
To prevent disasters like the Capital One hack from happening again, experts say Amazon Web Services could do more to protect customers from themselves

Amazon Web Services CEO Andy Jassy REUTERS/Mike Blake

  • On July 29, federal prosecutors said that Capital One was hacked, affecting 100 million users.
  • The data that was breached was hosted on Amazon Web Services, but the hack itself stemmed from a vulnerability in Capital One's application — one that arose from the way the bank set up its AWS infrastructure.
  • Experts say that AWS is not at fault, and customers should be responsible for their own cloud security.
  • However, some experts say that AWS could do more to help save customers by adding more monitoring controls, educating customers about best practices, or starting a bug bounty program.

In July, Capital One faced a massive data breach that affected over 100 million people. 

Capital One stores its data on Amazon's cloud, Amazon Web Services. Notably, AWS itself wasn't hacked or otherwise compromised. Instead, the breach was apparently possible because of a misconfiguration in Capital One's cloud servers that allowed the hacker to obtain credentials and access the data in question.

"This type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments," a Capital One press release said. "The speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model."

Still, since Capital One is a major AWS customer, the incident raised questions about whether Amazon could be doing more to make its cloud safer — especially since, as the Wall Street Journal recently reported, security researchers knew about this exact type of vulnerability for years before this specific attack.


Senator Ron Wyden (D-OR) even wrote a letter to Amazon CEO Jeff Bezos, saying: "If several organisations all make similar configuration errors, it is time to ask whether the underlying technology needs to be made safer, and if the company that makes it shares responsibility for the breaches."

Amazon, for its part, told Business Insider that it does plenty to help customers like Capital One deal with cyber-threats.

"Security at AWS is our top priority. That is why we listen closely to our customers to offer both a highly secure cloud computing environment and a range of tools and resources they can leverage in building and implementing their own application-level security measures," said a spokesperson, in part. You can read Amazon's full statement below.

Steve Riley, senior research director at Gartner, says there was no mistake by AWS that allowed Paige Thompson, the suspected cyberattacker, to obtain access to sensitive information. Although Thompson previously worked for Amazon, there's no indication that the attacker had any kind of insider information that might have facilitated the breach. 



Still, Business Insider spoke with various analysts, researchers, and security companies on whether cloud providers should do more to protect their customers from making mistakes like this. Capital One did not respond to a request for comment.

"The Capital One breach doesn't alter Gartner's opinion that public cloud computing can be a more secure starting point than on-premises data centers for applications and data of all types," Riley said. "It does illustrate, however, that the cloud requires specific education and immersion into new sets of skills."

'At the end of the day, AWS is an infrastructure provider'

In general, many experts said that security is the responsibility of the customer, not the cloud provider. 


Jud Waite, senior analyst at CB Insights, says businesses shouldn't just assume that using AWS alone makes their IT infrastructure safe. 

"At the end of the day, AWS is an infrastructure provider. They provide a specific set of services for their customers. Every business is tasked with securing its own data and own applications," Waite told Business Insider. "I don't really think it's on the cloud provider to be responsible or held responsible for securing this type of information."

Josh Bosquez, chief technology officer of Armor Cloud Security, says that AWS gives customers a wide array of security tools, and plenty of documentation on how to use them, but it's up to customers to use them properly — and to obtain security products from outside vendors, too, as appropriate. 

"It's up to you as a consumer to secure your own platform," Bosquez told Business Insider. "I think AWS is one of the most advanced technology platforms that we've seen of our time. If you're not an expert in how to manage and leverage it, you can do some damage on it. They give you enough ropes to secure what you need to. You just need to follow best practices they prescribe."


Fleming Shi, CTO of Barracuda Networks, echoes these sentiments, and says that many problems begin with human error.

"The security for the application, the security of the data really relies on the duties of the application builders," Shi told Business Insider. "I will say AWS in many cases already provides the tools. It's not like they don't give you the tools. It's just because the number of assets when people are using the public cloud, they're incorrectly using it."

More monitoring

Still, some experts say that there's more that can be done on a technical level. Waite says AWS should implement a bug bounty program, similar to those run by companies like Microsoft and Apple, a program that would offer financial rewards to hackers who find flaws in its cloud.

Ravi Balupari, founder and vice president of engineering and research at ArecaBay, says that cloud providers could do more to provide customers with more controls to monitor how their data is being accessed.


He says that those customers especially need help locking down their application programming interfaces, or APIs, which allow applications to talk to each other. Indeed, Thompson allegedly achieved the hack by improperly obtaining the credentials for an API.

"If you really look at it, at the heart of a lot of these breaches, everything was about data," Balupari told Business Insider. "What people are not realizing, and what there is not emphasis on, is protecting your APIs. That's where the cloud providers need to step up and do better. This could be providing more controls so enterprises can start to look at what's going on in and out."

Riley notes that from what we know so far, the attack wasn't especially stealthy: The system itself appears to have logged the cyberattack as it happened; it apparently just went unnoticed by Capital One until a tipster let the bank know that the data was out in the wild.

In general, Riley says, it's critical that companies mitigate human error in these extremely complex systems by making sure that data access controls and permissions are airtight. Furthermore, it's important to have systems in place for checking data access logs.
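Riley's two points above, that the access was logged but went unnoticed and that someone has to actually review data access logs, are the kind of thing a small log review can operationalize. The following is an added example written for this article, not Capital One's or AWS's tooling: it runs over constructed, simplified CloudTrail-style S3 records (the field names, role names and bucket names are assumptions) and flags an identity that reads objects from many distinct buckets in a short window, or that enumerates all buckets and then starts reading from them.

```python
"""Added example, not Capital One's or AWS's own tooling: review constructed,
simplified CloudTrail-style S3 records and flag access patterns that a data
access log review should not let pass unnoticed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names and identities are assumptions
# chosen for this example; real CloudTrail records are far richer.
SAMPLE_EVENTS = [
    {"time": "2019-01-01T10:00:00Z", "identity": "role/app-server", "event": "ListBuckets", "bucket": None},
    {"time": "2019-01-01T10:00:05Z", "identity": "role/app-server", "event": "GetObject", "bucket": "customer-data-1"},
    {"time": "2019-01-01T10:00:07Z", "identity": "role/app-server", "event": "GetObject", "bucket": "customer-data-2"},
    {"time": "2019-01-01T10:00:09Z", "identity": "role/app-server", "event": "GetObject", "bucket": "customer-data-3"},
    {"time": "2019-01-01T10:00:11Z", "identity": "role/app-server", "event": "GetObject", "bucket": "customer-data-4"},
    {"time": "2019-01-01T11:30:00Z", "identity": "role/report-job", "event": "GetObject", "bucket": "reports"},
    {"time": "2019-01-01T11:30:30Z", "identity": "role/report-job", "event": "GetObject", "bucket": "reports"},
]


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_bulk_readers(events, window=timedelta(minutes=5), max_buckets=2):
    """Return {identity: sorted bucket names} for every identity that read
    objects from more than `max_buckets` distinct buckets inside any window
    of length `window`. A single application role normally touches a small,
    stable set of buckets, so exceeding the threshold is worth a human look."""
    reads_by_identity = defaultdict(list)
    for event in events:
        if event["event"] == "GetObject" and event["bucket"]:
            reads_by_identity[event["identity"]].append(
                (parse_time(event["time"]), event["bucket"]))

    findings = {}
    for identity, reads in reads_by_identity.items():
        reads.sort()
        for i, (start, _) in enumerate(reads):
            buckets = {b for t, b in reads[i:] if t - start <= window}
            if len(buckets) > max_buckets:
                findings[identity] = sorted(buckets)
                break
    return findings


def find_enumerate_then_read(events):
    """Identities that listed all buckets and then read objects. Enumeration
    followed by reads is unusual for a production role and merits review."""
    listed = {e["identity"] for e in events if e["event"] == "ListBuckets"}
    readers = {e["identity"] for e in events if e["event"] == "GetObject"}
    return sorted(listed & readers)


if __name__ == "__main__":
    print("bulk readers:", find_bulk_readers(SAMPLE_EVENTS))
    print("enumerate-then-read:", find_enumerate_then_read(SAMPLE_EVENTS))
```

The thresholds are deliberately conservative defaults; in practice they would be tuned per role from a baseline of normal activity, and the findings would feed an alert rather than a print statement.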


Educating customers

Heather Paunet, vice president of product management at Untangle, agrees that it's not Amazon's responsibility to force its customers to secure their data, especially since that's easier said than done thanks to the wide variety of products on the market.

However, she says, AWS could do more to teach customers about how to approach the problem of securing their cloud infrastructure. 

"Since their platform is being used more and more, they can play a large part in educating their customers and make sure their customers know what options they have and secure their own systems," Paunet told Business Insider.

John Yeoh, vice president of research at the Cloud Security Alliance — an industry group that counts Microsoft, Google, Amazon Web Services, Oracle, and other cloud giants as members — says cloud providers can always do more to educate their users.


"From a provider perspective, it's about educating your end users about what your limitations are," Yeoh told Business Insider. "At the same time, are you going that extra mile to ensure your customers are secure? That's when we do need to push the platforms and all the providers to do better at notifications. Are they properly configured and properly understood by end-users?"

AWS says it offers guidance to customers through documentation and resources on best security practices.

"We are constantly delivering new tools and features that help customers build and operate in a secure way, and we will continue to educate customers about the resources available to them," an AWS spokesperson said.

Here's the full statement from an AWS spokesperson:

"Security at AWS is our top priority. That is why we listen closely to our customers to offer both a highly secure cloud computing environment and a range of tools and resources they can leverage in building and implementing their own application-level security measures. AWS offers multiple layers of security to remediate threats, including the AWS Web Application Firewall (designed to thwart commonly known risks), IAM roles and policies for fine-grained limiting of credential access to only authorized systems, exfiltration detection through Amazon Macie, and anomalous behavior detection through Amazon GuardDuty. We also provide customers with prescriptive guidance in the form of extensive documentation and resources like the AWS Well-Architected Framework to help them adhere to best practices. We are constantly delivering new tools and features that help customers build and operate in a secure way, and we will continue to educate customers about the resources available to them."
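The statement above points to IAM roles and policies as the mechanism for limiting credential access to only authorized systems. As an added illustration for this article (not AWS's own code or any tool it ships), here is a small Python check over two constructed policy documents: an overly broad one granting every S3 action on every resource, and a scoped one limited to reading a single bucket. The documents follow the IAM JSON policy format; the bucket name and the rules the checker applies are assumptions made for the example.

```python
"""Added example, not AWS's own code: a least-privilege check over IAM policy
documents, contrasting an overly broad S3 grant with a scoped one."""
import json

# Constructed policy documents in the IAM JSON policy format. The bucket
# name is an assumption chosen for this example.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-app-bucket/*"]
    }
  ]
}""")


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return human-readable findings for Allow statements that grant more
    than one role should need: wildcard actions, an unrestricted resource, or
    NotAction/NotResource grants that invert the usual allow-list reasoning.
    The rules are this example's own, not an AWS-published rule set."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {index}: wildcard action {action!r}")
        for resource in _as_list(statement.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {index}: unrestricted resource '*'")
        for key in ("NotAction", "NotResource"):
            if key in statement:
                findings.append(f"statement {index}: {key} grant needs manual review")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, policy_findings(policy) or "no findings")
```

A check like this belongs in the pipeline that deploys roles, so that a credential obtained from one application server carries only the permissions that server's job requires rather than the run of every bucket in the account.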
