Welcome back to Mostly Cloudy! The Tuesday update is probably going to be a short link roundup most weeks, unless it’s a week in which one of the most prominent end-user advocates for cloud computing reveals that it was robbed by a former employee of the world’s leading cloud computing company.
This Week in Cloud: Buckets of Trouble
There’s a lot to unpack from Capital One’s stunning admission Monday evening that a former employee of Amazon Web Services stole the personal information of more than 100 million people from a customer’s S3 servers.
Paige Thompson, who worked for AWS’s S3 group for a little over a year before leaving in 2016, was arrested Monday by the FBI after posting about her exploits on GitHub, which is not really the best place to talk about crimes. The details are still a little fuzzy, but it looks like Thompson was able to take advantage of an improperly configured firewall protecting Capital One’s data on S3 and download massive amounts of personal information from people who had applied for credit cards as far back as 2005, according to KrebsOnSecurity.
The data was encrypted, as it should have been, and Capital One said most account numbers and Social Security Numbers were tokenized, where random numbers replace the real ones via a method that is separate from the encryption code. That’s good, because Thompson figured out a way to impersonate an authorized Capital One administrator and decrypt the data after she logged in with the proper access level in March 2019.
This incident could have been much worse, but it’s still really bad. Capital One is not just any AWS customer; the company has made its cloud computing strategy an important part of its marketing efforts over the last several years, appearing onstage with AWS executives several times at events to proclaim the power of their partnership and thought-leadering all over the place.
(Side note: Capital One emailed me ahead of AWS re:Invent last year [actual quote] pitching an interview with an executive about its cloud strategy, “which we rarely talk about.” Friends, I literally laughed out loud.)
Capital One took great pains to emphasize that the incident wasn’t the cloud’s fault, arguing (correctly) that it still could have totally screwed up the firewall configuration settings if it was running its own servers. All cloud customers are familiar with the “shared responsibility” security model, which AWS (via the New Stack) describes this way:
But if one of the earliest and most enthusiastic users of AWS cloud services can fall victim to a configuration error that exposed so much personal data, it’s a little scary to think about all the companies who have moved into the cloud over the last few years without nearly as much internal tech expertise as Capital One.
And an even more scary possibility: what if Thompson used knowledge about customer firewall configuration practices on S3 obtained during her short time at AWS to facilitate this attack? To be very clear, after looking into everything I could uncover on this incident over the last 24 hours, there doesn’t appear to be any evidence suggesting that’s the case.
Insider attacks are the stuff of cybersecurity nightmares. Several internet and social media companies have been forced to deal with employees who improperly accessed user data, including Google, Uber, and Facebook.
Cloud providers are light-years ahead of the average Fortune 500 company (not to mention small or medium-sized businesses) when it comes to cybersecurity, but as more and more corporate data moves into the cloud, one compromised individual could wreak havoc at an unprecedented scale. That might already be the case: several other companies are now investigating whether or not Thompson gained access to their data using her attack method.
Let’s give credit where credit is due. Capital One responded very quickly after first learning about its configuration problems, and the cloud-first strategy likely made verifying and analyzing this incident much easier.
But it’s a humbling moment for a cloud computing stalwart, and a reminder that cloud providers will only become bigger and bigger targets for criminals as more and more valuable data moves into their orbit.
Around the Cloud
Dark emerges from stealth with unique ‘deployless’ software model (TechCrunch)
This is interesting! It’s hard to imagine that too many companies are going to put all of their software deployment eggs in a startup’s basket, but Dark might be on to something with a model that facilitates one of the trickier parts of software development. On a sad note, “deployless” is a word that hurts my brain.
Microsoft acquires BlueTalon, simplifying data privacy and governance across modern data estates (Microsoft)
Digital Life These Days feels like the equivalent of driving a car before seat belts were mandatory: sure, you can do it, but good luck out there. That’s starting to change as new privacy laws take effect in Europe and gain traction in the U.S., and BlueTalon could give Microsoft Azure customers some additional tools to protect their customer data.
Google becomes third major cloud vendor to tie the knot with VMware (The Register)
VMware’s resilience at the dawn of the cloud computing era will probably be a business school case study one of these days. The data center stalwart once viewed cloud computing as an existential threat, but has successfully positioned itself as the hybrid cloud partner of choice, adding a partnership deal with Google this week after forging a ground-breaking friendship with AWS years ago and a similar deal with Microsoft earlier this year.
Satya Nadella Cheated at ‘Civilization,’ Now He Wants to Conquer Cloud Gaming: A Q&A With Microsoft’s CEO (Fortune)
Domination Victories should be easier, IMHO. (Civilization Image)
Microsoft unveiled what appeared to be a hastily conceived partnership with Sony earlier this year, and CEO Satya Nadella revealed a few more details about that deal over the weekend in an interview with Fortune. Top-tier console or PC games are basically the last form of software that people still buy as a physical product, and at some point soon games will be a SaaS product just like everything else. (Who else would pay to watch Nadella, Tim Cook, Larry Page, Jeff Bezos, and Mark Zuckerberg play a game of Civilization?)
The People With Power at Google Cloud (The Information)
When will The Information launch a tech recruiting service? A new version of one of its org charts is out detailing how new Google Cloud CEO Thomas Kurian is remaking the division with an emphasis on enterprise sales talent.
Updating Gartner’s cloud IaaS evaluation criteria (Lydia Leong)
The Magic Quadrant gets the headlines, but Gartner’s evaluations of public cloud infrastructure service providers (if you’re a client, of course) go into way more detail. Lydia Leong shared the thinking behind a re-evaluation of many of Gartner’s criteria for ranking cloud service providers, and one factor jumped out at me: “Expectations are significantly higher than in previous years.”