I was pulling out of my driveway today on my way to an important customer meeting and found myself stopped, waiting for a FedEx truck to pass. As it was going by I couldn’t help but think of the FedEx AWS S3 bucket exposure incident from February of 2018 that leaked data for tens of thousands of people like me. Here we are a year later, and I’m left wondering what they were doing to track and secure cloud storage resources and ensure my personal data was safe.
Perhaps the memory of the FedEx exposure wouldn’t have come to mind, but even after all the times incidents like this have made the news, public cloud object store bucket exposures are still showing up in my news feed, including major names like Dow Jones, which also had a leak reported in July of 2017. In fact, it has become almost routine news to hear about open buckets, whether discovered by security researchers trying to make an example of a company’s security lapses or because data has been maliciously exposed. The list just keeps growing as IT operational and security teams learn hard lessons about predictable bucket naming constructs and new forms of access control.
Let’s face it, humans aren’t perfect. Despite our due diligence, warnings, double- and triple-checking or anything else we may put in place to ward off mistakes, disaster will eventually strike and sensitive personal customer data may become public. When—not if—that happens, it can cost your company far more to repair the damage than it would to proactively apply data protection controls. As they say, penny wise, pound foolish.
Implemented correctly, secure cloud storage can help organizations deal with runaway growth, data center capacity limitations, device failures and technology obsolescence issues. Object storage elegantly solves many traditional data management challenges, and with that in mind, here are a few guidelines to help reduce your chances of exposing customer data stored in S3 buckets:
- Check bucket permissions regularly. Even if they were properly set at one time, in a world of shared administration and sometimes shared credentials, those permissions may no longer be right. Set the shortest cadence that you can hold to and be sure to re-check all your bucket permissions on that cadence.
- Limit the number of privileged users on any S3 buckets. It goes without saying that if you have fewer administrative users there are fewer people to keep in sync with your organization’s best practices for bucket permissions. Also take the time to understand S3 permissions and authorization so you don’t inadvertently open yourself up to certain nuanced attacks like GhostWriter.
- Restrict the breadth of data held in any one bucket—if possible. This might be a bit harder, but if you can avoid leaking both names and social security numbers at the same time, for example, then you have reduced the usefulness of any data gleaned during an exposure incident.
- Most importantly, protect the data: encrypt it with strong, certified algorithms (such as AES-256) in a way that requires access through a secondary tool to read cleartext content from your buckets. If you’re doing this, then even a bucket accidentally set to allow public reads can’t single-handedly drag your company’s name through the news as the latest personal data exposure.
As I like to say, prevent all you can, but after all you can do, prepare for the worst. Creating secure cloud storage is a new discipline for most, and there’s a whole hacker cottage industry developing around finding and exploiting S3 buckets. Checking your bucket permissions regularly and restricting the number of privileged users will help you prevent a problem; limiting the breadth of data and ensuring a constant state of encryption will help you prepare for the worst.
Recently I had the privilege to co-host a webinar with Dr. Larry Ponemon on the perceptions around object storage and migrating data to the cloud. It really brought to light that reservations around security like I’ve described above may be leading to lower than expected adoption rates, and that the only true way to feel secure is to manage security of the data client side before sending it to the cloud. It also highlights the interest and confidence in emerging multi-cloud technologies like those offered by SecurityFirst. You can find a replay of the webinar here.