Is it really that hard to keep from making a security idiot of yourself?
When I hear people worrying about cloud security, they’re usually shaking in their boots about some obscure bug beyond their control. Ha! Ordinary, stupid human mistakes are more than bad enough.
For example, Accenture left hundreds of gigabytes of private user and corporate data on four unsecured Amazon Web Services (AWS) S3 cloud servers. The data included passwords and decryption keys. What did you need to dig into this treasure trove? The servers’ web addresses.
That’s all. No user ID, no password, no nothing.
Adding insult to injury, according to Chris Vickery, director of cyber-risk research at security firm UpGuard, Accenture’s revealed data included its AWS Key Management System (KMS) master keys. With those, an attacker could have also taken control of all the company’s encrypted AWS data.
Can you say, “Bad?” I knew you could.
So repeat after me: “I will give every public-facing cloud resource under my control a user ID and a password.”
It’s not so hard, right? But way too many companies aren’t getting even that much right.
According to a survey from RedLock, a public cloud security company, “53% of organizations using cloud storage services such as Amazon Simple Storage Service (Amazon S3) had inadvertently exposed one or more such services to the public.”
Worse still, “it appears that this is trending upwards despite growing awareness about the risks of misconfigurations; earlier in May this number was 40%.”
This is preposterous. Have we forgotten everything we ever learned in Security 101? Or, perhaps I should ask, “Did we ever really know how to secure services and data?”
I’m beginning to believe we didn’t. Our half-assed security methods may have worked when we weren’t putting our resources on the cloud or in internet-facing services. But our mistakes are no longer hidden within our data center; they’re out in the world for anyone to see — and hack.
I’m looking at you, Equifax. Thanks to your total lack of security and system administration sense, Social Security numbers, our default U.S. national ID number, have been rendered worthless.
One thing that hasn’t been mentioned much in the Equifax fiasco is that the company also hadn’t encrypted its data. Is your cloud data encrypted? According to the Redlock study, “64% of databases in the public cloud are not encrypted.”
Oh, come on, people! Encrypt your data already. Make it a little harder for thieves to ransack it, please!
OK, so Accenture, a, quote, leading global professional services company, end quote, was full of idiots. And Equifax will go down in the history books for allowing one of the all-time worst security failures. But your company’s fine. Right? Right!?
Do yourself a favor. Run a basic security audit. Keep in mind, as Accenture didn’t, that AWS, Google Compute, Microsoft Azure and all the other major public cloud players provide you with infrastructure as a service, not security as a service. Ultimately, it’s up to you to secure your data, not your cloud provider.