A recent data breach at Dow Jones exposed data including names, addresses, and partial credit card numbers from millions of customers, according to a Monday report from UpGuard. The reason for the leak? Dow Jones simply chose the wrong permission settings for the Amazon Web Services (AWS) S3 data repository.
By configuring the settings the way it did, Dow Jones essentially gave any AWS user access to the data. While this seems like an oversight that would be easily caught by an admin, common-sense mistakes are rampant among large companies racing to get their data to the cloud.
In July 2017, Verizon confirmed a leak of data from some 6 million customers, brought on by a poorly chosen security setting on an S3 repository. Additionally, a GOP voter records leak of the personal data of almost 200 million Americans, called the “largest ever” of its kind, was also attributable to poor S3 security.
So, what gives? Is AWS to blame for all these breaches affecting S3? In short, the answer is no. In an effort to move quickly to the cloud, gaining the competitive advantages promised therein, many organizations overlook key steps in securing their cloud data.
RSA senior director of advanced cyber defense Peter Tran said that cloud security is in a “delicate state of transition,” with a massive surge of cloud migrations happening in the past year. Additionally, the desire to move to the cloud as fast as possible has been driven by organizations looking to get away from aging legacy infrastructure and take advantage of cloud flexibility. And the sheer speed of the “cloud first” movement has led to security gaps, specifically regarding identity management and access controls, Tran said.
“The ‘lumpiness’ in cloud security happens when business risks aren’t aligned to technology risks and there are blind spots in design, deployment, implementation, governance, policy and compliance….flying a plane with no windows or instruments….exposures and mistakes can happen,” Tran said.
When it comes to data security in the enterprise, the margin for error is slim. But, it’s even smaller when it comes to cloud security, Tran noted. If you miss the mark even slightly, the results could be catastrophic.
According to Rob Enns, vice president of engineering for Bracket Computing, the prevalence of the S3 breaches highlights the fact that organizations must own their cloud security–they cannot outsource it.
“Enterprise security architectures must expand to include cloud services in addition to on-premise data centers,” Enns said. “To manage complexity in these new environments, consistency from on-premise to cloud (and across cloud service providers) and enabling IT to retain control of information security gives application architects and developers a base on which they can move fast while remaining compliant with the enterprise’s security requirements.”
When considering a public cloud storage provider, Tran said, businesses should look at both the Service Level Objective (SLO) and Service Level Agreement (SLA) to determine what level of risk they’re willing to take on, as they address different issues. Sometimes, the risk is too much and it needs to be left on the table.
The 3 big takeaways for TechRepublic readers
- Poor cloud security practices have led to AWS S3 data leaks at Dow Jones, Verizon, and a GOP voter analytics firm, putting user data at risk.
- As companies race to the cloud, they are forgoing proper security practices and aren’t properly aligning the risks with the business needs.
- Companies need to own their cloud security, examine the SLA and SLO, and decide what they’re willing to take on in terms of issues and risk.