Amazon Web Services Customers Can Hack AWS Cloud And Steal Data

Amazon Web Services Customers Can Hack AWS Cloud And Steal Data, Says Oracle CTO Larry Ellison.
(Note: After an award-winning career in the media business covering the tech industry, Bob Evans was VP of Strategic Communications at SAP in 2011, and Chief Communications Officer at Oracle from 2012 to 2016. He now runs his own firm, Evans Strategic Communications LLC.)
CLOUD WARS — Oracle founder Larry Ellison this week said businesses using arch-rival Amazon’s AWS cloud have become major cybersecurity threats because the AWS cloud architecture allows them to see and steal data belonging to other customers using the AWS cloud.
Ellison made the remarks in a keynote at Oracle’s annual OpenWorld conference on Monday while extolling the advantages of Oracle’s new Generation 2 Cloud versus traditional cloud architecture such as what he said Amazon currently uses.
The comments were striking because while cybersecurity has unquestionably become one of the major issues for business leaders in our increasingly digital economy, the blame for cyberattacks and cybercrime has rarely been put on customers—instead, organized teams of cybercriminals and/or nation-states looking to exploit digital weaknesses in other countries have almost always been named as the culprits.
But Ellison on multiple occasions cited AWS “customers” as the agents or potential agents of data manipulation, data exfiltration and data theft—and I’ll offer verbatim examples from his keynote in just a moment.
Before getting to those verbatim comments, I want to offer a few thoughts that help provide some context for Ellison’s remarks—because while cybersecurity and cyberattacks have been a major theme in some of Ellison’s recent public presentations, he has never, as far as I can discover, cited “customers” as the bad guys.
So let’s take a look at Ellison’s verbatim comments about customers as cyber threats and cybercriminals, which I transcribed from the video archive of his keynote address:
Those are very strong words about the business customer that are using the enterprise cloud. I asked the Oracle spokesperson if she could share any data that supports what Ellison was saying—for example, does Oracle consider that 10 percent of customers engage in cybercrime in the way Ellison described, or is it 25 percent, or something higher?—but Oracle did not offer any such facts. Here’s the statement I received from Oracle:
“The point is that bad actor can pose as customers on any public cloud, so from the perspective of an actual customer, a bad actor is a “customer.”
“You can have bad actors using cloud instances for distributing unlawful content or performing otherwise forbidden tasks (crypt mining) while paying for their cloud instances with stolen credit cards. You can also deal with sophisticated attackers who will attempt to make use of malicious code and known vulnerabilities in an attempt to break multi-tenant separation (recent highly publicized vulnerabilities come to mind). So…Yes. Bad actors posing as customers in the cloud are potential cyber threats. We prevent bad actors from committing nefarious acts. Bad actors posing as customers are to clouds, what insider threats are to traditional on-premises environments…
“There is nothing stopping operatives from a rogue nation, for instance, from posing as a business of some kind, and opening an account with any public cloud vendor. From that standpoint, they are a customer – but they are also a bad actor who, once set up inside Microsoft or Amazon or Google cloud, to name a few, can start using malicious code to either mess with the infrastructure’s control code or attempt to move sideways to steal data from other (legitimate) customers.
“From the standpoint of a legitimate customer, using such a less-secure-than-Oracle cloud vendor, that bad actor LOOKS LIKE A CUSTOMER.
Since public cloud vendors aren’t the FBI or other law enforcement, they can’t be in the business of vetting the legitimacy of customer x or customer y.
Thus, bad actors posing as “customers” are a potential threat agent that Oracle can protect its other customers from by, among other security measures, isolating control code from software that manages the virtual machines or bare metal servers used by other customers.” (End of Oracle response.)
To be sure, those are all very reasonable thoughts. But Larry Ellison’s a very reasonable guy—so why didn’t he at least allude to a couple of these points during his hour-long keynote?
So Oracle’s just unveiled a sophisticated new “Generation 2 Cloud” to help customers avoid becoming victims of cyberattacks in the cloud, and Oracle’s also warning its good customers to watch out for its bad customers and/or truly bad guys posing as customers.
All in all, more proof that life’s never dull in the Cloud Wars.
I’ve analyzed and written about the enterprise-tech business for more than 20 years from the media side as an editor-in-chief and chief content officer, and more recently as Chief Communications Officer at Oracle from 2012-2016. I’ve written thousands of articles and columns…MORE
As businesses jump to the cloud to accelerate innovation and engage more intimately with customers, my Cloud Wars series analyze the major cloud vendors from the perspective of business customers.
Join the Conversation
Sheriff
Just nowThis is a fantastic breakdown of the technology! We are already looking at how we can implement these specific architecture patterns into our upcoming project sprints to improve scalability.
Ready to build something
extraordinary?
Join forward-thinking companies that trust Digitalbes to deliver scalable, high-performance digital solutions. Let's turn your vision into measurable growth.
