Cloud Hosting

Attendees at Amazon.com Inc annual cloud computing conference walk past the Amazon Web Services logo in Las Vegas, Nevada, U.S., November 30, 2017. REUTERS/Salvador Rodriguez/File Photo

Sept 2 (Reuters) - Amazon.com Inc (AMZN.O) plans to take a more proactive approach to determine what types of content violate its cloud service policies, such as rules against promoting violence, and enforce its removal, according to two sources, a move likely to renew debate about how much power tech companies should have to restrict free speech.

Over the coming months, Amazon will expand the Trust & Safety team at the Amazon Web Services (AWS) division and hire a small group of people to develop expertise and work with outside researchers to monitor for future threats, one of the sources familiar with the matter said.

It could turn Amazon, the leading cloud service provider worldwide with 40% market share according to research firm Gartner, into one of the world's most powerful arbiters of content allowed on the internet, experts say.

AWS does not plan to sift through the vast amounts of content that companies host on the cloud, but will aim to get ahead of future threats, such as emerging extremist groups whose content could make it onto the AWS cloud, the source added.

A day after publication of this story, an AWS spokesperson told Reuters that the news agencys reporting "is wrong," and added "AWS Trust & Safety has no plans to change its policies or processes, and the team has always existed."

A Reuters spokesperson said the news agency stands by its reporting.

Amazon made headlines in the Washington Post on Aug. 27 for shutting down a website hosted on AWS that featured propaganda from Islamic State that celebrated the suicide bombing that killed an estimated 170 Afghans and 13 U.S. troops in Kabul last Thursday. They did so after the news organization contacted Amazon, according to the Post.

The discussions of a more proactive approach to content come after Amazon kicked social media app Parler off its cloud service shortly after the Jan. 6 Capitol riot for permitting content promoting violence. read more

Amazon did not immediately comment ahead of the publication of the story on Thursday. After publication, an AWS spokesperson said later that day, "AWS Trust & Safety works to protect AWS customers, partners, and internet users from bad actors attempting to use our services for abusive or illegal purposes. When AWS Trust & Safety is made aware of abusive or illegal behavior on AWS services, they act quickly to investigate and engage with customers to take appropriate actions."

The spokesperson added that "AWS Trust & Safety does not pre-review content hosted by our customers. As AWS continues to expand, we expect this team to continue to grow."

Activists and human rights groups are increasingly holding not just websites and apps accountable for harmful content, but also the underlying tech infrastructure that enables those sites to operate, while political conservatives decry what they consider the curtailing of free speech.

AWS already prohibits its services from being used in a variety of ways, such as illegal or fraudulent activity, to incite or threaten violence or promote child sexual exploitation and abuse, according to its acceptable use policy.

Amazon investigates requests sent to the Trust & Safety team to verify their accuracy before contacting customers to remove content violating its policies or have a system to moderate content. If Amazon cannot reach an acceptable agreement with the customer, it may take down the website.

Amazon aims to develop an approach toward content issues that it and other cloud providers are more frequently confronting, such as determining when misinformation on a company's website reaches a scale that requires AWS action, the source said.

A job posting on Amazons jobs website advertising for a position to be the "Global Head of Policy at AWS Trust & Safety," which was last seen by Reuters ahead of publication of this story on Thursday, was no longer available on the Amazon site on Friday.

The ad, which is still available on LinkedIn, describes the new role as one who will "identify policy gaps and propose scalable solutions," "develop frameworks to assess risk and guide decision-making," and "develop efficient issue escalation mechanisms."

The LinkedIn ad also says the position will "make clear recommendations to AWS leadership."

The Amazon spokesperson said the job posting on Amazons website was temporarily removed from the Amazon website for editing and should not have been posted in its draft form.

AWS's offerings include cloud storage and virtual servers and counts major companies like Netflix (NFLX.O), Coca-Cola (KO.N) and Capital One (COF.N) as clients, according to its website.

PROACTIVE MOVES

Better preparation against certain types of content could help Amazon avoid legal and public relations risk.

