Don’t leave your Amazon S3 buckets exposed

Anyone with access to the internet who knew the right URL could retrieve all the data that was left online by marketing analytics company Alteryx. This is the second major exposure of data stored and improperly managed in the Amazon Web Services S3 storage service.

In the Alteryx case, it was apparent that the firm had purchased the information from Experian, as part of a data set called ConsumerView. Alteryx uses this data to provide marketing and analytics services. It put the data in AWS S3—and forgot to lock the door.

In November, files detailing a secret US intelligence collection program were leaked in the same manner, also stored in S3. The program, led by US Army Intelligence and Security Command, a division of the National Security Agency, was supposed to help the Pentagon get real-time information about what was happening on the ground in Afghanistan in 2013 by collecting data from US computer systems on the ground. Much as in the Alteryx case, the data was exposed by a misconfigured S3 bucket.

Here’s the deal: AWS defaults to closing access to data in S3, so in both cases someone had to configure S3 to expose the data. Indeed, S3 has the option to provide data over the web, if configured to do so. So, this is not an AWS issue, but one of stupidity, naïveté, or ignorance by people running their S3 instances.

Public cloud providers often say that they are not responsible for ineffective, or in these cases nonexistent, security configurations that leave data exposed. You can see why.

In these cases, white hat hackers informed those in charge about the exposure. But I suspect that many other such mistakes have been uncovered by people who quietly collect the data and move on into the night.

The fix for this is really common sense: Don’t actively expose data that should not be exposed. You need to learn about security configurations and processes before you bring the public cloud into your life. Otherwise, this kind of avoidable stuff will keep happening.

Powered by WPeMatico

How the end of net neutrality will affect enterprise cloud computing

I hate writing about politics because the topic is so polarizing. However, I’ve had enough questions about the net neutrality issue that I felt InfoWorld readers needed some preliminary guidance about its effect on enterprise-grade cloud computing.

The U.S. Federal Communications Commission has repealed the net neutrality rules it passed just two and a half years ago. This move has sent a lot of people over the edge, in terms of its potential impact on consumers, small businesses, and small websites. Moreover, there is a lot of speculation that the prices for internet-delivered media services, such as Netflix and Amazon Prime Video, could significantly increase.

The FCC’s 2015 rules prohibited broadband providers from selectively blocking or slowing web traffic. However, they never covered enterprise internet services, which are typically offered through customized arrangements. The 2015 regulations did protect small businesses’ access to the internet.

Republicans, including FCC Chairman Ajit Pai, have long criticized net neutrality rules as needless, costly regulations on internet service providers. Indeed, Republicans have argued that the rules discourage investment in broadband networks. This is based on the assertion that the regulations limit the kinds of business models ISPs can deploy.

Although many tech companies supported the now-gone net neutrality rules, there are a few that didn’t. Technology providers such as Oracle and Cisco Systems promoted the 2017 FCC plan to repeal net neutrality. The 2015 regulations discouraged investment in broadband, Oracle senior vice president Kenneth Glueck wrote in a letter to the FCC.

So, who’s right? Who’s wrong? And how will this affect the use of cloud for enterprises?

First, if you’re a company with more than $1 billion in revenue, the end of net neutrality is unlikely to affect you. You typically have custom, negotiated agreements in place with ISPs that limit or eliminate any throttling they can do. Enterprises that use a particular cloud provider more than others can typically get dedicated lines installed from the enterprise to the cloud provider’s datacenter. That bypasses the effects of net neutrality’s elimination altogether.

Businesses with less than $1 billion in revenue who place websites on cloud providers and who do most of their IT in the cloud have more reason to be concerned. Most ISPs have said that they won’t throttle traffic for small customers, and they won’t limit access based on what you pay for. Even the notion of packet prioritization has been raised as a concern because it could tilt the scale in favor of favored businesses, though the ISPs have not made moves in that direction either—yet.

So, not much changes today. However, if I were in an IT shop at a small business, I would be running network monitoring as soon as possible to see whether cloud performance or access is being limited by bandwidth throttling. I suspect you won’t find anything unusual right after the rules have been lifted, but it’s better to trust and verify than blindly trust.

Although the big companies that use the cloud are mostly immune from the effects of the net neutrality changes, I suggest they keep an eye out as well. Remember: The customers who use the cloud have the ultimate authority: the ability to vote with their dollars.


Cloud migration: How to know if you’re going too fast or too slow

Companies have decreased their spending on traditional system deployments to fund their cloud migration activities. Indeed, the IaaS market—including Amazon Web Services, Microsoft, and Google—has been exploding with growth over 40 percent in revenue per year since 2011, according to Gartner. And Gartner forecasts 300 percent growth for IaaS between 2016 and 2020.

What’s most astounding is the shift in IT spending. The on-premises budgets for IT infrastructure will fall from 70.2 percent in 2016 to 57 percent by 2018, according to IDC—an 18.8 percent decline. In other words, the IaaS portion of IT infrastructure spend is rising from 29.8 percent to 43 percent—a 44.2 percent increase.

Although a few enterprises are slow to start—and some have yet to start—their migrations to the cloud, many enterprises are blasting forward, with the funding and support to cloud-enable most of their enterprise IT by 2020.

While there may appear to be a party going on and you’ve not been invited, my advice to enterprises is to proceed to the cloud at your own measured pace. Indeed, while the growth numbers are impressive, I can’t help but think that some enterprises are moving so fast to the cloud that they are bound to make some very costly mistakes, such as not dealing with security, governance, and operations properly for cloud-based systems. I’ve been making a nice living over the last year fixing these.

But the larger danger is that you’re not taking advantage of what public cloud services can offer enterprise IT—and your business. Enterprises that are sitting on the fence are perhaps losing money because they are missing out on the cost and strategic benefits of the cloud. Most don’t bother to do the ROI analysis and planning, so they have no idea of how they are damaging their business.

So, at what pace should you move to the cloud? The answer lies within your enterprise. Don’t go faster or slower to match the pace of the enterprises down the street. Instead, look at your own requirements and business problems first, then examine the best approaches and technologies to meet those requirements and solve your problems.


Data integration is one thing the cloud makes worse

One, enterprises have too many decisions to make. Two, it’s difficult to find success with complex data integration. Those are the two main excuses I hear these days, as enterprises move to the cloud. Whatever the justification, the lack of attention to data integration is beginning to cause some real damage. 

So, what went wrong? Enterprises have so much coming at them that they don’t think about every approach and technology that they need to think about. Security, management, monitoring, and governance are getting the attention they need, but data integration has fallen off the radar screen.

A byproduct of this behavior? More data silos. We all know that data silos are bad, but we seem to be building more data silos—not only on premises but in the public cloud. 

Data silos by themselves are not bad if they are integrated with other data silos. This means that as one silo is updated, the other silos are aware of the update and can immediately exchange information. 

The idea is that you need a “single source of truth” for data, using an old Oracle phrase. A single record of a customer, inventory, sales, or other information you want to track. 

But without a data integration strategy and technology, a single source of data truth is not possible. Systems become islands of automation unto themselves, and it doesn’t matter if they are in the public cloud or not.

The cloud makes many things better, but it makes data integration worse. Indeed, as you migrate applications and data to the cloud, as well as build new applications and databases, chances are you’re forgetting about data integration. 

The result is a far-diminished value of the systems you use, because the data is redundant and out of sync. Enterprise IT should treat data as a single consistent resource that can span all systems and platforms, both cloud and noncloud. If you overlook this aspect, you won’t find the business value you’re seeking. 
