Amazon is not just the kingpin of online retail. Increasingly, thanks to Amazon Web Services (AWS), the Seattle-based company is at the center of many companies' clouds.

The rise of AWS is impressive, and Amazon owes much of its success to the breadth and depth of its cloud platform, which is used by hundreds of thousands of customers, large and small. 

It's not always easy for Amazon, however. In the world of cloud computing, when it rains, it pours, and Amazon has fallen victim to several high-profile outages this year.

And now one of the most popular products in the AWS family, Amazon Elastic Compute Cloud (EC2), is coming under fire from researchers who claim that many of the Amazon Machine Images (AMIs) that are made available to EC2 customers are home to security vulnerabilities and malware. Forbes' Andy Greenberg details:

Researchers at France’s Eurecom technology institute, Northeastern University and the security firm SecludIT ran automated scanning tools on more than 5,000 of the virtual machine images published on Amazon’s catalog of virtual machines set up with preset software and configurations and ready to run on Amazon’s Elastic Compute Cloud (EC2) service.

The results, which the team plans to present in a paper at the Symposium on Applied Computing next March, aren’t pretty: 22% of the machines were still set up to allow a login by whoever set up the virtual machine’s software–either Amazon or one of the many other third party companies like Turnkey and Jumpbox that sell preset machine images running on Amazon’s cloud. Almost all of the machines ran outdated software with critical security vulnerabilities, and 98% contained data that the company or individual who set up the machine for users had intended to delete but could still be extracted from the machine.

Amazon's response? EC2 customers have complete control over the AMIs they make available publicly, and customers who use those AMIs are responsible for their use of them. To be sure, this response is a fair one.

While it's somewhat disturbing to think about the risks created by AMIs laden with vulnerabilities, malware and personal data, it's important to recognize that the ability to publicly distribute AMIs, and use AMIs offered by other customers, is for convenience. The AMIs do not come with any guarantees and competent customers should know this.

There is one key takeaway, however: the cloud is increasingly putting power in the hands of individuals who may not be equipped to use it. For many companies, the system administrator is a thing of the past.

After all, if you no longer have a farm of collocated servers and your developer is capable of firing up new servers on demand through cloud platforms like Amazon's, why pay to keep a sysadmin on staff or contract?

The reality, of course, is that not all developers and individuals tasked with building systems in the cloud have the expertise they really need.

A developer, for instance, might have no problem setting up a development environment on a Linux EC2 server, but does he or she know how to secure it, or check to make sure that the AMI used is free from malware? And what happens when your developer thinks he's doing the community a favor by publicly sharing an AMI, but forgets or doesn't know how to remove your most confidential data?
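As an added illustration (not from the original article or the researchers' tooling), a publisher could run a check like this over a mounted image before sharing it, flagging the two kinds of residue the study reports: working login credentials and leftover user files. The file-name list, category labels and sample tree are assumptions constructed for the example, and it does not attempt to recover deleted data from free disk space.

```python
import os
import tempfile

# Assumed list of file names that commonly hold leftover user data or secrets.
LEFTOVER_NAMES = {".bash_history", ".mysql_history", "id_rsa", "id_dsa", "credentials"}

def audit_image_root(root):
    """Return sorted (category, location) findings for a mounted image root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getsize(path) == 0:
                continue  # empty files and symlinks carry no residue of their own
            rel = os.path.relpath(path, root)
            if name == "authorized_keys":
                findings.append(("login-key", rel))      # publisher can still SSH in
            elif name in LEFTOVER_NAMES:
                findings.append(("leftover-data", rel))
    shadow = os.path.join(root, "etc", "shadow")
    if os.path.isfile(shadow):
        with open(shadow, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                fields = line.rstrip("\n").split(":")
                # '*' or '!' prefix means locked; a hash or an empty field permits login.
                if len(fields) > 1 and not fields[1].startswith(("*", "!")):
                    findings.append(("login-password", "etc/shadow:" + fields[0]))
    return sorted(findings)

def build_sample_root(base):
    """Write a constructed sample tree standing in for a mounted image."""
    files = {
        "root/.ssh/authorized_keys": "ssh-rsa AAAAEXAMPLE publisher@build-host\n",
        "root/.bash_history": "mysql -u admin -pEXAMPLE\n",
        "home/ubuntu/.ssh/authorized_keys": "",
        "etc/shadow": "root:$6$EXAMPLESALT$EXAMPLEHASH:15000::::::\ndaemon:*:15000::::::\n",
        "etc/hostname": "ami-template\n",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for category, where in audit_image_root(build_sample_root(tmp)):
            print(category, where)
```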

At the end of the day, the apparent prevalence of dangers lurking in Amazon AMIs is a result of the same thing that led to so many high-profile websites going down for the count when one Amazon AWS region failed: companies believing that developers can and should do everything now that they're in the cloud.

In most cases, developers can't do everything and those companies that ask their developers to play the role of system architect or system administrator will inevitably learn this the hard way.

Published 9 November, 2011 by Patricio Robles

Patricio Robles is a tech reporter at Econsultancy.

Comments (1)

Matt Illston

Good points raised here - I think maybe it unfairly targets Amazon, as most cloud systems, and in fact most dedicated servers, VPSs and often some shared hosting servers aren't patched to the latest level, have old, unsupported versions of web server and Operating Systems and are left for the customer to update.

The key here is the ease at which these new, individual virtual servers in the cloud are so easy for non sys-admins to set up and not much more expensive than the old shared solutions. At least with the shared solution you (should) get the patches applied for you...

Often cloud servers come bundled with CMS software, name server software, GUIs for managing the server, mail relaying software and so on which means that the end user just needs to play with the point and click admin interface to get things going, but might not realise it needs regularly updating.

Maybe Amazon and other cloud solutions, Rackspace for example, should make more of their (more expensive) managed solutions, and people signing up should realise that if they are not a sys-admin, then cheap is not always cheerful!

almost 5 years ago
