We haven't because those Russian, Chinese, NSA hackers didn't want us to know and the corporations providing cloud services are afraid of saying anything just yet (people are still able to move back - in a couple of years we will be megafu***d and locked in the cloud). Wait a couple of years and the bubble will crack - the world as we know it will collapse - the cloud will be taken over - and everyone will say "WTF just happened ??"
McAfee says cloud security not as bad as we feared… it's much worse
The average business has around 14 improperly configured IaaS instances running at any given time and roughly one in every 20 AWS S3 buckets are left wide open to the public internet. These are among the grim figures rolled out Monday by researchers with McAfee, who say that security practice has not kept up with the rapid …
COMMENTS
-
Tuesday 30th October 2018 01:41 GMT Anonymous Coward
Define average
According to McAfee, the average business uses around 1,900 cloud instances, but most of the companies they surveyed only thought they used around 30.
Define average. I suspect that the word instance here is suffering from a severe case of mission creep to assist headline generation. If nothing else I bet that the thing that instance refers to in "1900 cloud instances" is not the same thing as the 30 instances that the companies know about.
-
Tuesday 30th October 2018 04:10 GMT Anonymous Coward
So who's buying all these unsecured cloud instances?
Just to set the stage, I'm a business user, not a techie. So I understand not wanting to wait on IT for some things that you can get through the cloud within your own business unit budget. However, I also understand the value of business and customer data.
Who is buying all these instances? I don't know if BU people would buy lots of IAAS instances themselves, that is a little too technical for most BU users I know. Buying cloud storage maybe, but not really server time. Are there members of the IT team that are buying IAAS instances because they are cutting corners on provisioning services, without taking proper security and change management into account? Are coders buying these instances on their own, for Q/A and test & dev, also without properly securing their instances?
Also, I find this bit about the average company having 1900 IAAS instances to be a bit fishy. Does a Dropbox account count as an instance? And define "average company". Is that the average publicly listed company? The average company that buys enterprise firewalls, log analysis or managed firewall/network security from McAfee and therefore provides the data that McAfee uses to make these reports? Because companies that buy those bells and whistles are not "average" in any real sense of the word.
-
Tuesday 30th October 2018 08:29 GMT big_D
Re: So who's buying all these unsecured cloud instances?
The other question here is, why are these world read by default? Why do services like S3 even allow this, or at least ask "are you sure?", "are you really really sure?", "clicking Yes will cost you a minimum of 25,000,000€ under GDPR, do you want to continue?"
In most of the companies I have worked for, it would be a disciplinary offence if an employee opened up a cloud account of any kind without authorization and without getting it properly security vetted, before putting any data in it.
Heck, my current place of work makes it a disciplinary offence to use any cloud service.
-
Tuesday 30th October 2018 08:59 GMT Pascal Monett
Re: Define average
Indeed, when I read that 1900 figure I instantly thought "bullshit". I highly doubt that the 15-man garage in the village next to mine has any IaaS instance, let alone 1900 of them.
So I went to download the report. The only mention of source I found was this:
"based on a survey of over 1,400 IT professionals across 11 countries"
No mention of company size, turnover range, anything. I suspect that McAfee did not bother publishing news of the survey on its web site, inviting people to answer their 100 questions. I suspect that McAfee carefully selected the companies they sent the survey to, which means that a) the company had to be big enough to attract McAfee's attention and b) it had to be big enough to have somebody willing and able to take the time to answer the survey.
Your "average" less-than-20-employee shop does not have that kind of time and was certainly not represented in the survey.
So I suspect that this "survey" represents the average 200-plus-employees companies that have a turnover of at least millions per month. It's certainly an average, but it is most certainly not the average company.
-
Tuesday 30th October 2018 09:47 GMT SVV
Re: So who's buying all these unsecured cloud instances?
Could it be all the fools who mindlessly believed all the cloud hype they were deluged with, and thought "Ah yes, we too can cut costs by moving our servers to the cloud and getting rid of those expensive pesky sysadmin folk who always insisted on taking lots of time to do everything and kept saying no when the developers asked for things..."
No, the cloud will do all that difficult stuff for you, anyone can do it, anytime you want something just buy another VM!
Now the new articles will start to appear, and you will find that the inexperienced people you got will not answer the questions they pose very well:
"What's iptables?"
"But the instructions said the password had to be set to yourpassword so I typed that in"
"I put the root password on the intranet so everybody could log in and fix problems"
etc, etc
-
Tuesday 30th October 2018 10:07 GMT Sir Runcible Spoon
Re: So who's buying all these unsecured cloud instances?
Who is buying all these instances? I don't know if BU people would buy lots of IAAS instances themselves, that is a little too technical for most BU users I know
A number of large companies I've worked for have departments that are run internally like mini-businesses, so they will fund a project for a cloud service and farm that out to an internal (or third party) design team.
Those design teams are constrained by the brief, and budget. If someone (increasingly rare, but it still happens) tries to point out that to do what they want *securely* it will take 'x' more days and 'y' more money. I'm sure you can see where this is going.
Of course, most of the time the techies* ensure they get their security objections noted in writing so that when they are ignored at least it doesn't come back on them.
*Well, the ones** who have been around the block a bit do at any rate.
**Also the ones who can see that 'the light at the end of the tunnel' means 'get off the tracks'.
-
Tuesday 30th October 2018 12:04 GMT Charles 9
Re: So who's buying all these unsecured cloud instances?
"Also the ones who can see that 'the light at the end of the tunnel' means 'get off the tracks'."
But usually, by the time you DO see the light, you're hemmed in by the tunnel walls and have no way to "get off the tracks" (not even up, due to the ceiling). And turning around, you discover ANOTHER light at the OTHER end of the tunnel. Stuck like that, "get off the tracks" isn't an option. At that point, all you can do is pray.
-
Tuesday 30th October 2018 12:33 GMT Mr.Nobody
Re: So who's buying all these unsecured cloud instances?
"Are coders buying these instances on their own, for Q/A and test & dev, also without properly securing their instances?"
Yes. Every time we turn around, someone decided to launch more instances before they quit and told no one about it, let alone the teams responsible for picking up the pieces. It's hard to secure something when no one knows about it and doesn't want to turn it off because they don't know what it does.
This is a governance issue, but I have yet to meet a developer or DevOps person that doesn't eschew any form of governance. Governance is a roadblock, slows down innovation, blah blah blah blah....
-
Wednesday 31st October 2018 15:34 GMT Charles 9
Re: So who's buying all these unsecured cloud instances?
"This is a governance issue, but I have yet to meet a developer or DevOps person that doesn't eschew any form of governance. Governance is a roadblock, slows down innovation, blah blah blah blah...."
Cave Johnson felt that way, too, IIRC (Yes, someone makes the signs IRL).
-
Tuesday 30th October 2018 09:29 GMT akoepke
"roughly one in every 20 AWS S3 buckets are left wide open to the public internet"
Does that include buckets which are made public because that is their purpose? I manage 10 buckets and 3 of those are set for public read access. These are buckets containing website assets (mainly images) so no security issue.
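The two posts above raise the same operational question from opposite sides: big_D asks why S3 lets a bucket be world-readable at all, and akoepke points out that some public buckets (website assets) are public on purpose. Here is an added audit example, not code from the article or from any commenter, that classifies bucket records shaped like `get-bucket-acl` / `get-bucket-policy` / `get-public-access-block` output into private, intentionally public and unintentionally public; the `public-website` tag convention and the sample inventory are constructed assumptions.

```python
# The two "everyone" grantee groups in S3 ACLs (documented AWS group URIs).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEE_URIS = {ALL_USERS, AUTH_USERS}
READ_ACTIONS = {"s3:*", "s3:Get*", "s3:GetObject"}

def acl_is_public(acl):
    """True if an ACL grants READ or FULL_CONTROL to AllUsers/AuthenticatedUsers."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                return True
    return False

def policy_is_public(policy):
    """True if a bucket policy statement allows object reads to Principal '*'."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and anyone and READ_ACTIONS & set(actions):
            return True
    return False

def classify_bucket(bucket):
    """Return 'private', 'public-intended' or 'public-unintended' for one bucket record."""
    pab = bucket.get("PublicAccessBlock", {})  # S3 Block Public Access settings, if any
    acl_exposed = acl_is_public(bucket.get("Acl", {})) and not pab.get("IgnorePublicAcls")
    policy_exposed = policy_is_public(bucket.get("Policy", {})) and not pab.get("RestrictPublicBuckets")
    if not (acl_exposed or policy_exposed):
        return "private"
    # Assumed convention: an explicit tag marks buckets that are public on purpose.
    if bucket.get("Tags", {}).get("public-website") == "true":
        return "public-intended"
    return "public-unintended"

def audit(buckets):
    """Map bucket name -> classification; the 'public-unintended' entries are the finding."""
    return {b["Name"]: classify_bucket(b) for b in buckets}

# Constructed sample inventory shaped like get-bucket-acl / get-bucket-policy output.
SAMPLE_BUCKETS = [
    {"Name": "site-assets", "Tags": {"public-website": "true"}, "Policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::site-assets/*"}]}},
    {"Name": "hr-exports", "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}},
    {"Name": "backups", "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
     "PublicAccessBlock": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
]
```

Only the `public-unintended` buckets are findings; the tagged website bucket is reported separately so an inventory like akoepke's (3 public out of 10 by design) does not show up as a misconfiguration.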
-
Tuesday 30th October 2018 16:16 GMT Anonymous Coward
Re: You can solve all these issues by....
Getting people to buy more (preferably McAfee) security is of course the goal of this survey. "Cloud is dangerous! If only you had us by your side (for a very reasonable fee, of course), you would be so much safer!!" is a fair method of promoting McAfee's offerings.
And yes, I can definitely see how poorly secured cloud instances can get out of control in the era of "I'm just going to expense this at the end of the month. I'm already an Amazon Prime member, so I can totally get us a great deal on a few AWS instances, plus I get beaucoup points using this credit card!"
-
Wednesday 31st October 2018 08:46 GMT bingohighway
Is this an advert or actual news?
McAfee bought SkyHigh CASB right? Of course they'll say everyone has configured their IaaS wrong... All you need to do now is buy their product.
And in other news:
"Leading report from Dyson shows that people without vacuum cleaners have dirtier carpets..."
-
Wednesday 31st October 2018 13:00 GMT The Sprocket
Having worked in a number of corporate environments during my career, when I heard the ‘Rhodes Scholars’ in management squeal ‘cloud’ with glee around 2006 or so, I just knew this was going to be a disaster. It has been, but nobody wanted to listen. Fortunately, I’m retired, so these bumblefuks can enjoy their nightmare. I personally ‘cloud’ nothing.