"If (Amazon) can get some of this stuff off proactively before it's discovered and becomes a big news story, there's value in avoiding that reputational damage," said Melissa Ryan, founder of CARD Strategies, a consulting firm that helps organizations understand extremism and online toxicity threats.

Cloud services such as AWS and other entities like domain registrars are considered the "backbone of the internet," but have traditionally been politically neutral services, according to a 2019 report from Joan Donovan, a Harvard researcher who studies online extremism and disinformation campaigns.

But cloud services providers have removed content before, such as in the aftermath of the 2017 alt-right rally in Charlottesville, Virginia, helping to slow the organizing ability of alt-right groups, Donovan wrote.

"Most of these companies have understandably not wanted to get into content and not wanting to be the arbiter of thought," Ryan said. "But when you're talking about hate and extremism, you have to take a stance."

Reporting by Sheila Dang in Dallas; Editing by Kenneth Li, Lisa Shumaker, Sandra Maler, William Mallard and Sonya Hepinstall

Our Standards: The Thomson Reuters Trust Principles.

Read more:
EXCLUSIVE Amazon considers more proactive approach to determining what belongs on its cloud service - Reuters

In this special guest feature, Asher Benbenisty, Director of Product Marketing at Algosec, looks at how organizations can solve the problems of managing and maintaining security in hybrid, multi-cloud environments. Also discussed is the common confusion over cloud ownership, and how organizations can get consistent control and take advantage of agility and scalability without compromising on security. Asher is an experienced product marketing professional with a diverse background in all aspects of the corporate marketing mix, product/project management as well as technical expertise. He is passionate about bringing innovative products that solve real business problems to the market. When not thinking of innovative products, Asher enjoys outdoor running especially by the ocean.

Move fast and break things is a familiar motto. Attributed to Facebook CEO Mark Zuckerberg, it helps to explain the companys stellar growth over the past decade, driven by its product innovations. However, while its a useful philosophy for software development, moving faster than youd planned is a risky approach in other areas, as organizations globally realized during the COVID-19 pandemic. While 2020 saw digital transformation programs advance by up to seven years, enterprises quick moves to the cloud also meant that some things got damaged along the way including security.

Arecent survey conducted with the Cloud Security Allianceshowed that over half of organizations are now running over 41% of their workloads in public clouds, compared to just one quarter in 2019, and this will increase further by the end of 2021. Enterprises are moving fast to the cloud, but they are also finding that things are getting broken during this process.

11% of organizations reported a cloud security incident in the past year, with the three most common causes being cloud provider issues (26%), security misconfigurations (22%), and attacks such as denial of service exploits (20%). In terms of the business impact of these disruptive cloud outages, 24% said it took up to 3 hours to restore operations, and for 26% it took over half a day.

As a result, Its no surprise that organizations have significant concerns about enforcing and managing security in the cloud. Their leading concerns were maintaining overall network security, a lack of cloud expertise, problems when migrating workloads to the cloud, and insufficient staff to manage their expanded cloud environments. So, what are the root causes of these cloud security concerns and challenges, and how should enterprises address them?

Confusion over cloud control

When asked about which aspects of security worried them most when running applications in public clouds, respondents overwhelmingly cited getting clear visibility of topologies and policies for the

entire hybrid network estate, followed by the ability to detect risks and misconfigurations.

A key reason for these concerns is that organizations are using a range of different controls to manage cloud security as part of their application orchestration. 52% use cloud-native tools, and 50% reported using orchestration and configuration management tools such as Ansible, Chef and Puppet. However, nearly a third (29%) said they use manual processes to manage cloud security.

In addition, theres competition for overall control over cloud security: 35% of respondents said their security operations team managed cloud security, followed by the cloud team (18%), and IT operations (16%). Other teams such as network operations, DevOps and application owners all figured too. Having different teams using multiple different controls for security limits overall visibility across the hybrid cloud environment, and also adds significant complexity and management overheads to security processes. Any time you need to make a change, you need to duplicate the work across each of these different controls and teams. This results in security holes and the types of misconfiguration-based incidents and outages we mentioned earlier.

