LISBON – Amazon’s cloud computing customers have to decide themselves how best to protect sensitive information online, a senior executive said Tuesday, following accusations by U.S. lawmakers that the web giant has not done enough to secure data on its servers.
Amazon Web Services (AWS), the cloud computing arm of Amazon.com Inc., has come under fire following a series of high-profile data breaches, including one this year involving the personal information of 106 million people stored on its servers by Capital One Financial Corp.
Chief Technology Officer Werner Vogels said AWS provided multiple services to help customers identify if their data was being stored appropriately and flag any possible problems, but the decision about which settings to use lay with those clients.
“We feel we have a responsibility in making sure you take the right actions, but in the end it’s only you who can decide what is the right action there and what’s not,” he said on the sidelines of the Web Summit tech conference in Lisbon.
“I’m not going to look at your data thinking like ‘Hey, these are cat videos, maybe you shouldn’t do that.’” He added that customers should use tighter security controls for sensitive data such as credit card information.
Cybersecurity researchers say data hosted on AWS servers is often accidentally exposed due to mistakes made by the company’s clients configuring their security settings.
The alleged Capital One hacker, for example, was able to access the firm’s data due to a wrongly configured web application firewall, U.S. prosecutors have said.
Analysts at Gartner predict client mistakes will account for 99 percent of “cloud security failures” over the next six years.
Vogels said the AWS system warned customers with a “massive red button” when they configured online storage containers — known as buckets — to be accessible by anyone online, a setting deliberately chosen for some products and applications.
The company also provides tools which clients can run to analyze the type of data they are storing and spot commonly associated slip-ups, he said.
“If you (change) the configuration on your bucket to world-readable, you will get lots of alarm bells going off,” he said. “It’s up to the individual customer to decide what’s right and what’s wrong.”