As organizations of all sizes flock to public cloud environments like Amazon S3 and Microsoft Azure, an incredible number (one report says up to 40%!) are failing to close the proverbial door behind them—and leaving huge volumes of sensitive data exposed to public view. The resulting information security problem, which has been well publicized yet remains rampant, is caused by basic configuration errors related to access permissions.
Much of this inadvertently exposed data has been found in Amazon S3 buckets, seemingly because their default access is “public.” Even some of the world’s largest and most sophisticated enterprises have invited disastrous cyber security attacks in this manner, exposing everything from backup files to virtual hard drives to login credentials for clients’ systems to their own customer lists.
Is Public Cloud Storage Safe and Secure?
Recent Events Highlight Cyber Security Risks
The recent exposure of sensitive credit, mortgage and US Census Bureau historical data from 123 million US households was just the latest in an ongoing stream of similar (and entirely avoidable) breaches. These troves of sensitive data delight hackers, who use the “digital bread crumbs” to launch targeted identity theft and other attacks around finances, criminal or medical records and even tax issues.
Other spectacular “open bucket” cloud storage data exposures in recent months include:
- Intelligence Data Exposed (November 2017) – Massive amounts of top-secret US Army intelligence data that may have compromised Pentagon systems, including private keys and hashed passwords used by a third-party contractor to access intelligence infrastructure.
- Accenture Breach Caused by Misconfigured AWS Server (October 2017) – Hundreds of gigabytes of customer and company data left unprotected on Amazon S3 by the professional services giant Accenture. This embarrassing and potentially devastating data leak underscores how even the most technically sophisticated organizations are at risk from cloud server misconfiguration. Hackers could use this data, which included passwords, decryption keys and proprietary software source code, to impersonate Accenture and infiltrate its clients’ networks and databases.
- Verizon Leaked 6 Million Users’ Personal Data (July 2017) – Verizon’s online leak of personal data impacting six million customers due to a similar security misconfiguration. Besides identity theft, hackers could use this data to sever account holders’ access to their Verizon accounts.
- RNC Voter Data Exposure (June 2017) – of a wide range of personal data on about 200 million conservative voters in a misconfigured Amazon S3 bucket belonging to Republican National Committee vendor Deep Root Analytics.
With so many companies moving data and applications to the cloud so quickly, it’s perhaps not surprising human error is occurring on a grand scale. It’s also no surprise cyber criminals are right there waiting to take advantage of these missteps.
When it’s so easy to spin up and remotely configure cloud servers, implementing security protocols can be an afterthought. These breaches underscore that security teams are finding it increasingly challenging to maintain basic security controls in the new cloud environments—putting their organizations’ network, critical applications and all manner of data at risk.
How to Keep Your Company Data Safe in the Cloud
As companies increasingly use cloud services, they need to evaluate, institute and enforce cloud security controls across IaaS environments and SaaS applications. These configuration steps (e.g., access permissions and encryption of data in the cloud) are independent of the security the cloud provider enforces.
Such policies are essential to retaining control of your data as it crisscrosses various cloud services, including those of third-party vendors as well as cloud providers. Without them, data leaks and breaches like those listed above will occur as a matter of course.
To talk about the best way for your organization to approach cloud and SaaS security, contact Pivot Point Security. We can also help you validate your current security controls are working properly and that your cloud-based resources, including those managed by third-party service providers, are secure and access is properly configured.
It’s a process made up of things you already know –
and things you may already be doing.