Amazon Web Services Customers Can Hack AWS Cloud And Steal Data, Says Oracle CTO Larry Ellison.
(Note: After an award-winning career in the media business covering the tech industry, Bob Evans was VP of Strategic Communications at SAP in 2011, and Chief Communications Officer at Oracle from 2012 to 2016. He now runs his own firm, Evans Strategic Communications LLC.)
CLOUD WARS — Oracle founder Larry Ellison this week said businesses using arch-rival Amazon’s AWS cloud have become major cybersecurity threats because the AWS cloud architecture allows them to see and steal data belonging to other customers using the AWS cloud.
Ellison made the remarks in a keynote at Oracle’s annual OpenWorld conference on Monday while extolling the advantages of Oracle’s new Generation 2 Cloud versus traditional cloud architecture such as what he said Amazon currently uses.
The comments were striking because while cybersecurity has unquestionably become one of the major issues for business leaders in our increasingly digital economy, the blame for cyberattacks and cybercrime has rarely been put on customers—instead, organized teams of cybercriminals and/or nation-states looking to exploit digital weaknesses in other countries have almost always been named as the culprits.
But Ellison on multiple occasions cited AWS “customers” as the agents or potential agents of data manipulation, data exfiltration and data theft—and I’ll offer verbatim examples from his keynote in just a moment.
Before getting to those verbatim comments, I want to offer a few thoughts that help provide some context for Ellison’s remarks—because while cybersecurity and cyberattacks have been a major theme in some of Ellison’s recent public presentations, he has never, as far as I can discover, cited “customers” as the bad guys.
- It’s essential to understand that Oracle and Amazon are arch-rivals in the cloud, and that relative to Amazon’s whopping market share in the public-cloud infrastructure segment, Oracle’s presence is almost nonexistent. So Ellison clearly had a purpose in attempting to make a dramatic case for how and why Oracle’s new “Gen 2 Cloud” is radically different from and superior to the traditional architecture used by AWS—and perhaps he figured the “customer” angle would draw attention.
- When I reached out to Oracle’s communications team to request some data or research that would substantiate Ellison’s contentions that business customers using the AWS cloud have become major cybersecurity threats, I was told that “bad actors can pose as customers on any public cloud, so from the perspective of an actual customer, a bad actor is a ‘customer.’” I’ll share more of the rationale from that Oracle spokesperson as well.
- And third, it’s important to remember that while Ellison has been quite forceful and eloquent in highlighting the danger of not only cybercrime but also cyberterrorism, he has not to my knowledge ever spoken of business customers as being part of that threat. So why make that huge change now, particularly knowing that his OpenWorld keynotes always draw huge interest? By contrast, to see how he’s framed his thoughts on cybersecurity in the past, please check out two of my earlier Forbes.com pieces: Equifax Breach ‘Won’t Be Isolated Attack,’ Says Oracle Founder Larry Ellison and Larry Ellison on Cyber Attacks: ‘It’s A War—And We’re Losing This Cyberwar’.
So let’s take a look at Ellison’s verbatim comments about customers as cyberthreats and cybercriminals, which I transcribed from the video archive of his keynote address:
- “If you look at the AWS cloud, in that machine could be one customer, could be multiple customers—but in that machine is the AWS cloud-control code sharing the computer with customer code. That means you better trust your customers—you better trust all your customers.”
- “If you’re going to let your customers inject code—or use the computer that you use to control the cloud—if you’re going to let customers share that computer, the computer you use to control your cloud—and those customers are smart—they can look at your cloud-control code. They can change your cloud-control code; they can move from one computer to the other. They can look at other customers’ data.”
- “They can schedule—the other customers’ data is exfiltrated out of the cloud someplace else. And they can make sure that you get the bill—twice! You pay for the exfil[tration], and your data is lost.”
- “If you have a single shared computer running your cloud and running your customer code, one customer can see the other customer’s data, Amazon can see your data, and the customers can change the Amazon code and hack the system and take control of the code and steal data.”
- “But we will never put our cloud-control code in this same computer that has customer code—that creates an incredible vulnerability to our cloud-control system. So we’ve added a completely separate network of dedicated cloud-control computers that not only protect the perimeter of the cloud—protect from threats coming from the outside and getting into the cloud—but we also form a perimeter around each individual customer zone. So customers can’t get out of their zone and into your And they can’t hack our cloud-control computer because there’s no way to access it—there’s no access to our cloud-control computer. They can’t look at the memory, they can’t add code, they can’t do anything to it—it’s an isolated network they can’t get at.”
Those are very strong words about the business customers that are using the enterprise cloud. I asked the Oracle spokesperson if she could share any data that supports what Ellison was saying—for example, does Oracle consider that 10 percent of customers engage in cybercrime in the way Ellison described, or is it 25 percent, or something higher?—but Oracle did not offer any such facts. Here’s the statement I received from Oracle:
“The point is that bad actors can pose as customers on any public cloud, so from the perspective of an actual customer, a bad actor is a “customer.”
“You can have bad actors using cloud instances for distributing unlawful content or performing otherwise forbidden tasks (crypto mining) while paying for their cloud instances with stolen credit cards. You can also deal with sophisticated attackers who will attempt to make use of malicious code and known vulnerabilities in an attempt to break multi-tenant separation (recent highly publicized vulnerabilities come to mind). So…Yes. Bad actors posing as customers in the cloud are potential cyber threats. We prevent bad actors from committing nefarious acts. Bad actors posing as customers are to clouds, what insider threats are to traditional on-premises environments…
“There is nothing stopping operatives from a rogue nation, for instance, from posing as a business of some kind, and opening an account with any public cloud vendor. From that standpoint, they are a customer – but they are also a bad actor who, once set up inside Microsoft or Amazon or Google cloud, to name a few, can start using malicious code to either mess with the infrastructure’s control code or attempt to move sideways to steal data from other (legitimate) customers.
“From the standpoint of a legitimate customer, using such a less-secure-than-Oracle cloud vendor, that bad actor LOOKS LIKE A CUSTOMER.
Since public cloud vendors aren’t the FBI or other law enforcement, they can’t be in the business of vetting the legitimacy of customer x or customer y.
Thus, bad actors posing as “customers” are a potential threat agent that Oracle can protect its other customers from by, among other security measures, isolating control code from software that manages the virtual machines or bare metal servers used by other customers.” (End of Oracle response.)
To be sure, those are all very reasonable thoughts. But Larry Ellison’s a very reasonable guy—so why didn’t he at least allude to a couple of these points during his hour-long keynote?
So Oracle’s just unveiled a sophisticated new “Generation 2 Cloud” to help customers avoid becoming victims of cyberattacks in the cloud, and Oracle’s also warning its good customers to watch out for its bad customers and/or truly bad guys posing as customers.
All in all, more proof that life’s never dull in the Cloud Wars.
I’ve analyzed and written about the enterprise-tech business for more than 20 years from the media side as an editor-in-chief and chief content officer, and more recently as Chief Communications Officer at Oracle from 2012-2016. I’ve written thousands of articles and columns…
As businesses jump to the cloud to accelerate innovation and engage more intimately with customers, my Cloud Wars series analyzes the major cloud vendors from the perspective of business customers.