Skip to main content
close search
site logo
Dive Brief

Cloud security burden falls on customer, Amazon exec says

Published Aug. 20, 2019
Samantha Schwartz's headshot
Samantha Schwartz Reporter

First published on

CIO Dive

Dive Brief:

  • Amazon Web Services is unaware of "any other noteworthy" compromises of AWS customers, the company's chief information security officer, Stephen Schmidt, said in response to an inquiry from Sen. Ron Wyden (D-OR) into AWS's role in the Capital One data breach.
  • The hacker exploited a "Server-Side Request Forgery" (SSRF) vulnerability to gain access, which was amplified by abusing permissions escalation, Schmidt said. Although SSRF was not the "primary factor" in the bank's breach, "it's possible that there have been small numbers of these that haven't been escalated to us."
  • Though the onus of the security gaps falls on Capital One, Schmidt said AWS is taking on several initiatives to better support customer security, including scanning the public intellectual property space for customers' firewall resources. The proactive scan will allow AWS to try to detect the presence of misconfigurations and "err on the side of over-communicating."

Dive Insight:

Capital One disclosed a data breach last month affecting 106 million customers. Its public cloud strategy and use of AWS drew criticism, though the cloud provider was quick to distance itself from responsibility.

Cloud customers, while supported by providers, have their own access management. Most of the security around the cloud is within control of the customer.

The bank had a misconfigured web application firewall (WAF), its first layer of protection, which is mostly outside AWS's purview.

AWS provides "documentation, how-to-guides and professional services" for customers' WAF set up, Schmidt said. Only customers have a true sense of "what they intended with resources under their control."

To help customers avoid the mistakes Capital One made, AWS will "redouble" its efforts to help customers adjust their "permissive permissions" to a low level, Schmidt said.

Wyden questioned the role AWS played in Capital One's breach, but AWS's response is a reminder that customers pick up the burden of security beyond the perimeter of AWS's infrastructure.

Accused hacker Paige Thompson allegedly breached more than 30 other "victim companies," law enforcement said last week. AWS contacted those companies to offer assistance and further security support, Schmidt said. Those customers have yet to report significant issues.

Capital One's exploited SSRF, however, is the only compromise of "significant scale" that AWS is aware of at this time, he said.

Filed Under: Technology, Risk

Editors' picks

  • Two people use Capital One ATMs. A sign above them reads "Check your (inner) balance"
    Image attribution tooltip
    Joe Raedle / Staff via Getty Images
    Image attribution tooltip

    Capital One warns of possible CFPB enforcement action

    The bureau notified the lender last month it’s considering action after customers sued Capital One, claiming it never told savings account holders they could get a higher yield if they switched to another product.

    By Caitlin Mullen • Nov. 1, 2024
  • Michael Barr, the Federal Reserve's vice chair for supervision, speaks during a congressional hearing, while sitting next to Martin Gruenberg, chair of the FDIC and Michael Hsu, acting comptroller of the currency
    Image attribution tooltip
    Kevin Dietsch / Staff via Getty Images
    Image attribution tooltip

    Did regulators send warning shot at already roiled BaaS space?

    It’s clear the Synapse debacle was on regulators’ minds when they issued last week’s statement highlighting risks associated with banks’ third-party partnerships, analysts said.

    By Caitlin Mullen • July 31, 2024

Company Announcements

View all | Post a press release
Cross Border Payment Solutions Launches to Help Business Take Control of International Finance
From Cross Border Payment Solutions
November 18, 2024
Unitus Community Credit Union Deploys JUDI.AI to Scale Small Business Lending
From JUDI.AI
October 31, 2024
Agent IQ and Narmi Announce Strategic Partnership to Improve Digital Banking Experiences
From Narmi
October 31, 2024
Editors' picks
  • Two people use Capital One ATMs. A sign above them reads "Check your (inner) balance"
    Image attribution tooltip
    Joe Raedle / Staff via Getty Images
    Image attribution tooltip

    Capital One warns of possible CFPB enforcement action

    The bureau notified the lender last month it’s considering action after customers sued Capital One, claiming it never told savings account holders they could get a higher yield if they switched to another product.

    By Caitlin Mullen • Nov. 1, 2024
  • Michael Barr, the Federal Reserve's vice chair for supervision, speaks during a congressional hearing, while sitting next to Martin Gruenberg, chair of the FDIC and Michael Hsu, acting comptroller of the currency
    Image attribution tooltip
    Kevin Dietsch / Staff via Getty Images
    Image attribution tooltip

    Did regulators send warning shot at already roiled BaaS space?

    It’s clear the Synapse debacle was on regulators’ minds when they issued last week’s statement highlighting risks associated with banks’ third-party partnerships, analysts said.

    By Caitlin Mullen • July 31, 2024
Latest in Technology
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell