This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today in Health it Microsoft Azure Vulnerability. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of this week in Health IT a channel dedicated to keeping health IT staff current and engaged. VMware has been committed to our mission of providing relevant content to health IT professionals since the start.
They recently completed an executive study with MIT on the top Healthcare trends, shaping it, resilience, covering how the pandemic drove unique transformation in healthcare. I. This is just one of the many resources they have for healthcare professionals. For this and several other great content pieces, check out vmware.com/go/healthcare.
Alright, here is today's story, and this is a big one if you are in Microsoft's cloud. So Microsoft warns thousands of cloud customers of exposed databases. This comes from Reuters, and I'm just gonna read a couple clips here from the story. Microsoft on Thursday warned thousands of its cloud computing customers, including some of the world's largest companies that intruders could have the ability to read, change, or even delete their main databases.
According to a copy of an email and a cybersecurity researcher, the vulnerability is in Microsoft Azure's flagship Cosmos db. Database. A research team at Security Company Wiz discovered it was able to access keys that control access to databases held by thousands of companies. Wiz, chief Technology Officer, Amy lut, wack.
Is a former Chief Technology Officer at Microsoft's Cloud Security Group because Microsoft cannot change those keys by itself. It emailed the customers Thursday telling them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding the flaw in reporting it according to an email it's sent to Wiz.
We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated. Vulnerability disclosure, Microsoft told Reuters Microsoft's email to customers said there was no evidence the flaw had been exploited. We have no indication that external entities outside of the researcher Wizz had access to the primary read write key.
The email said this is the worst cloud vulnerability you can imagine. It is a long lasting secret look like Told Reuters. This is the central database of Azure and we were able to get access to any customer's database that we wanted Lit. WAX team found the problem, dubbed Chaos DB on August 9th, and notified Microsoft on August 12th Lit Wax said it goes on.
The flaw was in a visualization tool called Jupiter Notebook. Which has been available for years, but was enabled by default in Cosmos, beginning in February after Reuters reported on the flaw. Wiz detailed the issue in a blog post. Litwack said Even customers who have not been notified by Microsoft.
Could have had their keys swiped by attackers giving them access until those keys are changed. Microsoft only told customers whose keys were visible this month when Wiz was working on the issue, Microsoft told Reuters, the customers who may have been impacted received a notification from us without elaborating.
It closes out with this. Problems with Azure are especially troubling because Microsoft and outside security experts have been pushing companies to abandon most of their own infrastructure and rely on the cloud for more security. But though cloud attacks are more rare. They can be more devastating when they occur.
What's more, some are never publicized. A federally contracted research labs tracks all known security flaws in software and rates them by severity. But there is no equivalent system for holes in cloud architecture. So many critical vulnerabilities remain undisclosed to users. Ludwick said. So there you have it.
What's the so what for this? Anytime we do a security. Story, the so what is gonna be to be as secure as you possibly can. So no matter what your architecture or where it is, hosted security is your responsibility. This is a big one. I would assume you already know this. You know about this if you are in the Azure Cloud, if you're using these databases, you've been notified and you've changed your keys.
But if you haven't. It's probably imperative that you do it. This story came out last week. You've been notified for over a week. These keys need to be changed immediately, but I will caution you against the natural knee jerk reaction, which is to say, see, the cloud isn't secure, or The cloud has vulnerabilities.
Of course, the cloud has vulnerabilities. This is why security is always your responsibility. But the reality is we have far more holes in our locally run data centers than we have in our cloud systems, and we have many more. . Professionals who are working on these cloud systems who oversee them. Now, I'm not saying that in, in order to say we abdicate our responsibility in terms of security, we should always be working on security.
We should always oversee any of our hosting providers, be it a co-location arrangement, or a full-blown cloud outsource or even a cloud application outsource. Security remains your responsibility. That's all for today. If you know someone that might benefit from our channel, please forward them a note.
They can subscribe on our website this week, health.com or wherever you listen to podcasts. Apple, Google Overcast, Spotify, Stitcher, I. You get the picture. We are everywhere. We wanna thank our channel sponsors who are investing in our mission to develop the next generation of health leaders, VMware Hillrom, Starbridge Advisors, McAfee and Aruba Networks.
Thanks for listening. That's all for now.