McAfee says cloud security not as bad as we feared… it's much worse

The average business has around 14 improperly configured IaaS instances running at any given time and roughly one in every 20 AWS S3 buckets are left wide open to the public internet. These are among the grim figures rolled out Monday by researchers with McAfee, who say that security practice has not kept up with the rapid …

  1. John Doe 6

    We haven't because those Russian, Chinese, NSA hackers didn't want us to know and the corporations providing cloud services are afraid of saying anything just yet (people are still able to move back - in a couple of years we will be megafu***d and locked in the cloud). Wait a couple of years and the bubble will crack - the world as we know it will collapse - the cloud will be taken over - and everyone will say "WTF just happened??"

  2. Anonymous Coward

    Define average

    According to McAfee, the average business uses around 1,900 cloud instances, but most of the companies they surveyed only thought they used around 30.

    Define average. I suspect that the word instance here is suffering from a severe case of mission creep to assist headline generation. If nothing else I bet that the thing that instance refers to in "1900 cloud instances" is not the same thing as the 30 instances that the companies know about.

  3. ecofeco Silver badge

    Well duh

    So... How's that cloud thing workin for ya?

    1. Anonymous Coward

      Re: Well duh

      So... How's that cloud thing workin for ya?

      More like how is that change-management/governance thing working out for ya?

    2. vtcodger Silver badge

      Re: Well duh

      Perhaps we should call it "The Fog" rather than "The Cloud". Visibility out there seems a bit obscured.

      1. Sir Runcible Spoon
        Coat

        Re: Well duh

        Isn't fog just a cloud at low altitude?

        1. Brewster's Angle Grinder Silver badge
          Coat

          Re: Well duh

          "Isn't fog just a cloud at low altitude?"

          So we need to make sure all our data centres are in orbit. That way we can sort the altitude problem and ensure we can clearly see all the instances we have.

          Mine's the spacesuit for the service call.

  4. Kevin McMurtrie Silver badge

    The number is low

    Count applications with obvious vulnerabilities and it's much, much worse. Some code monkeys can implement all of the OWASP Top Ten vulnerabilities in a day's work.

  5. Anonymous Coward

    So who's buying all these unsecured cloud instances?

    Just to set the stage, I'm a business user, not a techie. So I understand not wanting to wait on IT for some things that you can get through the cloud within your own business unit budget. However, I also understand the value of business and customer data.

    Who is buying all these instances? I don't know if BU people would buy lots of IAAS instances themselves, that is a little too technical for most BU users I know. Buying cloud storage maybe, but not really server time. Are there members of the IT team that are buying IAAS instances because they are cutting corners on provisioning services, without taking proper security and change management into account? Are coders buying these instances on their own, for Q/A and test & dev, also without properly securing their instances?

    Also, I find this bit about the average company having 1900 IAAS instances to be a bit fishy. Does a Dropbox account count as an instance? And define "average company". Is that the average publicly listed company? The average company that buys enterprise firewalls, log analysis or managed firewall/network security from McAfee and therefore provide data that McAfee uses to make these reports? Because companies that buy those bells and whistles are not "average" in any real sense of the word.

    1. big_D Silver badge

      Re: So who's buying all these unsecured cloud instances?

      The other question here is, why are these world-readable by default? Why do services like S3 even allow this, or at least ask "are you sure?", "are you really really sure?", "clicking Yes will cost you a minimum of 25,000,000€ under GDPR, do you want to continue?"

      In most of the companies I have worked for, it would be a disciplinary offence if an employee opened up a cloud account of any kind without authorization and without getting it properly security vetted, before putting any data in it.

      Heck, my current place of work makes it a disciplinary offence to use any cloud service.

      1. ILoveAWS

        Re: So who's buying all these unsecured cloud instances?

        S3 Buckets are Private by default.

    2. Pascal Monett Silver badge

      Re: Define average

      Indeed, when I read that 1900 figure I instantly thought "bullshit". I highly doubt that the 15-man garage in the village next to mine has any IaaS instance, let alone 1900 of them.

      So I went to download the report. The only mention of source I found was this :

      "based on a survey of over 1,400 IT professionals across 11 countries"

      No mention of company size, turnover range, anything. I suspect that McAfee did not bother publishing news of the survey on its web site, inviting people to answer their 100 questions. I suspect that McAfee carefully selected the companies they sent the survey to, which means that a) the company had to be big enough to attract McAfee's attention and b) it had to be big enough to have somebody willing and able to take the time to answer the survey.

      Your "average" less-than-20-employee shop does not have that kind of time and was certainly not represented in the survey.

      So I suspect that this "survey" represents the average 200-plus-employees companies that have a turnover of at least millions per month. It's certainly an average, but it is most certainly not the average company.

    3. SVV

      Re: So who's buying all these unsecured cloud instances?

      Could it be all the fools who mindlessly believed all the cloud hype they were deluged with, and thought "Ah yes, we too can cut costs by moving our servers to the cloud and getting rid of those expensive pesky sysadmin folk who always insisted on taking lots of time to do everything and kept saying no when the developers asked for things....."

      No, the cloud will do all that difficult stuff for you, anyone can do it, anytime you want something just buy another VM!

      Now the new articles will start to appear, and you will find that the inexperienced people you got will not answer the questions they pose very well :

      "What's iptables?"

      "But the instructions said the password had to be set to yourpassword so I typed that in"

      "I put the root password on the intranet so everybody could log in and fix problems"

      etc, etc

    4. Sir Runcible Spoon

      Re: So who's buying all these unsecured cloud instances?

      Who is buying all these instances? I don't know if BU people would buy lots of IAAS instances themselves, that is a little too technical for most BU users I know

      A number of large companies I've worked for have departments that are run internally like mini-businesses, so they will fund a project for a cloud service and farm that out to an internal (or third party) design team.

      Those design teams are constrained by the brief, and budget. If someone (increasingly rare, but it still happens) tries to point out that to do what they want *securely* it will take 'x' more days and 'y' more money. I'm sure you can see where this is going.

      Of course, most of the time the techies* ensure they get their security objections noted in writing so that when they are ignored at least it doesn't come back on them.

      *Well, the ones** who have been around the block a bit do at any rate.

      **Also the ones who can see that 'the light at the end of the tunnel' means 'get off the tracks'.

      1. Charles 9

        Re: So who's buying all these unsecured cloud instances?

        "Also the ones who can see that 'the light at the end of the tunnel' means 'get off the tracks'."

        But usually, by the time you DO see the light, you're hemmed in by the tunnel walls and have no way to "get off the tracks" (not even up, due to the ceiling). And turning around, you discover ANOTHER light at the OTHER end of the tunnel. Stuck like that, "get off the tracks" isn't an option. At that point, all you can do is pray.

        1. Sir Runcible Spoon
          Angel

          Re: So who's buying all these unsecured cloud instances?

          "At that point, all you can do is pray"

          You're such an optimist :P

          1. Anonymous Coward
            Devil

            Re: So who's buying all these unsecured cloud instances?

            At that point, I grab the guy next to me on the tracks and sacrifice him to the dark gods of management, but then I may be a crap co-worker...

        2. Doctor Syntax Silver badge

          Re: So who's buying all these unsecured cloud instances?

          "by the time you DO see the light"

          ....it's someone with a torch (flashlight) bringing you more work.

    5. Mr.Nobody

      Re: So who's buying all these unsecured cloud instances?

      "Are coders buying these instances on their own, for Q/A and test & dev, also without properly securing their instances?"

      Yes. Every time we turn around someone decided to launch more instances before they quit and told no one about it, let alone the teams responsible for picking up the pieces. It's hard to secure something when no one knows about it and doesn't want to turn it off because they don't know what it does.

      This is a governance issue, but I have yet to meet a developer or DevOps person that doesn't eschew any form of governance. Governance is a roadblock, slows down innovation, blah blah blah blah....

      1. Charles 9

        Re: So who's buying all these unsecured cloud instances?

        "This is a governance issue, but I have yet to meet a developer or DevOps person that doesn't eschew any form of governance. Governance is a roadblock, slows down innovation, blah blah blah blah...."

        Cave Johnson felt that way, too, IIRC (Yes, someone makes the signs IRL).

  6. Uncle Ron

    Jumble

    Either this article in general is full of confusing "averages" or the McAfee report was a totally fishy and confusing jumble of self-serving scare mongering not worth covering in El Reg. Which ?

    1. A.P. Veening Silver badge

      Re: Jumble

      How about both?

  7. yoganmahew

    FTFY

    "The recommendations for companies are fairly straightforward: McAfee says companies should NOT USE THE CLOUD!"

    Run for your lives, we're all doomed.

    1. Version 1.0 Silver badge

      Re: FTFY

      I would never put anything in The Cloud that I wouldn't put on a USB stick and leave in a public lavatory.

  8. akoepke

    "roughly one in every 20 AWS S3 buckets are left wide open to the public internet"

    Does that include buckets which are made public because that is their purpose? I manage 10 buckets and 3 of those are set for public read access. These are buckets containing website assets (mainly images) so no security issue.
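The distinction akoepke draws (a bucket that is public on purpose versus one that is public by accident) is exactly what an inventory check needs to make, and a single "public: yes/no" count cannot. The following is an added example, not code from the article or from McAfee's report: it takes the three pieces of state that decide whether an S3 bucket is reachable from the internet (the bucket ACL, the bucket policy, and the account/bucket Block Public Access settings), flags grants to the AllUsers/AuthenticatedUsers groups and `Principal: "*"` Allow statements, treats anything beyond read as unacceptable even on an intended-public bucket, and lets you mark website-asset buckets as intended. The bucket names and the ACL/policy documents are constructed sample data in the shape returned by GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock; no AWS calls are made, so it runs offline.

```python
"""Classify S3 buckets as private, intentionally public, or unintentionally public.

Added example with constructed sample data; no AWS API calls are made. Wire the
three inputs to boto3 get_bucket_acl / get_bucket_policy / get_public_access_block
to run it against a real account.
"""
import json

# ACL grantee groups that make a bucket world-readable. AuthenticatedUsers means
# "any AWS account in the world", which is public for all practical purposes.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Policy actions that only read; anything else granted to "*" is treated as worse than read.
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_public_grants(acl):
    """Grants to AllUsers/AuthenticatedUsers in a GetBucketAcl-shaped dict -> [(group, permission)]."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_statements(policy_doc):
    """Allow statements with a wildcard principal -> [(sid, actions, has_condition)].

    Conditions are deliberately not evaluated: an aws:Referer or aws:SourceIp condition
    narrows access but is trivially spoofable or wide, so the statement is still reported
    and the has_condition flag tells the reviewer to look at it by hand.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        found.append((stmt.get("Sid", ""), _as_list(stmt.get("Action", [])), "Condition" in stmt))
    return found


def assess_bucket(name, acl, policy_doc, public_access_block, intended_public=False):
    """Combine ACL, policy and Block Public Access into one status for a bucket.

    IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets neutralises a
    public bucket policy; BlockPublicAcls/BlockPublicPolicy only stop new public settings
    being applied, so they do not change the current exposure and are not consulted here.
    """
    pab = public_access_block or {}
    acl_grants = [] if pab.get("IgnorePublicAcls") else acl_public_grants(acl)
    stmts = [] if pab.get("RestrictPublicBuckets") or not policy_doc else policy_public_statements(policy_doc)
    beyond_read = any(perm != "READ" for _, perm in acl_grants) or any(
        action in ("*", "s3:*") or action not in READ_ONLY_ACTIONS
        for _, actions, _ in stmts for action in actions)
    if not acl_grants and not stmts:
        status = "private"
    elif beyond_read:
        status = "PUBLIC (more than read)"        # never acceptable, intended or not
    elif intended_public:
        status = "public-read (intended)"         # e.g. a website-assets bucket
    else:
        status = "PUBLIC-READ (unintended)"
    return {"bucket": name, "status": status, "acl_grants": acl_grants, "policy_statements": stmts}


# Constructed sample inputs (hypothetical bucket names; not from any real account).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}
ACL_PRIVATE = {"Owner": {"ID": "owner"}, "Grants": [OWNER_GRANT]}
ACL_PUBLIC_READ = {"Owner": {"ID": "owner"}, "Grants": [OWNER_GRANT, {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
POLICY_PUBLIC_READ = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-assets/*"}]})
POLICY_PUBLIC_WRITE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Uploads", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-uploads/*"}]})
PAB_OFF = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}
PAB_ON = {k: True for k in PAB_OFF}


def demo():
    """Four buckets covering the cases: intended public assets, accidental public ACL,
    public write via policy, and a fully public config neutralised by Block Public Access."""
    return [
        assess_bucket("example-assets", ACL_PRIVATE, POLICY_PUBLIC_READ, PAB_OFF, intended_public=True),
        assess_bucket("example-backups", ACL_PUBLIC_READ, None, PAB_OFF),
        assess_bucket("example-uploads", ACL_PRIVATE, POLICY_PUBLIC_WRITE, PAB_OFF),
        assess_bucket("example-locked", ACL_PUBLIC_READ, POLICY_PUBLIC_WRITE, PAB_ON),
    ]


if __name__ == "__main__":
    for result in demo():
        print(f"{result['bucket']:<16} {result['status']}")
```

The intended-public list is the part that turns "one in 20 buckets is public" into a number you can act on: keep it in source control next to the bucket definitions, and have the check fail on any PUBLIC-READ (unintended) or PUBLIC (more than read) result.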

  9. WibbleMe

    As a developer I run Node.js on my machine and any virus checker will flag the process up, so I can't have any AV software on my machine. If anyone knows how to get around this then please let me know.

    1. Charles 9

      Is there any particular reason you MUST use Node.js, then? I would take the constant warnings as a sign to find another method, if not roll your own.

      1. WibbleMe

        Sure, plenty of reasons: high end websites / ecommerce / user interfaces like facebook etc, mobile apps both Hybrid and Native types require Node.js, so as a developer you would be running the code locally and editing it, pushing the changes to a git.

  10. Anonymous Coward

    You can solve all these issues by....

    ... simply purchasing a McAfee Proxy, McAfee DLP, McAfee anti-virus, McAfee IPS, McAfee firewall. Of course.

    1. Anonymous Coward

      Re: You can solve all these issues by....

      Getting people to buy more (preferably McAfee) security is of course the goal of this survey. "Cloud is dangerous! If only you had us by your side (for a very reasonable fee, of course), you would be so much safer!!" is a fair method of promoting McAfee's offerings.

      And yes, I can definitely see how poorly secured cloud instances can get out of control in the era of "I'm just going to expense this at the end of the month. I'm already an Amazon Prime member, so I can totally get us a great deal on a few AWS instances, plus I get beaucoup points using this credit card!"

      1. GrumpyKiwi

        Re: You can solve all these issues by....

        Exactly. It's McAfee. I'll pay more interest to the topic when it's someone competent instead of McAfee saying it.

  11. bingohighway

    Is this an advert or actual news?

    McAfee bought SkyHigh CASB right? Of course they'll say everyone has configured their IaaS wrong... All you need to do now is buy their product.

    And in other news:

    "Leading report from Dyson shows that people without vacuum cleaners have dirtier carpets..."

  12. The Sprocket

    Having worked in a number of corporate environments during my career, when I heard the ‘Rhodes Scholars’ in management squeal ‘cloud’ with glee around 2006 or so, I just knew this was going to be a disaster. It has been, but nobody wanted to listen. Fortunately, I’m retired, so these bumblefuks can enjoy their nightmare. I personally ‘cloud’ nothing.
