According to Gartner, 95 percent of the security failures in public cloud environments through 2020 will be the customer’s fault rather than the cloud service provider’s.
As businesses continue to migrate production workloads and valuable data into public cloud services like Amazon Web Services and Microsoft Azure, we are already starting to see the catastrophic consequences of misconfigurations and process failures.
Here are five incidents from just the past few months that were purely the result of operator error and could have been entirely avoided.
1. That Time 3 Million People Got Their Privacy Body Slammed
Just a few weeks ago, the WWE (yes, that WWE) exposed the private information of over 3 million users by failing to properly protect a portion of its cloud environment.
The email and home addresses of these poor unfortunate souls were placed by the WWE IT experts in an exposed S3 bucket with absolutely no password protection or other security safeguards. This single oversight was soon discovered and exploited by an industrious hacker and thus one of the biggest data breaches in recent memory was born.
Remember this – if data is left exposed in a cloud environment, it will (not may, but will) be probed and breached within a few minutes or hours. There are automated scripts that scan the space of IP addresses for open ports and accessible data.
2. I’ll See Your 3 Million and Raise You
Never one to be outdone by some wrestling organization, telecom titan Verizon had its own AWS security issue just five days after the WWE’s.
Once again, a poorly configured S3 bucket was discovered and breached by intruders. This attack, however, dwarfed the one on the WWE by exposing the phone numbers, names and pin numbers of over 6 million Verizon customers.
It wasn’t some unforeseeable malfunction or advanced attack that led to this disaster. Verizon told CNN soon after the attack that it was placing the full responsibility for the breach on “human error.”
3. Dow Jones Makes It a Hat Trick
Barely a week after the Verizon data breach, Dow Jones reported that personal and financial details of over 2 million customers were exposed due to a configuration error of a cloud storage server.
The misconfiguration was very simple — an S3 bucket was configured in such a way that any authenticated AWS user could access the bucket, not just the admins/power users within Dow Jones who were authorized to see the information.
The impact of this error was significant — the S3 bucket contained sensitive information including names, physical and email addresses and last four digits of credit cards of Dow Jones customers.
4. Taking a Small Byte of Sensitive DoD Data
In what is clearly as an emerging pattern in data exposure, sensitive files related to the US National Geospatial-Intelligence Agency (NGA), an agency within the Pentagon that collects and analyzes geographic information for national security purposes, was exposed to the public a few weeks ago.
This is the kind of data that would require top secret-level security clearance to access, and yet it was stored unencrypted in an S3 bucket which itself didn’t have password protection and was accessible by anyone.
5. The One about a Bank Heist
A few months ago, Scottrade Bank, a subsidiary of Scottrade Financial Services, faced a situation that’s the stuff of nightmares for a trusted bank. A security researcher revealed to the bank that an exposed MSSQL database containing sensitive information about at least 20,000 customers was left exposed and unprotected. While the situation was fixed promptly, it is unclear how much damage it caused.
A quick investigation revealed that a third-party IT vendor that Scottrade worked with, Genpact, uploaded the sensitive data to one of its cloud servers that did not have all security protocols in place. This was a case of an operator error in the way protected data was handled by the partner.
Recap and Lessons Learned
What’s common across these data exposures?
- Data in the Public Cloud: Most if not all of them involved exposure of data in S3 buckets. Amazon S3 is a very popular cloud based object storage service, and a staple of most AWS environments from the earliest days of the cloud service. These breaches reinforce the one-strike rule for security in the public cloud. A single vulnerability, or security, or process lapse can expose private data to the world. In no way does this imply that S3 itself is not secure — AWS has invested heavily in ensuring the security of its cloud service. But S3 admins and users need to understand and use the security controls offered by AWS to lock down their buckets
- High Value Exposure: Enterprises are getting comfortable with putting their sensitive customer and employee data in the public cloud, recognizing that public cloud services are in reality more secure than most datacenters. But when this data gets exposed, the cost in terms of monetary value, loss of reputation and national security risk, is high.
- The Human Element: All these exposures happened because of an avoidable operator error, either because access permissions for S3 buckets were misconfigured, or because someone put sensitive data in an unprotected data store. The challenge with managing security in the cloud is that it needs to be done right every time consistently, even as cloud environments change.
So, what can you do about it?
For one, learn about the controls available in public cloud environments such as AWS to protect your data from exposure. Securing S3 buckets to prevent accidental data exposure is often poorly understood and badly implemented by their users, even someone as technically savvy as an engineer with one of the world’s leading defense contractors. We published a blog post a few weeks ago about finding and exposing exposed S3 buckets. Read it and learn how you can lock down your environment.
Think about security in layers (defense in depth). Make sure you’re encrypting data (at rest, in motion and in use), applying password protection best practices, and configuring access based on the principle of least privilege.
Tools such as Dome9 Arc can give you better visibility and control over your security posture in public cloud environments, with automated security and compliance assessments and active protection. Learn more about how these tools can help you manage security more effectively in the public cloud.
Patrick Pushor from Dome9 will also be presenting on the topic of securing S3 buckets at the upcoming AWS Summit in New York. If you’ll be at the event, please drop in!