The cloud may be a valuable computing resource, but it is also a potential security nightmare. Cloud security mishaps have littered the headlines lately, and in most cases, the fault lies with the customer, not the service provider. Companies need to rethink their basic approach to security before making the transition to the cloud.
Consider these security facepalms: Summer 2017 saw Dow Jones reveal the details of 2.2 million customers (security experts say it could be more), simply by misconfiguring an Amazon Web Services™ (AWS®) repository. An unfortunate admin had configured the server so that anyone with an account on the cloud-based service could access subscriber names, customer IDs, and partial credit card numbers.
If 2.2 million isn’t scary enough, how about 198 million? Republican data analytics firm Deep Root exposed that many US voter records were placed on an open S3 storage server by mistake, effectively making them available to the general public. That’s the largest ever known exposure of voter information to date, and a cloud-based security mistake made it possible.
In the rush to take advantage of the cloud, how can companies ensure that eager administrators avoid these security mishaps?
Firstly, you need to understand the most important thing about data security in the cloud: you can outsource the processing and storage of your data, but you can’t outsource responsibility for securing it.
It’s true that the forthcoming General Data Protection Regulations (GDPR) will hold data processors that provide cloud-based services liable for fines in the event of a data breach. Previously, only the data controllers (the companies owning the sensitive data) were liable.
This will leave controllers and processors in intense discussions over where liability begins and ends for each of them. Controllers can get the greatest peace of mind by taking their own measures to secure data, ideally before it even leaves their premises.
To take control of your own security in a cloud environment, you must understand the technology risks and how they may feed into broader business ones. For example, if a cloud breach exposes your data online, what would the impact be to your organization? What reputational and legal damage might it incur, and what might your regulatory liability be?
You should conduct a thorough risk analysis before making cloud computing a strategic part of what you do. Indeed, the GDPR calls for companies to undertake regular privacy impact analyses when embarking on any new form of processing that could be seen as risky to individual rights and freedoms. That includes the right to privacy.
This legally binds you to consider the cloud in terms of risk. Include risk management professionals in your cloud design and deployment project, and make sure that you seek counsel from the legal and compliance teams.
Security mistakes that embarrass companies in the cloud always involve data. To avoid your data being stolen—or simply made public by mistake—you must put it at the center of your thinking. All cybersecurity modelling should revolve around your data. Older thinking focused on securing systems at the perimeter is no longer adequate.
Figure out where your sensitive data is, what level of sensitivity it has, and what security measures are appropriate to protect it in the context of your business risk. Encryption may seem like an obvious choice, but it isn’t always self-evident. When Kromtech discovered three million WWE fans’ personal data publicly available on an S3 server in July this year, it was all stored in plain text. You couldn’t fail harder if you tried.
It wasn’t Amazon® who put the Dow Jones® data publicly online. Rather, it was a Dow Jones admin who chose the wrong permission settings for the AWS S3 data repository that the company was using.
The same goes for NICE Security, an Israeli company that analyzes customer call log files for Verizon® systems and accidentally leaked personal data for up to six million of the telco’s customers online. The company misconfigured an S3 server setting, experts revealed.
These problems occur because admins and developers making the move to cloud-based environments don’t always understand the technologies involved. A small misconfiguration can lead to big consequences. Add to this the fact that some products have shipped without security settings turned on by default in the past, and it’s a recipe for disaster.
Take the time to train your techs in the cloud tools they’re using. Even better, use automation software or scripts to enforce basic security measures when deploying to the cloud. That will help to decrease human error.
The more powerful our tools become, the more careful we must be with them. Sending data up to the cloud without proper security is like using a circular saw without a blade guard. It may get the job done, but you could do permanent damage in the process. By adopting a security-first approach, you’ll make yourself—and your customers—far safer.
Danny Bradbury has been a technology journalist since 1989. He writes for titles including the Guardian newspaper and Canada’s National Post®. Danny specialises in areas including cybersecurity and cryptocurrency. He authors the About Bitcoin website, and also writes a regular blog on technology for children called Kids Tech News. You can follow Danny on Twitter® at @DannyBradbury
Click here to find out more about how SolarWinds MSP can help you analyze the data risks within your business.
© 2017 SolarWinds MSP UK Ltd. All rights reserved.