputation when it comes to security issues, but in reality, it’s largely the laziness of users that gets them into these situations. Amazon Web Services (AWS) is very transparent about what the customer needs to protect, but people seemingly either don’t listen or can’t be bothered.
James Brown, director of solution architecture EMEA at Alert Logic, expands further on the customer’s responsibilities in this particular situation and what they can do to keep their applications secure:
“Depending on the hosting platform, the customer will be responsible for some or all of the application’s security. AWS is very clear in stating that customers are responsible for keeping their application software up to date and goes into some level of detail on the ‘Shared Security Model’ that it uses.
AWS provides a very secure infrastructure base that a customer can build upon; however, customers have to take the responsibility of securing the applications that run on the AWS platform. This is not something that AWS can do for you. In this case it appears that an old version of a popular open source search engine server had a known vulnerability which has been exploited. Keeping software up to date is a critical component of security, as well as running security software that is native to cloud environments to help detect and prevent breaches. With its rapid provisioning model, scalability and monthly consumption model, cloud security can be far cheaper and easier to run than people realise.
The victims of these attacks could have been hosted on any cloud platform, hosted services or even on-premise – if you run applications with known vulnerabilities in them, you are running a huge risk. This is not an AWS issue; it is an issue for whoever administers those servers. With the shared security model that cloud platforms provide, it is vital that customers use tools like Intrusion Detection Systems, Vulnerability Detection, Web Application Firewalls and Log Management to build upon the security that their provider is giving them. These services are all available in the cloud, and can even be backed by a managed 24x7 security service so that the customer does not need to hire those skills internally.”