How to move fast and not break things

So how can organizations address these security and management issues, and get consistent control over their cloud and on-prem environments, so they can take full advantage of cloud agility and scalability without compromising on security? Here are the four key steps:

With a network security automation solution handling these steps, organizations can get holistic, single-console security management across all of their public cloud accounts, as well as their private cloud and on-premises deployments. This helps them to solve the cloud complexity challenge and ensures faster, safer and more compliant cloud management making it possible for organizations to move fast in response to changing business needs without breaking things.

Sign up for the free insideBIGDATAnewsletter.

Join us on Twitter:@InsideBigData1 https://twitter.com/InsideBigData1

The rest is here:
How to Move Fast in the Cloud Without Breaking Security - insideBIGDATA

Executive Summary.

Attackers do not target Linux environments because Windows is the most used operating system globall is a belief many in the technology hold. With this one false belief attackers are creating havoc on companies Linux based environments by creating and transitioning Windows malware to:

There is a notion in our community that added Linux operating system security features, such as Security-Enhanced Linux (SELinux) along with cloud provider offerings such as cloud-based firewall rules and access management, offer security by default. Companies do not need to focus on the hardening of the cloud server itself.

Myths such as these can lead companies to suffer devastating losses. When securing Linux servers, whether physical or in the cloud, the basics still remain the same. Just because a server is running Linux does not mean you can be lenient on security practices on the server itself. A companys security posture frequently relies on cloud providers security controls, and while they do provide help, if the company does not know what code is running on their servers the effectiveness of the providers security controls are negated.

Software development has changed drastically over the past several years to meet the need for faster time to market conditions. To accommodate these requirements, developers are increasing the frequency of their code deployments. Capital One reports they are currently deploying up to 50 times per day for a single product, with Amazon, Google, and Netflix deploying thousands of times per day. With the frequency of these code changes, it is becoming increasingly difficult for security teams to adapt their monitoring and hardening practices.

New code deployments can alter a servers expected behavior. Suppose companies are focusing their monitoring on behavior-based detection. In that case, new code deployments can lead to false positives, which create an additional workload for teams. Security teams often report that its challenging to address these situations as they do not have enough visibility into what code is running on their servers. Thus, they must spend a significant amount of time investigating them. If attackers can craft their code to fit with the expected behavior, no alerts are triggered, and a compromise could occur without any detection. However, companies are often worried about deploying new security solutions as they may degrade performance by using vital resources or slowing down the development process.

Attackers focus on Windows as its the worlds most used operating system.

The number of threats that Linux servers face are downplayed due to another common myth about the popularity of Linuxs usage around the world. The belief is that Windows is the primary operating system in use, and while this might be true for desktop computers, when it comes to Linux cloud or physical servers, the numbers say it all.

Currently 500 of the worlds fastest supercomputers are running on Linux. These systems are used for everything from advancing artificial intelligence to helping save lives by potentially aiding in COVID-19 gene analysis and vaccine research.

96.3% of the worlds servers are running Linux.

83.1% of developers say they prefer to work on the Linux platform than any other operating system.

In the past decade, researchers have discovered many advanced persistent threat campaigns targeting Linux systems using adapted Windows malware, as well as unique Linux malware tools tailored for espionage operations. Once the code was modified to work in Linux environments, there was no barrier to shifting these attacks to new targets. One example is IPStorm; researchers first saw this malware in 2019 targeting Windows systems. IPStorm has now evolved to target other platforms such as Android, Linux, and Mac devices, leading to increased compromised systems of more than 13,500. Detecting if systems are compromised is not always difficult; however, many businesses are unaware they should examine their devices until they see this attacks impact. The increase in compromised systems has led some to call IPStorm one of the most dangerous malware in existence.

Perhaps one of the leading factors for attackers deciding to morph their attack strategies is the growth of cloud technology and the increasing number of cloud providers making the transition to Linux-based environments easier than ever.

