If a high-tech company can’t get the security configuration right for its cloud-based storage, who can? In February 2018 the electric vehicle maker Tesla discovered that hackers had for several weeks been mining cryptocurrency on its cloud servers. The hackers had disguised their activity on Amazon Web Services (AWS) by hiding the digital-currency processing behind CloudFlare content delivery services. Tesla’s storage held vehicle telemetry, mapping and servicing data.
RedLock, a cybersecurity vendor, estimated that 58 percent of organizations using cloud storage services such as Amazon S3 and Microsoft Azure Blob storage exposed the services to the outside world.
High-profile headlines about world-famous organizations that many consider technologically savvy may leave business managers wondering whether cloud technology is ready for prime time. Another February 2018 headliner involved the exposure of customer data held in FedEx AWS buckets. The Simple Storage Service (S3) buckets at the core of AWS are logical (not physical) storage containers that hold data together with information about how the data is organized (called metadata). FedEx’s S3 breach involved 119,000 scanned passports, driver’s licenses and U.S. post office declaration forms that included personal information.
Revelations that Verizon-Nice, the Republican National Committee (RNC), World Wide Wrestling Entertainment and Dow Jones had customer records exposed on AWS S3 sent a steady stream of jolts through the business world in 2017. Verizon alone had between 6 and 14 million customer records exposed that year. Many are already questioning how secure their own networks are, so is migrating operations to the Cloud really worth the risk of exposing sensitive data?
The overwhelming majority of organizations throughout the world have invested heavily in acquiring and managing their own IT hardware, software and staffs to develop and maintain it all. Cloud services offer a way for companies to consolidate the investments with those of other organizations to dramatically reduce operational costs and to gain a level of IT flexibility and scalability previously only dreamed of.
Cloud services to organizations provide information technology (IT) economies of scale that promise to dramatically lower the cost of IT infrastructure maintenance and development of new products and services.
Cloud vendors offer three service models that are already transforming the way IT supports organizations: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Two deployment models give companies and governments the flexibility and scalability to meet their evolving needs: private and public leasing arrangements of Cloud assets, as well as a hybrid combination of the two.
Built to Serve
Cloud vendors like Amazon, Google, Salesforce.com, Hewlett-Packard and others provide broad platforms on which other organizations can run their IT departments. With the growing sophistication of Cloud technologies comes a differentiation of services to support the largest organizations and individuals alike:
Infrastructure as a Service (IaaS) provides the hardware and operating systems IT departments need to host generic software applications like MS Office as well as applications customized to their organization’s unique requirements, for instance specialized budgeting software and order-processing applications.
The advantage of going into the Cloud for IaaS is that it takes the guesswork out of budgeting for items like server build-outs and operating system support. Instead, organizations can scale up the amount of storage they need when the time comes, and rapidly reduce infrastructure support as they retire legacy systems.
Amazon Web Services (AWS), Rackspace.com and Gogrid.com are popular IaaS providers.
For more than 10 years Amazon has been offering cloud services to businesses that want the scalability, platform independence and economies of scale that cloud computing offers.
One of the reasons for the high frequency of incidents in the Cloud is an over-reliance on Amazon services. It’s possible that many IT departments believe that because data and even applications are in the Cloud, they are safe. This is a plausible stance for companies that have historically outsourced many of their IT responsibilities to shared services companies. Shared services is a model in which a single company — like Computer Services Corporation (CSC), Wipro or Tata Consulting Services — takes full control of management, support, and configuration of the information services of several organizations. The business model is supposed to provide clients with cost savings through the economies of scale that outsourcing agencies offer the market.
As organizations shift IT operations to the Cloud, they have to rely on internal staff who may not have the training and experience that was once the domain of outsourcers. As a result, the exposures of Cloud-based databases are, for the most part, self-inflicted. According to Threatpost, the IT admins who configured the cloud services for these organizations had overlooked the options for securing their AWS S3 buckets. Anyone holding AWS credentials was able to view any of the records.
IT departments had simply not locked up the storage units in Amazon’s cloud facilities.
It’s not clear whether hackers discovered the oversight and pilfered data from any of the databases, though. However, Rhino Labs tested 10,000 AWS S3 buckets and found that 107 of them (1.1 percent) were misconfigured, according to Threatpost. Skyhigh Networks, a cybersecurity firm, found that seven percent of all S3 buckets have unrestricted public access, while 35 percent are simply unencrypted.
While it’s always easy for organizations to look to external threats to their data, the greatest vulnerability to operations is most often the lack of training and oversight of employees within businesses — both non-technical and IT staff alike. Additionally, companies can proactively take several steps to avoid compromising their cloud presence.
Cybersecurity Best Practices
Organizations that have placed their data in the Cloud can use a combination of tools and administrative best practices to protect their online accounts, including:
- Do not use the administrative panel for mundane tasks;
- Restrict access to key accounts;
- Use tools that have just come out on the market to secure Cloud buckets;
- Introduce greater structure into ad hoc DevOps practices.
Administrative Panels – RedLock estimated that 73 percent of organizations’ IT managers were using the root user account in the S3 administrative panel to perform a variety of activities. Amazon and cybersecurity professionals warn that the habit goes against best practices.
Key Accounts – Instead, companies should lock away the keys to root user accounts, and should not use root accounts on a day-to-day basis. IT management also needs to enforce multi-factor authentication on all privileged user accounts. Companies may also consider periodic rotation of access keys, especially for accounts that handle sensitive data.
Cloud Management Tools – A Cloud Access Security Broker (CASB) is a class of tools and services that sits between an organization’s in-house infrastructure and a cloud provider’s infrastructure to enforce the organization’s security policies.
Cloud Monitoring Tools – Companies running AWS need to run AWS Trusted Advisor, a tool that Amazon made free to all AWS users in February 2018. The tool “… identifies S3 buckets that are publicly accessible due to ACLs [Access Control Lists] or policies that allow read/write access for any user,” according to Amazon. ACLs enable S3 administrators to manage access to buckets and objects in AWS.
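The same two conditions Trusted Advisor looks for, an ACL grant to everyone or to any AWS account holder, and a bucket policy whose principal is "*", can be checked by hand. The following is an added example written for this article, not Amazon's or Coranet's code: it takes the ACL and bucket-policy documents in the dict shapes that boto3's get_bucket_acl and get_bucket_policy return, and runs offline on constructed samples; the bucket name, owner ID and VPC endpoint in them are placeholders.

```python
# Added example (not from the article, AWS or Coranet): classify an S3 bucket's exposure
# from its ACL and policy in the dict shapes boto3's get_bucket_acl/get_bucket_policy return.
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def acl_public_grants(acl):
    """(group, permission) pairs granted to everyone or to any AWS account holder."""
    found = []
    for grant in acl.get("Grants", []):
        g = grant.get("Grantee", {})
        if g.get("Type") == "Group" and g.get("URI") in (ALL_USERS, AUTH_USERS):
            found.append((g["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found

def _principal_is_anyone(principal):
    if isinstance(principal, dict):  # {"AWS": "*"} or {"AWS": ["*", ...]}
        principal = principal.get("AWS", [])
    return principal == "*" or "*" in (principal if isinstance(principal, list) else [])

def policy_public_statements(policy_json):
    """Allow statements whose Principal is '*'. A Condition (e.g. a source VPC
    endpoint) may narrow them, so those are flagged 'conditional' for review."""
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    hits = []
    for s in ([statements] if isinstance(statements, dict) else statements):
        if s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal")):
            actions = s.get("Action", [])
            hits.append({"actions": [actions] if isinstance(actions, str) else actions,
                         "conditional": "Condition" in s})
    return hits

def classify_bucket(acl, policy_json, encrypted):
    """Findings in the form a reviewer would list them."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in acl_public_grants(acl)]
    for hit in policy_public_statements(policy_json):
        tag = " (conditional, review)" if hit["conditional"] else ""
        findings.append("policy allows " + ",".join(hit["actions"]) + " to anyone" + tag)
    if not encrypted:
        findings.append("no default encryption configured")
    return findings

# Constructed sample: public-read ACL, a policy granting GetObject to everyone,
# and no default encryption (the public and unencrypted cases the article cites).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Calling `classify_bucket(SAMPLE_ACL, SAMPLE_POLICY, encrypted=False)` lists all three findings for the sample; a bucket whose only public statement carries a Condition is reported separately so a reviewer can judge whether the condition actually restricts access.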
Restructuring DevOps – Whether running AWS or any other Cloud service, companies that write their own business applications need to integrate cybersecurity into their DevOps practices. DevOps favors a rapid-prototyping approach to software development, which can often mean that development and operational environments become confused. The blurred line between data meant for testing and data for real-world use can lead development teams to unwittingly expose vital information to the public.
While the tools and environments entrusted to organizations have become more powerful and flexible, the security measures protecting corporate data need to be considered paramount. Without precautions, companies may suffer not only data loss but financial and reputational loss as well. Coranet can provide IT audits, implementation and remediation services. We partner with the best in the business to ensure the highest level of service, which is why some of the municipalities and corporations in the world trust us with their networks and security.
Coranet is a certified Woman-Owned Information Technology Organization that has been meeting the requirements of Enterprise and Government entities for over 30 years. Network Engineering and Technical Support is part of our foundation and we continue this proud tradition with a 360-degree approach to technology solutions and services in the areas of Audio Visual, Network & Physical Security, Wireless/Copper Infrastructure, and Consulting/Project Management. Coranet is ISO 9001 registered, Lean Six Sigma and WBENC certified.
Please contact us at Sales@coranet.com for more information.