It was the kind of mistake that could have easily turned into a security nightmare.
Over the summer, a mistakenly configured Amazon S3 bucket publicly exposed thousands of internal documents belonging to a large hosting provider. The information included usage stats, pricing data, server config information, CPU specs, hostnames, operating systems and server loads.
In this instance, the problem was caused by an AWS salesperson who had failed to follow best practices for storing information. Luckily, no customer information was in the exposed bucket. But this is turning into an increasingly common occurrence. Similar situations have affected multiple companies, sending them scrambling after misconfigurations in an S3 bucket accidentally exposed classified data.
These types of examples really add validity to Gartner’s quote that “through 2022, at least 95% of cloud security failures will be the customer’s fault.” I’ll talk momentarily about how your organization can avoid becoming the next headline, but it’s important to first consider how we’ve reached this point and why this problem has become increasingly commonplace.
The Perfect Storm
Up until around 3 years ago, I’d commonly hear customers state that “the cloud was insecure.” People clung to a perception that cloud computing was not just rife with risk but opaque; that you would hand over data and it would wind up on a server somewhere without the owner having any idea about the location or the way their information was being handled. Or the fact that because they couldn’t use their old guard security tools in the cloud, meant the platforms weren’t ready.
Since then, the cloud providers have done a lot of heavy lifting to knock down these concerns by offering compliance with the likes of regulations, including SOX, ISO and HIPPA, and landing very security conscious customers like the CIA with the FBI and Pentagon following suit. All the while educating customers about what cloud providers were doing with security and customers’ responsibility when it comes to security in the cloud.
The result: worries dissipated as people began to realize that in certain respects they were even more secure in the cloud. As big financial institutions and government agencies got up on stage at keynotes and talked about how they were rapidly adopting cloud computing, much of the rest of the working world followed and a massive shift ensued.
Unfortunately, there are cracks in the system, and those cracks are the same customers rushing to use the platforms. So why are people making mistakes when it comes to cloud adoption? Let’s talk about two reasons which are shortage of skilled personal and a new consumption path.
Along with the huge adoption of the cloud, there’s also a huge demand for people who know the cloud – a good way to see this is by looking for any job in IT and see what employers want. For example, check out the Robert Half Technology 2016 Salary Guide. The list of Hot Certifications included Cisco Certified Network Associate (CCNA), VMware Certified Professional (VCP), and Microsoft Certified Professional (MCP). Now check out Robert Half Technology 2019 Salary Guide and notice the difference: added to the list are AWS, MCSE: Cloud Platform and Certified Ethical Hacker (CEH) certifications. Why the change? – simple supply and demand. There is so much momentum for companies to hire professionals that can really use the cloud to its full extent, that there simply aren’t enough people to fill those jobs. Put cloud security on top of that list of skills required, and your supply of knowledgeable workers gets even smaller.
At the same time, think about how the cloud changes IT consumption. In an on-prem world, if you want to share files, you’ll first try to send it via email, and if that doesn’t work (probably because the files are too big), you’d go to helpdesk or IT, ask about a network share or some other way to host files and share externally. Whether it was intentional or not, the IT administrator would have visibility into what you’re doing. He’d either use LDAP, Active Directory or something else to know who has access to the data and set up the share himself. There was a well-practiced process for procuring IT resources, and security was somewhere in that process to make sure you weren’t doing something you shouldn’t.
Unfortunately, there are cracks in the system, and those cracks are the same customers rushing to use the platforms.
In the cloud world, you can literally launch services and standup an entire data center within minutes by pressing some buttons – which is awesome by the way! You can take almost anything that someone gives you, drop it into an S3 bucket and publish a link. Gone are the days where you need to go through the conventional IT procurement process to get up and going.
It’s not that most employees acting in this way are malevolent or out to inflict harm on the organization. They’re just eager to get the job done. This is why people (including me) love the cloud so much: we can do so much more, faster, and with less resources. But because we can do this faster, and in a self-service manner, companies haven’t established procedures to make sure we’re doing things securely.
And it’s not as if there aren’t adequate security controls around S3 or other cloud services. In fact, after AWS saw customers using S3 incorrectly, it released Trusted Advisor checks for S3 for free. In the end, everything depends on the person actually pulling the levers on the cloud. Let’s not kid ourselves; the truth is that too many of them are going to make mistakes.
Advice to CISOs:
Your first order of business should be to understand how you’re using the cloud - or even whether you’re using it all. I’ve encountered situations where the security team didn’t even know the company was storing sensitive data in the cloud. A good tool for this is Symantec Cloud Workload Protection (CWP) for Storage. If you haven’t played with this product, you should give a shot. You can try it absolutely free for 30 days in the AWS Marketplace, and if you decide to keep using it you only pay for what you scan: no contracts.
The great thing about CWP for Storage is not only does it scan for malware in objects that you upload to S3, it also automatically discovers your S3 buckets and alerts you to policies that go against AWS Best Security Practices. This is a great tool if you’re one of those companies that doesn’t have a cloud security expert (or the time to become one) and need to know if you’re using S3 correctly. A lot of our customers really like the fact that you can stand up CWP for Storage in your own VPC and that the solution automatically scales up and down to save you on costs.
If you’re interested to learn more, check out our case study on How Snapper Protects Amazon S3 with CWP for Storage.