Identity & data complexity is a ticking time bomb in your cloud. There are tens of thousands of pieces of compute, thousands of roles, and a dizzying array of interdependencies and inheritances that your teams must identify, classify, remediate, manage and audit. All of this has to be done at the pace of the public cloud. This level of complexity is incredibly difficult to manage without the correct tooling. Even with big teams, big budgets, and deep technical expertise, the potential for serious issues exists. Unfortunately, we are reminded of these complexities and risks by the highly publicized Capital One data breach, and more recently by the fines the company has had to pay. This is a stark reminder that even the most sophisticated, well-staffed and well-funded organizations can run into trouble with cloud complexity without the proper tooling.
Since March of 2019, we have been reminded of the Capital One data breach, a significant hacking incident in which a malicious actor exploited a misconfigured open-source web application that Capital One was using as part of its operations hosted in AWS to gain unlimited access to very sensitive data. The incident resulted in access to approximately 100 million credit card applications. A few months later, Capital One was alerted to the situation after the insider bragged about taking the company’s data in online discussion groups. Capital One investigated the incident and corrected the vulnerability promptly. However, despite receiving credit for its customer notification and remediation efforts, the Office of the Comptroller of the Currency (OCC) issued a Consent Order against Capital One Bank, including a civil money penalty of $80,000,000, on August 5, 2020.
Identifying risks and mitigating data loss from complex processes, people and systems is not a new concept in the financial industry. Heavily regulated industries, such as financial institutions, are expected to maintain a documented inventory of assets and documented processes to identify threats and vulnerabilities continuously. In Capital One’s case, the OCC linked the data breach to problems with Capital One’s cloud migration plan. Back in 2015, Capital One failed to establish effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment. It also failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts. It is an apt reminder that processes and procedures should not only focus on reacting to incidents, but also proactively mitigate risk before an incident occurs.
All financial institutions have a responsibility to safeguard employee, customer and applicant data. Your organization needs to know at all times where its data is located, who can access the data, and when it is accessed. Your organization should focus attention on managing towards a baseline configuration state and a desired state configuration across your environments. You need to monitor, maintain and continuously be aware of your environments’ state of health and compliance with your governance frameworks at all times. However, this is easier said than done, so it is important to have the right tooling to help you find your security baseline and graph your identity and data relationships.
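The "graph your identity and data relationships" and "baseline configuration state" ideas above can be made concrete. The following is an added illustration written for this page; it is not Sonrai Security's product, not any cloud provider's API, and every role name, bucket name, classification and baseline entry in it is constructed. It builds the transitive identity-to-data graph (following role-assumption chains, the "inheritances" the opening paragraph mentions), then compares the effective access paths with an approved baseline and reports the drift.

```python
"""Identity-to-data access graph with baseline drift detection.

Added illustration only: the inventory below is a constructed snapshot
of roles, the roles each may assume, the data stores each reads directly,
the sensitivity of each store, and a baseline of approved access paths.
None of these names refer to a real environment.
"""
from collections import deque

# Constructed inventory (hypothetical role and bucket names).
ROLES = {
    "app-web": {"assumes": ["data-reader"], "reads": []},
    "data-reader": {"assumes": [], "reads": ["s3://applications-raw"]},
    "ops-admin": {"assumes": ["data-reader", "app-web"], "reads": ["s3://ops-logs"]},
    "analytics": {"assumes": [], "reads": ["s3://applications-anon"]},
}

# Constructed data classification per store.
DATA_STORES = {
    "s3://applications-raw": "restricted",
    "s3://applications-anon": "internal",
    "s3://ops-logs": "internal",
}

# Desired state: the only (role, store) read paths that are approved.
BASELINE = {
    ("data-reader", "s3://applications-raw"),
    ("analytics", "s3://applications-anon"),
    ("ops-admin", "s3://ops-logs"),
}


def effective_reads(role, roles=ROLES):
    """Stores `role` can read directly or via any chain of assumable roles
    (breadth-first closure over the assume edges, cycle-safe)."""
    seen, queue, stores = {role}, deque([role]), set()
    while queue:
        current = queue.popleft()
        stores.update(roles[current]["reads"])
        for nxt in roles[current]["assumes"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return stores


def access_graph(roles=ROLES):
    """Map every role to the full set of stores it can effectively read."""
    return {role: effective_reads(role, roles) for role in roles}


def drift(roles=ROLES, baseline=BASELINE):
    """Compare effective access with the baseline.

    Returns (unexpected, unused): unexpected = effective paths that the
    baseline does not approve; unused = baseline entries that no longer
    exist (either revoked access or a stale baseline, both worth a look)."""
    effective = {(r, s) for r, reach in access_graph(roles).items() for s in reach}
    return sorted(effective - baseline), sorted(baseline - effective)


def findings(roles=ROLES, baseline=BASELINE, stores=DATA_STORES):
    """Turn unexpected paths into severity-ranked findings, ranking access
    to 'restricted' stores as high and everything else as medium."""
    unexpected, _ = drift(roles, baseline)
    out = []
    for role, store in unexpected:
        severity = "high" if stores.get(store) == "restricted" else "medium"
        out.append({"severity": severity, "role": role, "store": store})
    return sorted(out, key=lambda f: (f["severity"] != "high", f["role"]))


if __name__ == "__main__":
    for f in findings():
        print(f"[{f['severity'].upper()}] {f['role']} can read {f['store']} outside baseline")
```

In this snapshot neither `app-web` nor `ops-admin` is granted the restricted bucket directly; both reach it only by assuming `data-reader`, which is exactly the kind of inherited path a per-role policy review misses and a graph over the whole environment exposes. The drift report is the piece you would feed into a change-management or alert-disposition process rather than leaving in a console.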
Audits are expected to review every aspect of the information security program, the environment in which the program runs, and the outputs of the program. These audits should report control deficiencies to decision makers, identify root causes, and recommend corrective action. Audits should track the results and the remediation of the control deficiencies they report, along with any additional technical reviews. Capital One’s internal audit failed to identify numerous control weaknesses and gaps in the cloud operating environment. Internal audit also did not effectively report on and highlight identified weaknesses and gaps to the institution’s audit committee. Plans and processes are often legal obligations, but their effectiveness hinges on diligent execution. It is important to treat these processes as ‘living’ and remain vigilant in performing each step in a timely fashion.
Organizations with a stronger security culture are expected to integrate information security into new initiatives from the outset and throughout the lifecycle of services and applications. Because the board, or a designated board committee, should be responsible for overseeing the development, implementation, and maintenance of the institution's information security program and for holding senior management accountable for its actions, many organizations have created a Cloud Center of Excellence (CCoE). The CCoE should reasonably understand the business case for information security and the business implications of information security risks; provide management with direction; approve information security plans, policies, and programs; review assessments of the information security program's effectiveness; and, when appropriate, discuss management's recommendations for corrective action. An effective security-driven culture should be prioritized from the top down to demonstrate the importance of the issue. Many organizations have begun to embrace “shifting left” to integrate security into the cloud earlier in the process, building a stronger security culture within the organization.
Regardless of how developed an organization’s program is or how big the budget may be, it is always appropriate to take a step back, review the basics of cloud security, and ensure your teams have the right tools to manage identities and data. Sonrai Security offers a free cloud security assessment which can help your organization determine whether you are using the right tools in your cloud.