Verizon Data Exposure - A Lesson in Cloud Security Hygiene
Verizon Data Exposure - A Lesson in Cloud Security Hygiene

According to reports, Verizon potentially exposed up to 14 million customers' personal information in a public-facing Amazon S3 (storage) bucket which was managed by one of their third-party vendors. 

While fallout from this incident doesn't seem to be broad at this point, it demonstrates the potential for the mass compromise of corporate and consumer data if proper diligence for security protocol is not maintained.

When analyzing root cause on this exposure of data, a few common mistakes emerge.

  1. This is not the first time that a vendor has caused a large enterprise company significant damage and exposure to potential data breach.  And, the pattern seems to be repeating. Many large enterprises have very onerous vendor management processes that require 18 months to two years to get through and are very detailed in the requirements of the vendor.
  2. However, a breakdown usually happens when those standards are not enforced or audited.  In a complex organization like Verizon, they have tens of thousands of vendors with varying degrees of security standards.  Everything that went wrong in this incident was probably covered by some security compliance standard, however, there was no way for Verizon to enforce these standards at the scale required.  This is why many large enterprises are dictating where their vendors host and what security compliance standards they must adhere to in order to do business.
  3. It only takes one wrong check box in the development process to cause a mistake like this.  When standing up an Amazon S3 bucket, the user has to designate whether or not this bucket is public-facing or not.  If this storage bucket is part of a software program, written to automate the backup of this data, then there was likely a coding mistake that caused this problem. 

Many users of the public cloud believe they are invisible because of the scale of the cloud, and security controls are not always required.  Our honeypot operations show that public cloud customers who have public-facing servers are scanned within 2-3 minutes after provisioning by threat actors trolling for vulnerabilities.   Within ten minutes, a threat actor is trying to exploit those servers if they are vulnerable.  The “big sky, little bullet” approach to security is not sufficient.  When provisioning an environment in the cloud, you must first build out your security controls to protect your data, from day one. 

While cloud platforms offer a myriad of benefits in terms of flexibility and scalability, there are significant responsibilities that users have in terms of maintaining a sound security posture. The idea that a user's role in the security equation can be relinquished just because a popular cloud service is being leveraged is a misnomer.  It is incumbent upon organizations and their vendors to ensure all security protocols are adhered to or risk exposing themselves to data leakage or hacking. 

The cloud can be a wonderful thing, but if security isn't managed properly, it can be a Pandora's box.