Even governments have embraced Linuxs usage in their environments. For example, in 2001, the White House transitioned to the Red Hat Linux-based distribution. The US Department of Defense migrated to Linux in 2007, and the US Navys warships have been using Red Hat since 2013. The US is not alone in this transition. The Austrian capital of Vienna and the government of Venezuela have also adopted the use of Linux.

Open-source software is inherently secure, due to the visibility of the code and contributions from the community.

Attackers contribute to open-source projects as well. For example, we have seen NPM packages that contained code providing access to the environmental variables, allowing for the collection of information for the host device.

Not everyone has the skills to understand the code, so despite seeing the installed code, the compromise can go undetected. When an issue is reported, an experienced developer reviews the code, then writes a patch. Once this work is done, we wait for the new code to be approved. Dont forget during this time unknowing parties would still be using these packages.

Once a fix is available, many companies still do not upgrade the new code. The State of Software Security (SOS) analyzed 85,00 applications and found that over 75% shared similar code. 47% of these had flawed libraries used by multiple applications; 74% of these libraries could have been fixed with a simple upgrade.

Our Linux environments are just as vulnerable as any other environment. All of these myths around Linux security fall short because they do not take into account what history has taught us, that breaches do happen.

In order to have a healthy security posture, companies need to grow beyond the idea that all breaches can be prevented and address the need for visibility of the code running within their workloads.

Webinar: Is Linux Secure By Default?

Blog: 2020 Set a Record for New Linux Malware Families

Read this article:
The myths behind Linux security. - The CyberWire

It's no secret that a small handful of enormous companies dominate the internet as we know it. But the internet didn't always have services with a billion users and quasi-monopolistic control over search or shopping. It was once a loose collection of individuals, research labs, and small companies, each making their own home on the burgeoning world wide web.

That world hasn't entirely died out, however. Through a growing movement of dedicated hobbyists known as self-hosters, the dream of a decentralized internet lives on at a time when surveillance, censorship, and increasing scrutiny of Big Tech has created widespread mistrust in large internet platforms.

Self-hosting is a practice that pretty much describes itself: running your own internet services, typically on hardware you own and have at home. This contrasts with relying on products from large tech companies, which the user has no direct involvement in. A self-hoster controls it all, from the hardware used to the configuration of the software.

My first real-world reason for learning WordPress and self-hosting was the startup of a podcast, KmisterK, a moderator of Reddit's r/selfhosted community, told Motherboard. I quickly learned the limitations of fake unlimited accounts that were being advertised on most shared hosting plans. That research led to more realistic expectations for hosting content that I had more control over, and it just bloomed from there.

Edward, co-creator of an extensive list of self-hosted software, similarly became interested in self-hosting as a way to escape less-than-ideal circumstances. I was initially drawn to self-hosting by a slow internet connection and a desire to share media and information with those I lived with," he told Motherboard. I enjoyed the independence self-hosting provided and the fact that you owned and had control over your own data.

Once you're wrapped up in it, it's hard to deny the allure of the DIY self-hosted internet. My own self-hosting experiences include having a home server for recording TV and storing media for myself and my roommates, and more recently, leaving Dropbox for a self-hosted, free and open source alternative called Syncthing. While Ive been happy with Dropbox for many years, I was paying for more than I needed and ran into issues with syncing speed. With a new Raspberry Pi as a central server, I had more control over what synced to different devices, no worries about any storage caps, and of course, faster transfer speeds. All of this is running on my home network: nothing has to be stored on cloud servers run by someone else in who-knows-where.

My experience with Syncthing quickly sent me down the self-hosting rabbit hole. I looked at what else I could host myself, and found simply everything: photo collections (like Google Photos); recipe managers; chat services that you can connect with the popular tools like Discord; read-it-later services for bookmarking; RSS readers; budgeting tools; and so much more. There's also the whole world of alternative social media services, like Mastodon and PixelFed, to replace Twitter, Facebook, and Instagram, which can be self-hosted as a private network or used to join others around the world.

