everythingpossible - Fotolia
This summer's breach of 106 million Capital One credit card applications stored on AWS renewed the spotlight on cloud security. The hacker, a former Amazon system engineer, allegedly took advantage of a misconfigured firewall to steal the data, which included names, addresses and Social Security numbers.
This public cloud security attack, according to various sources, was something called a server side request forgery (SSRF), in which servers are conned into running commands they ordinarily shouldn't be allowed to perform. SSRF attacks are of particular concern to companies using public cloud providers, and it's far from clear whether providers are taking the steps necessary to stop these probes from occurring.
Businesses large and small are aware of insider threats. In recent years, data loss prevention and features designed to protect systems against exfiltration -- data going out from within -- have become commonplace in many security systems marketed to businesses.
For cloud services like AWS, though, it is more like The Wizard of Oz, where we trust the wizards behind the curtain. It is essential that managers take the time to understand their providers' public cloud security policies. Here are some of the top areas to examine:
- Data storage location: One question involves finding out where your data is stored. European privacy laws that went into effect in 2018 elevated this topic to the top of the list, and as a result, getting this information is usually fairly easy. Depending upon the country where your data is stored, your rights and your cloud vendors' responsibilities will vary.
- Data encryption: Now that you know where your data is being stored, how secure is it? Find out if your data is encrypted, and if so, who has the key? One prominent cloud backup vendor, for example, relies on a default encryption system based on the user's ID and password. The answers are acceptable, but they beg the question about who has access to that information. Most vendors will let you pick your own encryption key. While that approach is certainly more secure, if you lose your key, your data will be inaccessible because your cloud vendor won't have the key in its possession.
Four ways to guard your public cloud data
- Find out where your data is stored.
- Know whether your data is encrypted and who has the key.
- Demand more information about who at the cloud vendor can access your data.
- At end of life or after an upgrade, make sure your data is scrubbed before it leaves the secure cloud environment.
- Data access: In the Capital One incident, the bank didn't even realize its data had been accessed until an ethical hacker let officials know. Unlike physical theft, data theft often remains invisible in its immediate aftermath. But the impact is far from invisible. Capital One faces remediation costs that could range from $100 million to $500 million, according to one Morgan Stanley analyst. It is incumbent upon big cloud customers to demand more information about who in the cloud vendor's organization can access your data. Is it restricted to certain people? What about subcontractors? Do they have access to your data or account information?
- Data disposition, end of life: One of the benefits of migrating to the cloud is that providers are the ones worrying about upgrading hardware. But, after an upgrade, what happens to the old disk that was full of your possibly unencrypted data? Does it go to the disk old-age home or into the briefcase of the tech who removed it? Wherever it goes, you want to be sure your data is scrubbed before it leaves the presumably secure cloud environment. Ask your vendor about its policy, and hope it has a policy. Similarly, if you decide to discontinue your cloud storage subscription, what happens to your data? Historically, OS delete functions are supremely insecure. By default, they only delete directory pointers and not the data. It would take much longer to overwrite data with zeros. So, find out what your cloud vendor does to make sure your data is truly deleted if and when you decide to terminate your subscription.
Recent breaches remind us we can't simply assume that providers have a sufficient public cloud security framework in place. Just as with data residing on premises, data stored off-site by cloud providers must be protected by formal policies and procedures. Cloud vendors might not want you to ask the tough questions, but your company will be glad you did.