Page 25 - Cyber Warnings
What's the Matter with S3?
Public cloud breaches are becoming more frequent. Can anything be done?
Another week, another story about how data stored in the public cloud has been stolen or left
unprotected. This week it was the account PINs of 6 million Verizon customers. Last week it
was 198 million American voter records (99% of the enrolled populace) found publicly
accessible in an Amazon S3 bucket. The week before that, 60 thousand government files, some
28GB of Department of Defense data, sat unencrypted and unsecured in another S3 bucket.
This is a big deal.
It's not only the quantity of data, it's what it includes. From the Department of Defense files,
nearly a dozen passwords granting Top Secret clearance, along with login and security credentials,
were lifted. From the voter records, birth dates, home addresses, phone numbers and predictive
preference data used to track hot-button issues like abortion, gun ownership and religious
affiliation were compromised. The next loss is not a matter of if, but of when.
The Cloud Should be Handled with Care
There's no doubt what a boon the cloud has been to enterprise and government. Previously,
developing and deploying applications was a long and complex process. Today, enterprises can
move with much more velocity by leveraging the self-service infrastructure offered by
Amazon, Google, Microsoft and others. With self-service we get better agility, but we also
take on higher risk.
This is not to say the cloud itself is insecure; in fact, quite the opposite. Rather, the security
practices of enterprises have not adjusted to the nature of the cloud. In the cloud the security
perimeter sits at the resource (e.g. an object, server or disk) rather than at the network gateway.
This means that every piece of data, every server and every service needs to be separately secured
and controlled, which leaves lots of room for error, or worse, for malicious insiders. A quick skim
of the headlines is enough to make one wonder how the enterprise will reconcile the promise of the
cloud with the near certainty of compromised data.
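Because the perimeter is the resource itself, the practical consequence is that each bucket has to be checked on its own terms. The following is an added example (not code from the article) of the two checks that would have caught the public buckets in the headlines above: an S3 ACL that grants to the AllUsers or AuthenticatedUsers group, and a bucket policy statement that allows Principal "*" with no Condition. The input documents are constructed sample data shaped like what boto3's get_bucket_acl() and get_bucket_policy() return, so the check runs offline; the bucket name and IDs are invented.

```python
"""Flag S3 buckets whose ACL or bucket policy grants public access.

Example code added to this article, not from it.  The inputs are
constructed sample documents shaped like the responses of boto3's
get_bucket_acl() and get_bucket_policy() (the latter returns the policy
as a JSON string); bucket names and IDs below are invented.
"""
import json

# Canned group URIs that AWS uses in S3 ACL grants for "everyone" and for
# "any authenticated AWS account". Both count as public exposure.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """The policy grammar allows a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to public groups in an S3 ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GRANTEES:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_json):
    """Return (Sid, actions) for Allow statements open to everyone with no Condition.

    A statement with a Condition (e.g. restricted to a VPC endpoint) is not
    flagged here; such statements still deserve a manual look.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_everyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))))
    return findings


def audit_bucket(name, acl, policy_json):
    """Run both checks and return human-readable findings for one bucket."""
    findings = [f"{name}: ACL grants {perm} to {group}"
                for group, perm in public_acl_grants(acl)]
    if policy_json is not None:  # buckets without a policy raise NoSuchBucketPolicy in boto3
        findings += [f"{name}: policy statement {sid} allows {actions} to everyone"
                     for sid, actions in public_policy_statements(policy_json)]
    return findings


# Constructed sample data: a bucket with a world-readable ACL and one
# public policy statement plus one statement narrowed by a Condition.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-data/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-voter-data", "arn:aws:s3:::example-voter-data/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}},
    ],
})

if __name__ == "__main__":
    for line in audit_bucket("example-voter-data", SAMPLE_ACL, SAMPLE_POLICY):
        print(line)
```

Run against real accounts, the two sample documents would be replaced by the boto3 responses for each bucket returned by list_buckets(); the logic is the same. Note the deliberate limitation: a statement that is open to everyone but carries a Condition is skipped rather than evaluated, so the output is a shortlist for review, not a proof that nothing is public.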
Control Without Compromise
For these S3 breaches there is a series of good solutions, most notably a strong
"separation of control" process. This means that a developer who has rights to store, use
and manage data does not also have the rights to set the security settings, such as ACLs and
bucket policies, for that data. In addition, most organizations that use S3 also apply
encryption, policy and network controls to further secure the data.
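As an added example of that separation (not from the article, and not an AWS-provided policy), the identity policy below lets a developer role read, write and list objects in one bucket while explicitly denying every S3 action that changes who can see the data; those actions belong to a separate security role. The evaluator beside it is a deliberately simplified model of IAM's rules (an explicit Deny beats any Allow, wildcards match shell-style, no Condition keys or resource policies) so the effect of the policy can be checked offline. The bucket name is assumed; the s3:PutBucketPublicAccessBlock action refers to a feature AWS added after this article appeared.

```python
"""Separation of control for an S3 bucket, expressed as an IAM identity policy.

Added example, not code from the article.  DEVELOPER_POLICY allows data-plane
work on one assumed bucket and denies the control-plane actions that would
change its exposure.  is_allowed() is a simplified evaluator: any matching
Deny wins, otherwise a matching Allow is required; no Condition keys,
resource policies or SCPs are modelled.
"""
import fnmatch

BUCKET = "arn:aws:s3:::example-app-data"  # assumed bucket name

# Actions that change who can read the data or how it is protected.
# In this design only the security role may call them.
SECURITY_ACTIONS = [
    "s3:PutBucketAcl",
    "s3:PutObjectAcl",
    "s3:PutBucketPolicy",
    "s3:DeleteBucketPolicy",
    "s3:PutBucketPublicAccessBlock",
    "s3:PutEncryptionConfiguration",
]

DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UseData",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
            "Resource": [BUCKET, BUCKET + "/*"],
        },
        {
            "Sid": "NoSecurityChanges",
            "Effect": "Deny",
            "Action": SECURITY_ACTIONS,
            "Resource": "*",  # deny on every bucket, not just this one
        },
    ],
}

# Contrast: the kind of broad grant that makes the headlines.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match: '*' spans any characters, including '/'."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins; otherwise need an Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def control_plane_leaks(policy, resource):
    """Which security-relevant actions does this policy let the principal perform?"""
    return [a for a in SECURITY_ACTIONS if is_allowed(policy, a, resource)]


if __name__ == "__main__":
    print("developer can write objects:", is_allowed(DEVELOPER_POLICY, "s3:PutObject", BUCKET + "/a.csv"))
    print("developer control-plane leaks:", control_plane_leaks(DEVELOPER_POLICY, BUCKET))
    print("loose policy control-plane leaks:", control_plane_leaks(LOOSE_POLICY, BUCKET))
```

The point of the explicit Deny statement is that it holds even if the developer later accumulates other Allow grants (for example a broad managed policy attached by mistake), because in IAM an explicit Deny is never overridden by an Allow. control_plane_leaks() is the review question to ask of any policy attached to a data-handling role: it should come back empty.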
However, piecing these solutions together adds significant operational overhead: managing
accounts, writing IAM policies and finding vendors for each layer of security all add effort to
the process, with security sometimes taking precedence over the application itself.
25 Cyber Warnings E-Magazine – July 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide