Earlier this month, Patient Home Monitoring Corp. exposed more than 150,000 patient records as a result of a misconfiguration in its Amazon S3 cloud storage repository. In July, personal data of 198 million US voters was exposed, also because of an S3 misconfiguration, this time by the data company Deep Root Analytics. Also in July, a news report came out saying Verizon’s Israeli partner Nice Systems had exposed 14 million Verizon customers’ data, again because of an S3 misconfiguration.
And the problem is growing worse.
According to a report released this month by RedLock, 53 percent of organizations that use cloud storage services like Amazon S3 have accidentally exposed at least one such service to the public.
"This is worrisome, because this number is up from 40 percent as reported by the team earlier in May and occurring despite warnings from Amazon to customers about the risks of misconfigurations," Varun Badhwar, CEO and co-founder at RedLock, told us.
In addition, 38 percent of organizations have administrative user accounts that have been compromised, he said.
A particularly embarrassing recent breach was when the technology services giant Accenture accidentally revealed internal data -- including cloud platform credentials and configurations -- when it allowed public access to four of its Amazon storage buckets.
"They were fortunate in that the exposed data was discovered by someone who chose to assist in preventing damage," said Hitesh Sheth, CEO at Vectra Networks. "It could just as easily have been used for snooping and data gathering on many large enterprises with very harmful effects."
Even the most security minded companies can fall victim to human errors, he added.
In the case of the Amazon S3 problems that have been hitting the headlines, these cloud storage buckets are set to private by default, said Javvad Malik, security advocate at AlienVault.
"A company has to explicitly allow public and unauthenticated access," he said. "So, it would appear it’s more of a skills gap in understanding how cloud access works and should be controlled rather than anything overly complex or a failing on behalf of the cloud provider."
Start with Training
Employees who manage sensitive data need security training, and many of them do not, said Vectra's Sheth.
With cloud, the situation is even more complicated, because the technology is new to many companies, and there isn't enough experienced staff to go around.
"People just say, let's shoot it up to the cloud," said Neil Weitzel, director of security research at Cygilant. "But it's not just a set-it-and-forget-it operation."
Not only do companies need to understand the security controls they're implementing, but they need to stay on top of those controls as long as they continue to use the platform.
"Yes, it's a lot of work," he said. "The actuality is that running something in the cloud is just as much overhead in terms of personnel as running your own data center. You are still administering infrastructure."
Take Care of the Basics
In addition to training, companies often fail to take care of basic security.
That includes locking down root account credentials and enforcing multi-factor authentications, said Jaime Blasco, AlienVault's chief scientist.
Companies should also run vulnerability and penetration tests, Blasco added, though Amazon has to give permission first if the tests are on their services.
In addition, for Amazon storage specifically, companies should check the permissions of their publicly accessible S3 buckets in their AWS magazine consoles and confirm that they are not accessible by everyone, said his colleague, AlienVault threat engineer Chris Doman.
Other basic security measures would also help, including logging, network segmentation, and encryption.
"You have to approach it like you would any other local network," said Joe Partlow, CTO at ReliaQuest, an enterprise IT security provider. "All the basic principles still apply but must be tailored to accommodate this wider, more open environment."
Vendors Can Be Doing More
Given the risk of substantial data loss due to configuration errors, companies should be more careful when selecting cloud vendors.
"Companies must use cloud services that integrate security conveniences, such as authentication, single sign-on, on premises integration; and self-services, such as registration and password reset, for employees and customers," said Justin Somaini, CSO at SAP.
In addition to providing better security tools, vendors can also do more to make those tools easier to use.
"The challenge is that cloud computing is very complex," said Ali Din, CMO at DinCloud. "The convergence of servers, networking, and storage, and very complex cloud orchestration tools can and should be simplified to help organizations get their arms around the areas of exposure. More simplicity enables more control.”
But that doesn't mean cloud vendors are dropping the ball.
"For big providers, their aim is growth and to serve every customer use case," he said. "That means they have to put a control and lever for every imaginable setting and configuration choice. This leads to complexity. If you merely look at the drop-down of services AWS has on its website, it is overwhelming."
However, there are consultants and vendors who are helping companies train their staff, and some are also provided simplified interfaces.
"There are providers in the market that have built more simple to use cloud consoles and offer more hand holding to customers," he said.
Another option is to use tools that specifically look for cloud setup problems, said Ariel Tseitlin, partner at Scale Venture Partners, who is an investor in Threat Stack, a company doing just that.
"Their technology can identify and prevent many of these cloud security breaches” that result from cloud services being misconfigured or improperly locked down, he said.
