Dow Jones AWS failure highlights dangers of cloud for financial sector
Posted on Thursday, September 21, 2017
Cloud systems have gained something of a reputation for “just working”, helping to accelerate uptake in all sectors, including the financial industry. However, much of this belief comes from the SaaS model; platforms like Microsoft Office 365 and Salesforce are routinely patched and upgraded by the service provider without any involvement from the subscriber.
Cloud infrastructure is somewhat different. Because platforms like AWS act as infrastructure in the cloud, providers cannot upgrade systems without endangering the stability of their clients’ custom applications.
Just as with on-site systems, CTOs need to ensure security is properly managed at the infrastructure level in the cloud too.
An example from the finance sector
As one of the largest financial information firms in the world, Dow Jones collects and stores all manner of data, of varying levels of sensitivity. To help manage their vast data stores, Dow Jones relies on the AWS S3 service.
S3 is, by default, relatively secure, ensuring that data stored in these “buckets” is not publicly accessible. In the case of Dow Jones, however, a reconfiguration by their development team left information accessible to any registered user of Amazon AWS. A very simple, very basic mistake changed their default security setting from restricted access to semi-public access.
With approximately 1 million registered AWS developers, that’s a huge potential audience of non-Dow Jones employees.
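The check below is an added example, not code from Dow Jones or AWS: it audits a bucket's access control list for grants to S3's predefined global groups, including the "any registered AWS user" group. It assumes the exposure takes the form of an ACL grant (the article does not name the mechanism), and the bucket name and sample ACL are constructed.

```python
# Added example: flag S3 bucket ACL grants that reach beyond named accounts.
# Input is a dict in the shape returned by the S3 GetBucketAcl API
# (for instance boto3's s3.get_bucket_acl). The sample below is constructed.

GROUP_BASE = "http://acs.amazonaws.com/groups/global/"
RISKY_GROUPS = {
    GROUP_BASE + "AllUsers": "public (anyone on the internet)",
    GROUP_BASE + "AuthenticatedUsers": "semi-public (any AWS account holder)",
}
# Permissions that let the grantee change objects or the ACL itself.
MODIFY_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_bucket_acl(bucket_name, acl):
    """Return one finding per grant made to a predefined global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grants to specific accounts are not assessed here
        exposure = RISKY_GROUPS.get(grantee.get("URI"))
        if exposure:
            permission = grant.get("Permission")
            findings.append({
                "bucket": bucket_name,
                "exposure": exposure,
                "permission": permission,
                "can_modify": permission in MODIFY_PERMISSIONS,
            })
    return findings


# Constructed sample: owner full control plus a READ grant to AuthenticatedUsers,
# the assumed form of the "any registered AWS user" exposure described above.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": GROUP_BASE + "AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for f in audit_bucket_acl("example-bucket", SAMPLE_ACL):
        print(f"{f['bucket']}: {f['permission']} granted to {f['exposure']}")
```

Bucket policies can also grant broad access, so an ACL audit like this covers only one of the places a bucket's permissions are set.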
A cloud skills shortage in the financial sector
IT industry analysts agree that there is a severe shortage of cloud skills available to the financial industry. In fact, there is a lack of skilled, experienced cloud engineers in all sectors.
This shortage has a serious impact; security researchers believe that misconfiguration of cloud infrastructure permissions is widespread, and that Dow Jones is not the only victim. Their suggestion is that many financial businesses are rushing to the cloud without the correct blend of cloud skills, placing their systems and data at severe risk of compromise.
Lacking cloud skills? Go slow
The headline cost savings of hosted infrastructure and the relative simplicity of creating an account blind many to the realities of the cloud. Most organizations begin their cloud journey by replicating existing infrastructure into AWS, failing to realize that configuration and security provisions are markedly different – not something that developers will inherently “know” from day one of deployment.
It is absolutely crucial that financial firms have the necessary skills on board before migrating to the cloud, or they could repeat the mistakes of Dow Jones. It may be that maintaining on-site data centers and storage is far less costly in the long run, particularly if familiarity with the systems helps to protect against a completely avoidable data leak caused by basic misconfiguration.
To learn more about reducing the cost of maintaining on-site data centers that continue to deliver the value your financial firm needs, please get in touch.