Thoughts on Cloud Governance, Part 1

Last week Rapid7 posted an interesting analysis of the Amazon S3 storage system: Apparently roughly one out of six S3 buckets (a bucket is, simply said, a kind of folder) is accessible without any authentication mechanism. Accessing those files, the Rapid7 guys were able to download a wide range of data, also comprising confidential information such as source code or employee information, comparable to past research for other platforms (see also this presentation I gave on some of the biggest Cloud #Fails)

While I have a similar opinion like Gartner’s Kyle Hilgendorf and think this is clearly not Amazon’s fault as all buckets/files are per default non-public (there were quite some sources blaming Amazon for poor “security”), there are relevant lessons to be learned (once again):

  • Most probably your organization is already using “the Cloud” — in one way or another. We have meetings/workshops where the question “Do you use any Cloud services?” is raised on a regular base. Typically most people answer in a way like “No, not yet. But we think about it.” until someone raises his hand and admits “well, for this or this particular system absolutely not processing sensitive data we use $CLOUD_SERVICE”.
  • As you (or your departments ;), aka “the business”) are using it anyways, prepare for it: If you have to deal with it, deal with it in a structured and well-governed way instead of suddenly realizing that your data is “referenced to” in reports like the one mentioned above.

I don’t think that additional tools like this or this solve “Cloud security” problems. They can provide some support, but they can never replace the development of your own Cloud strategy and governance. I admittedly wrote often that this Cloud strategy (e.g. here & here) must challenge old security models and take architectural Cloud changes into account, but never laid out how these models and changes look like — so there will be a longer post on this in the (near) future 😉

Stay tuned & take care,