Although the Amazon backup system Wharton uses could have leakages related to user-indicated settings, the school claims its precautions will prevent any issues.
A recent report by penetration testing company Rapid7 indicated that one in six storage buckets that Rapid7 found which are stored in the Amazon Simple Storage Service, which is used in the Wharton School for classroom recording backups, has been set as open to the public.
This may lead to potential leakages of sensitive and confidential information for users, but is an issue caused by a settings misconfiguration by owners of the information rather than Amazon itself.
“The worst case scenario is that a bucket has been marked as ‘public,’ exposes a list of sensitive files, and no access controls have been placed on those files,” Rapid7 security researcher Will Vandevanter wrote in the report.
However, Antonio Vivas, IT director of Wharton Computing, indicates that the information Wharton keeps in the Amazon S3 server is secure.
“[Information breach] is always a concern, but in order to watch classroom recordings, students have to be authenticated and authorized in Spike; videos are never exposed to the public directly,” he said in an email.
Starting two years ago, Wharton transitioned from backing up classroom recordings on tape to storing them in Amazon’s cloud server. The transition was mainly motivated by the fact that backing up recordings to tape was inefficient and unreliable, with the process taking up to three days. The amount of data to be backed up at that time is approximately one terabyte, the equivalent of the storage capacity of around four computer hard drives.
This transition also indicates a significant save in costs of backing up classroom recordings. Currently, the school only has to pay for the transferring of information out of the school server.
The savings is estimated to be up to $100k a year, according to Vivas. This includes eliminated expenses on buying physical tapes, licensing fees and storage fees needed to keep a local copy of 12 terabytes of data. Moreover, under the current Penn contract, the school is not charged for storing data with Amazon as well as transferring data into Amazon servers.
Currently, most classroom recordings of Wharton classes are available through Spike to all Wharton students. Some selected recordings are only available to students enrolled in that particular class and require authorization in order to be viewed.
The cloud-based backup system offers many benefits in improving reliability and efficiency, according to Vivas. Besides being able to record and store more data without being physically constrained by the school’s back-up system, Amazon also provides complementary services.
“We are taking [] advantage of Amazon streaming capabilities,” he said, “which removes the need of having a major streaming infrastructure.”
This article has been updated to reflect that the potential security issue comes from user-controlled settings and that security has not been breached. In addition, the one in six buckets set to the public by the user are in the group Rapid7 found.
The Daily Pennsylvanian is an independent, student-run newspaper. Please consider making a donation to support the coverage that shapes the University. Your generosity ensures a future of strong journalism at Penn.
DonatePlease note All comments are eligible for publication in The Daily Pennsylvanian.