Self-hosting is something I've found fun to learn about and tinker with, even if it is just for myself. Others, like KmisterK, find new opportunities as well. Eventually, a career path started with it, and from there, being in the community professionally kept me personally interested as a hobby. Edward also found a connection with his career in IT infrastructure, but still continues self-hosting. It is nice to be able to play around in a low risk/impact environment, he said.

But beyond enjoyment, self-hosters share important principles that drive the desire to self-hostnamely, a distrust of large tech companies, which are known to scoop up all the data they can get their hands on and use it in the name of profit.

Despite new privacy laws like Europe's General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA), the vast majority of Americans still don't trust Big Tech with their privacy. And in recent years, the countless privacy scandals like Cambridge Analytica have driven some tech-savvy folks to take matters into their own hands.

I think that people are becoming more privacy conscious and while neither these laws, nor self-hosting can currently easily resolve these concerns, I think that they can at least alleviate them, said Edward.

Some self-hosters see the rising interest in decentralized internet tools as a direct result of Silicon Valley excess. The growth of self-hosting does not surprise me, nodiscc, a co-creator and maintainer of the self-hosted tech list, told Motherboard. People and companies have started realizing the importance of keeping some control over their data and tools, and I think the days of 'everything SaaS [Software as a Service]' are past.

Another strong motivator comes from large companies simply abandoning popular tools, along with their users. After all, even if you're a paying customer, tech companies offer access to services at their whim. Google, for example, is now infamous for shutting down even seemingly popular products like Reader, leaving users with no say in the matter.

KmisterK succinctly summarized the main reasons people have for self-hosting: curiosity and wanting to learn; privacy concerns; looking for cheaper alternatives; and the betrayed, people who come from platforms like Dropbox or Google Photos or Photobucket or similar, after major outages, major policy changes, sunsetting of services, or other dramatic changes to the platform that they disagree with. This last one is probably the majority gateway to self-hosting, based on recent traffic to r/selfhosted, he says. Look no further than their recent Google Photos megathread and recent guides from self-hosters on the internet. For me, changes in LastPass, even as a paid user, had me looking elsewhere.

nodiscc also noted the different reasons people self-host, saying, There would be many... technical interest, security/privacy, customization, control over the software, self-reliance, challenge, economical reasons, political/Free software activism. Looking at the growth of self-hosting over the years, Edward says, These aren't comprehensive reasons but I expect that privacy-consciousness, hardware availability and more mainstream open-source software have contributed to the growth of self-hosting.

These are all good reasons why self-hosting is so essential. Self-hosting brings freedom and empowerment to users. You own what you use: you can change it, keep it the same, and have your data in your own hands. Much of this derives from the free (as in freedom to do what you like) nature of self-hosting software. The source code is freely available to use, modify, and share. Even if the original author or group stops supporting something, the code is out there for anyone to pick up and keep alive.

Despite the individualistic nature of self-hosting, there is a vibrant and growing community.

Much of this growth can be seen on Reddit, with r/selfhosted hitting over 136,000 members and continuing to rise, up from 84,000 just a year ago. The discussions involve self-hosting software that spans dozens of categories, from home automation, genealogy, and media streaming to document collaboration and e-commerce. The list maintained by nodiscc and the community has grown so long that its stewards say it needs more curation and better navigation.

The quality of free and easy-to-use self-hosting software has increased too, making the practice increasingly accessible to the less-technically savvy. Add to that the rise of cheap, credit card-sized single-board computers like the Raspberry Pi, which lower the starting costs of creating a home server to as little as $5 or $10. Between high-available hosting environments, to one-click/one-command deploy options for hundreds of different softwares, the barrier for entry has dramatically been lowered over the years, said KmisterK.

Of course, even the most dedicated self-hosters admit that it isn't for everyone. Having some computing knowledge is fairly essential when it comes to running your own internet services, and self-hosting will never truly compete with big-name services that make it exponentially easier," KmisterK said.

But while self-hosters may never number enough to put a serious dent in Big Tech's offerings, there is aclear need and benefit to this alternative space. And I can't think of a better model for the kind of DIY community we can have, when left to our own devices.

Read the original:
Meet the Self-Hosters, Taking Back the Internet One Server at a Time - VICE