By: Alex Burkardt
February 6, 2020
When Cloud Misconfiguration Risks Threaten Your Data
Security concerns that were common in the nascent stages of cloud infrastructure are mostly a memory. Cloud adoption is now widespread and security for both public and private clouds has improved considerably. Even so, data in the cloud is unfortunately still vulnerable due to a different challenge – cloud misconfiguration.
Many recent instances of misconfigured clouds show data being exposed or breaches occurring in healthcare, finance, telecommunications, hospitality, technology: almost every sector is vulnerable. For example, last year’s high profile breaches at Capital One and Facebook resulted from misconfigured AWS S3 buckets (where objects are stored). Research released in September 2019 by McAfee noted that the “majority of IaaS misconfigurations go unnoticed… only 1% are reported, which may suggest countless companies are unwittingly leaking data.”
One of the predominant reasons for this development is that most leading cloud providers maintain a “shared responsibility” model, wherein the provider bears responsibility for protecting its hardware and software infrastructure, but the customer bears responsibility for protecting the data that it puts there. The Oracle and KPMG Cloud Threat Report 2019 revealed that 90% of Chief Information Security Officers (CISOs) do not fully understand their team’s role in that shared responsibility model, even though 49% said they expect to store the majority of their data in a public cloud by 2020. Well, here we are.
When the deployment of cloud workloads (IaaS, PaaS, SaaS, containers and serverless) and of cloud security services (networking, encryption, WAF and SIEM) is not automated, configuration is done manually, increasing the chance of human error. Default configurations can also cause problems.
For example, the Box breach from March 2019 that left hundreds of thousands of sensitive documents exposed was actually the result of a default setting that was easily exploited by security researchers. While it worked exactly as designed, the Box deployment was misconfigured by users. Box has since changed those default settings. And, to its credit, AWS now proactively scans customer accounts to warn customers of any misconfigurations that may surface.
Other common errors include insufficient access restrictions, not following internal security policies, and failing to audit resources. But while some may like to “blame the victim” for not adequately securing access to their data, even firms that are highly sophisticated and mature in their security approach can still get hacked; attackers these days are very resourceful.
Consequently, protection needs to get down to the data itself. A variety of market solutions address file and content protection across various third-party repositories. While most are well-suited to defending static data, protecting data in motion is equally important and must be factored into the solution. Given the extent to which data-sharing with third and even fourth parties is regularly practiced, one simply can’t anticipate where sensitive data might end up.
Further, protecting data in the cloud has to be approached as part of a robust ecosystem of security technologies, rather than as a vendor-specific or niche concern. Data-level defense needs to integrate with varying parts of a complex security infrastructure, readily working with other important components of the stack like data classification, data loss prevention and activity monitoring products.
VERA’s trusted architecture makes it easy for organizations to secure a variety of file types in the cloud, including any files that are accessed because of a misconfiguration. Our powerful platform protects structured and unstructured data through encryption, access control, and dynamic policy that dictates what users can and cannot do with the data – when they have authorized access and when they don’t. Easily integrating with existing business productivity, collaboration and security systems, VERA protects any file type, in the cloud or on-prem, keeping data secure, fully trackable and, most importantly, revocable.