Among all the reports of complex malware and 0-day vulnerabilities, it can be easy to forget that a few wrong clicks from an employee can leak data from millions of individuals. The Republican National Committee, Verizon, and now Dow Jones have learned this lesson the hard way. Dow Jones, the most recent victim of this common error, leaked personal data on 2.2 million customers including email addresses and the final four digits of some credit cards. All three leaks came from exposed data on AWS as a result of misconfigured security settings.
Off Network, Out of Mind?
Earlier in July, Verizon faced a report from a researcher that the sensitive data of six million customers was exposed on the open internet. Customer data in the leak included name, phone number, and account PIN. The leak sourced from the Amazon Web Services (AWS) environment of a Verizon customer service vendor called Nice Systems, highlighting the vulnerabilities of today’s open, decentralized networks.
The Nice Systems data exposure comes at the intersection of two challenges for enterprise security: third-party partners and AWS S3 buckets.
Without active diligence, companies are essentially at the mercy of the security of the weakest link among their external business partners. Target famously suffered their data breach through the network of an HVAC vendor. The average company has a complex digital supply chain, with 1,555 external partners who receive data via cloud services. Verizon reportedly allowed Nice Systems to store their customers’ data in AWS as part of the company’s customer engagement services. In doing so, Verizon relied on Nice Sytems’ security practices to prevent a data leak. Nice Systems claims 85 Fortune 100 companies as its customers, placing it in a category of highly networked “super partners”. Research found 58 vendors are connected to over 50% of enterprises. A breach at these companies has the potential to adversely affect multiple enterprises.
AWS S3 leaks have reappeared in headlines time and time again. When an AWS S3 bucket is configured as open to the public, anyone who finds the link can access the data without any additional hacking. In this case, an employee accidentally set the configuration of the S3 bucket in question to “public.” The report of Nice Systems’ leak suggests the link was easy to guess. Just weeks ago, a Republican National Committee vendor leaked almost 200 million voter records in the same way – through a trusted vendor. Skyhigh’s research on AWS environments in the enterprise has found that 7% of all S3 buckets have unrestricted access, and 35% are unencrypted.
Cloud services like AWS S3 storage servers enable organizations to store massive datasets on a secure platform. Ultimately the actual data on the platform is only as secure as the customer administrators, who are responsible for configuring security settings and monitoring activity with CloudTrail APIs. Companies may have hundreds of S3 buckets and will periodically audit and change configurations. At scale, this process introduces the element of human error. The risk only increases when factoring in additional IaaS services a company may use like Microsoft Azure and Google Cloud Platform.
Securing S3 Buckets and More with a CASB
A cloud access security broker (CASB) is a dedicated security solution that can automate IaaS security audits across multiple instances and IaaS applications. Here are two steps companies can take to prevent these types of AWS data exposures:
- Know where your sensitive data is: Companies use Skyhigh’s CASB to perform DLP across their IaaS services. Customers create DLP policies based on data identifiers, keywords, and structured/unstructured fingerprints to identify where their sensitive data is so they can apply appropriate controls to ensure the security of that data. With this knowledge, you can pinpoint any S3 bucket that contains sensitive data and ensure it is adequately protected. DLP can also be used to monitor S3 buckets that are intentionally configured as public and unencrypted so that if sensitive data is uploaded to the buckets at a later date, the data can be blocked and IT Security can be notified.
- Audit your security configurations in AWS: AWS provides an extensive set of security configuration options for all their services. Companies use Skyhigh’s CASB to monitor over 70 AWS security configuration settings across all AWS instances and flag those that are non-compliant with an enterprise’s ISMS controls and the risk profile of the IaaS deployment. In addition, Skyhigh provides recommendations and in-product remediation platform, so customers can eliminate security loopholes they discover during the audit. Using the audit to identify and eliminate publicly accessible and unencrypted S3 buckets is low hanging fruit for IT Security that may help keep your company name out of the headlines down the road.
If you’d like an audit of the security configurations of your S3 buckets as well of the security configurations of your vendors’ S3 buckets, you can register for our free AWS Audit here.