Leaking cloud buckets - How to protect your information in the cloud

Imagine you're an IT executive responsible for the safekeeping of tens of millions of customer data records. You're storing this data in the cloud because it's unsustainable to maintain it in your own data center. But, just now, you received an email from hackers stating they have gained control of your cloud data and are demanding a hefty ransom to give it back. What do you do?

If you're Uber in 2016, you paid the ransom and hoped the data breach would never surface. But it did in late 2017, and now you're facing angry customers, stakeholders, and regulators. How did you get here, and what can you do to prevent this kind of massive data breach from happening again?

At a time when IT environments are going through a dramatic digital transformation, with legacy infrastructure replaced by modern cloud-based solutions, a new type of enterprise security threat is emerging, riding on the waves of ransomware: Leaking Cloud Buckets.

Leaking Cloud Buckets incidents refer to data being exposed on public clouds, most often as the result of a misconfigured storage bucket. In just the last six months, there has been a wave of these incidents afflicting notable organizations such as Uber, Verizon, Viacom, Dow Jones, and even U.S. military organizations.

Rather than blaming the unfortunate victims or the cloud in general, let us look at the core of the problem. The cause lies not with the cloud providers involved, be they AWS, Microsoft, IBM, or Google, but with the way their services are configured and used by enterprise administrators. Ultimately, most cases come down to the age-old problem of user error – no outside hacker necessary.

Perhaps this should not be a surprise. User/admin error has long plagued IT organizations, and Gartner predicts that 95% of cloud security failures will be the customer's fault through 2020. Here's how it happens in the case of those leaking buckets.

Every public cloud storage service offers buckets, a term coined by AWS for the repositories that house data objects on the cloud. (Azure calls them ‘blobs’.) Enterprise customers can configure storage buckets in any way they choose, including the region in which the bucket is maintained, the lifecycle rules for objects in the bucket, general access rights, and much more.

But there are two main attributes of these buckets that should not be ignored: (1) cloud buckets are by nature a shared service that resides outside of the virtual private cloud and firewall perimeter; and (2) cloud buckets are based on object storage, which doesn't enforce the file system ACLs that organizations have used for years to define granular file-level permissions.

These inherent weaknesses, coupled with the immaturity of cloud storage administration relative to the decades of enterprise IT experience with traditional storage, result in unprotected storage that is likely to fall prey to hackers who constantly run scans searching for their next victim.

Luckily there are simple precautions that can ensure data remains protected within the organization's boundaries: 

1. Encrypt data and keep the keys in your pocket – You will sleep a lot better at night if you follow a simple rule: if your data is outside your walls, it had better be encrypted. Just as you wouldn't access sensitive information over public Wi-Fi without a VPN, you shouldn't use public cloud storage without proper encryption. If your data is encrypted at rest and only you have access to the encryption keys, then you have nothing to worry about if a storage bucket becomes exposed: encrypted data will be useless to any non-authorized user. This is vital insurance against the probability – large or small – that someday an error will occur.

2. Manage access permissions – Use a multi-layer access control system that starts from the access permissions of the bucket itself and extends all the way to the file level for the relevant workloads, preserving permissions and connecting them to central directory authentication systems.

3. Invest in data loss prevention (DLP) – Leverage DLP software to monitor data-access patterns and detect deviations that indicate data leakage. These tools can also block policy violations, enabling you to stop users from sending sensitive data outside company walls.

4. Lock down endpoints and offices – Use enterprise EMM/MDM tools to eliminate shadow IT and create secure productivity spaces within corporate-provided and BYOD devices.

5. Periodic penetration tests – Penetration testing is essential when adding new infrastructure to your network, such as cloud storage. But it is good practice to perform regular “pen tests” to evaluate your security posture and ensure no new leaks have appeared over time.
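As an added example (not part of the original article), the bucket-level layer of precaution 2 can be checked mechanically: the sketch below audits a bucket's policy document and ACL grants for the public-access misconfigurations described earlier. It assumes AWS S3's policy and ACL formats as one provider's instance; the bucket names and sample configurations are constructed.

```python
import json

# ACL group URIs S3 uses for "anyone" and "any AWS account holder".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# S3 "Block Public Access" switches, all enabled.
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard(principal):
    """True for Principal '*' and for {'AWS': '*'} or a list containing '*'."""
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def audit_bucket(name, policy_json, acl_grants, pab=None):
    """Return findings for one bucket; pab is its Block Public Access config."""
    findings, pab = [], pab or {}
    # Allow statements for any principal; any Condition is treated as
    # narrowing the grant (a simplification, review those by hand).
    if policy_json and not pab.get("RestrictPublicBuckets"):
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                    and is_wildcard(stmt.get("Principal"))):
                actions = ",".join(_as_list(stmt.get("Action", "?")))
                findings.append(f"{name}: policy lets anyone call {actions}")
    # ACL grants to the global groups, unless public ACLs are ignored.
    if not pab.get("IgnorePublicAcls"):
        for grant in acl_grants:
            uri = grant.get("Grantee", {}).get("URI", "")
            if uri in PUBLIC_GROUPS:
                group = uri.rsplit("/", 1)[1]
                findings.append(f"{name}: ACL grants {grant['Permission']} to {group}")
    return findings

# Constructed sample input; bucket names are hypothetical.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-customer-exports/*"}]})
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI":
             "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
if __name__ == "__main__":
    print(audit_bucket("example-customer-exports", OPEN_POLICY, OPEN_ACL))
    print(audit_bucket("example-internal-logs", OPEN_POLICY, OPEN_ACL, BLOCK_ALL))
```

The same policy and ACL produce two findings on the first bucket and none on the second, because the second has every Block Public Access switch enabled.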

Keep these measures at the top of your data privacy agenda and you can protect yourself against the fate suffered by many leaky cloud bucket victims.