So What Happened?
Just a few days ago, Pegasus Airlines experienced a high-magnitude AWS data breach compromising 6.5TB of data. Ultimately, 23 million files were publicly exposed, including sensitive information like flight crew PII, plain text passwords, secret keys, and even source code. The suspected culprit? The infamous S3 bucket.
The breach was discovered by Safety Detectives, a security vendor. It is unknown how long this misconfiguration persisted, but it potentially impacts other airlines that bought the affected software from Pegasus, since the exposed bucket backed that software. Once notified, Pegasus reportedly took swift action to secure the data.
How could this have happened? Well, unfortunately, while it is a grave mistake, it is a common one that has led to many high-profile AWS data breaches. AWS S3 buckets are data stores, often home to business-critical information. These buckets are prone to misconfigurations, like leaving them publicly accessible, or not requiring the proper authentication to access them. It is exactly this type of extremely preventable misconfiguration that becomes the Achilles' heel of organizations today.
Why does Sonrai care? Well, aside from building awareness around this very common mistake, we’re here to share that there are solutions built specifically to prevent this exact incident.
The Solution for AWS Data Breaches
Cloud Security Posture Management (CSPM) is a class of cloud platform security solution, often provided by third-party cloud security vendors, that ensures your cloud is configured securely. While AWS does a fantastic job at providing the most secure infrastructure it can, it is ultimately your responsibility to secure everything within your cloud. Leveraging a CSPM tool to monitor your AWS environment ensures it is secure at the most foundational level. The solution works by comparing your environment to a baseline of appropriate configurations and behavior, looking for deviations. The moment a deviation is detected, such as a public-facing AWS S3 bucket, the tool flags the issue to your teams.
Looking at this Pegasus example: with a mature CSPM tool, the company would have had a ‘best practice’ baseline, including controls like looking for publicly accessible data stores, ensuring data stores require authentication, and verifying that encryption and auditing are enabled and configured correctly. With a CSPM tool, the misconfigured S3 bucket would be caught before any malicious actor (or security vendor) could come across the sensitive information.
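As an added illustration of the baseline comparison just described (example code written for this post, not Sonrai's product or any AWS library), here is a small Python checker that evaluates one bucket's configuration against the controls listed above: Block Public Access, a bucket policy or ACL open to everyone, default encryption, and access logging. The bucket it inspects is a constructed sample; a real tool would fetch the same fields from the S3 API.

```python
# Added example: a minimal CSPM-style baseline check for one S3 bucket. The bucket
# description is a constructed sample; a real tool would fetch it from the S3 API.
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_ACL_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _is_public_principal(p):
    # Principal "*" or {"AWS": "*"} means anyone on the internet, not just AWS users.
    aws = p.get("AWS", []) if isinstance(p, dict) else p
    return "*" in (aws if isinstance(aws, list) else [aws])

def check_bucket(bucket):
    """Compare a bucket to a best-practice baseline; returns [(control, detail), ...]."""
    findings = []
    pab = bucket.get("public_access_block") or {}
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append(("public-access-block", "not all four Block Public Access settings are on"))
    # An Allow statement for a public principal with no Condition grants anonymous access.
    policy = json.loads(bucket["policy"]) if bucket.get("policy") else {}
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow" and _is_public_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(("public-policy", f"statement {stmt.get('Sid', '?')} allows Principal * unconditionally"))
    for grant in bucket.get("acl_grants", []):
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri in PUBLIC_ACL_URIS:
            findings.append(("public-acl", f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}"))
    if not bucket.get("encryption"):
        findings.append(("encryption", "default server-side encryption is not configured"))
    if not bucket.get("logging_target"):
        findings.append(("auditing", "server access logging is not enabled"))
    return findings

# Constructed sample resembling the misconfiguration described above (not real data).
SAMPLE_BUCKET = {
    "name": "example-crew-docs",
    "public_access_block": dict.fromkeys(PAB_KEYS, False),
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}),
    "acl_grants": [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}],
    "encryption": None,
    "logging_target": None,
}

if __name__ == "__main__":
    for control, detail in check_bucket(SAMPLE_BUCKET):
        print(f"[{control}] {SAMPLE_BUCKET['name']}: {detail}")
```

Each finding names the control that failed, which is what a CSPM tool would route to the owning team; a bucket with all four Block Public Access settings on, no public grants, encryption and logging configured returns an empty list.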
Advanced CSPM Solutions for AWS Data Breaches
A few things to note: a lot of vendors today provide CSPM solutions including this control checking, but next-generation tools take things a step further. One of the major differences is that a modern CSPM performs continuous monitoring of the data store rather than polling at an interval. This ensures that as soon as a misconfiguration is detected, it can be addressed. In comparison, polling has a time lag that, given the scale of the cloud, could actually fail to detect this misconfiguration altogether.
Another major difference of a modern CSPM is how it enables you to correct a misconfiguration at the speed and scale specific to the cloud. Let’s say there is a misconfiguration, like a lack of authentication needed to access flight crew PII, and your legacy CSPM tool detects it and issues a ticket to a queue of security concerns. This ticket will sit at the back of the queue or get lost in a sea of notifications.
What if this alert actually pertains to a group other than the Security team, like the DevOps team, who is responsible for the data store? And what if the misconfiguration is detected overnight on Christmas Eve when the team is on vacation? This is where a critical next-generation component of CSPM tools comes in handy: intelligent workflows and automation. With this integrated capability, a high-priority alert can ‘skip to the front of the line’ and go directly to the specific team responsible for fixing it. Additionally, automation can step in and remediate pressing issues to at least mitigate the severity of a security concern.
The Big Picture
Pegasus Airlines is far from alone when it comes to being the victim of a data breach from what is a rather basic security misconfiguration. There were countless reported AWS data breaches affecting companies, including Twitch, Twilio, SeniorAdvisor and more, in 2021 alone. This is not the first Amazon data breach of 2022, and it certainly won’t be the last.
When it comes to pointing out these misconfigurations, shaming or ‘calling out’ the company is never the intent. One thing uniting enterprises today is their shared experience in warding off data breaches and malicious attacks.
We speak to cloud practitioners, security teams and CISOs frequently, and know that everyone has the strongest intentions and hopes of being cloud pioneers and steering their business in the right direction. However, a lot of traditional security tools just aren’t cutting it in the new vast world that is the cloud. We are at a turning point in technology history where it is time to add new knowledge to our tool box and adopt new strategies, solutions, and tools to help lock down the most precious asset in the cloud: data.
The job is overwhelming, and we empathize. The first step is recognizing you need help or a change. Leave the rest to us.