April has certainly come in like a lion with two high profile data breaches. The first was from Zoom, where customer videos were exposed to the internet. The second was from the digital wallet app Key Ring, where ~14 million users' information, including PII, was exposed to the internet. In both cases, the breach was caused by a misconfiguration of their AWS S3 buckets that exposed them to the internet. Compounding the issues were poor security practices that, if implemented, could have significantly reduced the impact of these misconfigurations.
In this blog, we will explore how these breaches could have been prevented or at the very least, how the impact could have been significantly reduced.
Mistakes are going to be made, that is a fact of life. As more and more companies move to the cloud, one of the common mistakes that we see is storage containers (in this case, S3 buckets) that are misconfigured. Instead of being visible only to their owners, they are exposed to the internet for anyone to find and view. Making matters worse, many times the data in these exposed buckets contains sensitive information (such as PII). While this might seem like a relatively simple thing to protect against, we need to examine it in the context of the size and scale of current cloud implementations, with hundreds, if not thousands, of data stores across multiple accounts. Add the speed at which things move, and this becomes quite complex for organizations to manage. To do so effectively, organizations can no longer rely on manual methods; they require automation to continuously monitor their data, identify the classifications of data stored in their buckets, and ensure that only those who require access are granted it. Furthermore, if and when mistakes are made, they need to be quickly identified and remediated. However, there are often gaps between identification and remediation, and thus other layers of protection are required.
Data has become one of the most critical elements of any business. As such, data needs to be protected at all levels. In these two particular breaches, while the misconfiguration itself exposed the data to the internet, the damage caused could have been reduced if the data had been encrypted within the buckets. With encryption in place, the exposed data would have been useless to anyone who found it. Again, this might seem like a simple problem when it comes to a single bucket, but in reality it is often very complex in most cloud deployments. Not only does an organization have to know where all of their data is stored, but they also have to know what the data is and the state that data is stored in. This is another example of where automation is required to continuously monitor the cloud environments, examine where the data is stored, determine its state, and alert on any misconfigurations and/or deviations from an organization's information security governance framework. With all this in place, the breaches we see here could have been non-starters. That said, we can still take this a level deeper to ensure even greater levels of security.
There is a third element here. While it is fundamental to understand where your data is stored, what it is and what state it is stored in, to truly protect your data it is of critical importance to understand who/what has access to that data and what they are doing with it. We need to get a full and accurate picture of all the identities in your environment and what they can access. At the same time, we need to get a full and accurate picture of who/what is accessing your data and where it might be going. With this final piece in place, you would have complete visibility to identify and prevent any issues before they become a reality as well as the visibility to remediate any active issues in your environment.
As you can see, operating in the cloud is complex and challenging not only due to the scale of the environments, or the staggering amounts of data, but also due to the speed at which things move. Looking at the most recent data breaches, we see the impact of these challenges in the form of misconfigurations that exposed sensitive data to the internet as well as missed security practices that, if implemented, could have significantly reduced the impact of these misconfigurations. Organizations need to not only put these fundamental practices in place but be able to continuously monitor for, and then effectively manage, misconfigurations and/or deviations. With this in place, we believe these breaches might not have even occurred.
As an example, to highlight a potentially risky configuration we can see from the relationship graph below a data container with sensitive data, where an attached policy enables an anonymous user to gain access if it were accidentally made public. In this case we’d be alerted to this misconfiguration and actions could be taken to mitigate the risk before it becomes a problem.
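To make the two checks above concrete (an unconditioned grant to an anonymous principal, and missing default encryption), here is an added illustration in Python. It is not Sonrai's code or the platform's own logic; the policy documents and encryption configuration are constructed samples in the shape the S3 API returns, and the VPC endpoint id is a placeholder. A real monitoring job would fetch these per bucket and would also honour the account and bucket Public Access Block settings.

```python
import json

# Constructed sample: an Allow for Principal "*" with no Condition, so anyone on
# the internet can read every object (the misconfiguration discussed above).
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed sample: same grant, limited to one VPC endpoint (placeholder id).
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})

# Constructed sample in the shape GetBucketEncryption returns.
ENCRYPTED = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} matches any caller, signed or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_statements(policy_json):
    """Sids of Allow statements that grant an anonymous principal access with no
    Condition. A Condition is treated as scoping here (simplification); a full
    check would also honour the account and bucket Public Access Block."""
    doc = json.loads(policy_json)
    return [st.get("Sid", "<no Sid>") for st in _as_list(doc.get("Statement", []))
            if st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal"))
            and not st.get("Condition")]


def encryption_enabled(config):
    """True when a default SSE rule (SSE-S3 "AES256" or SSE-KMS "aws:kms") exists."""
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    return any(a == "AES256" or str(a).startswith("aws:kms") for a in algos)


def assess_bucket(name, policy_json, config):
    # Findings a continuous-monitoring job would raise for one bucket.
    findings = [f"{name}: statement {sid} allows anonymous access"
                for sid in public_statements(policy_json)]
    if not encryption_enabled(config):
        findings.append(f"{name}: no default server-side encryption")
    return findings
```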
Companies are already struggling with the first two challenges of managing their data stores and securing the data in them. Getting to the state where you can fully understand who/what can access that data, who/what is actually doing so, and where the data is going can feel like a pipe dream. In reality, there are solutions out there that can help you achieve this.
Sonrai Security delivers an enterprise security platform focused on identity and data protection inside AWS, Azure, and Google Cloud. We can show you all the ways data has been accessed in the past and can be accessed in the future. Our platform delivers a complete risk model of all identity and data relationships, including activity and movement across cloud accounts, cloud providers, and third-party data stores.
Sonrai enables you to protect the "crown jewels" by continuously monitoring critical data inside object stores and databases. You can constantly see where your data is and its classification, what has access to your data and from where as well as, what has accessed your data and what has changed.
Watch our on-demand webinar with Dan Woods, Principal Analyst at Early Adopter Research, and Sandy Bird, CTO of Sonrai Security, as they dissect five notorious and distinct types of cloud data breaches, breaking down how each was caused and how they could have been prevented. Learn more about the Anatomy of 5 Notorious Cloud Data Breaches.