Yet another high-profile company has exposed data in an unsecured AWS S3 bucket. Over the past year it was Dow Jones and Verizon; this time it is FedEx, exposing 119,000 scanned documents including passports, driver’s licenses and more. While the S3 bucket in question came from the 2014 FedEx acquisition of Bongo International, the incident highlights the importance of involving the company’s InfoSec department in any deployment that touches critical data. The ease and agility with which resources can be deployed in the cloud has let business users with limited technical skills deploy on their own, without the scrutiny of InfoSec getting in their way.
Is the issue that the cloud isn’t secure?
The issue at hand is not whether the cloud is secure (it is), but how to fix the broken processes that let business units bypass the governance of their IT InfoSec team. I see this frequently when visiting clients. Before the cloud, the need to purchase equipment and configure it in a corporate data center involved IT departments in the proper configuration and security of those resources. Now, with the cloud, IT departments are left out of the loop, either entirely (the shadow IT problem) or until the very end, when business deadlines don’t leave sufficient time for proper architecture and security designs to be implemented.
Here’s where to start
As a Cloud Architect, my conversations typically revolve around People, Process, and Technology. All the best technology in the world will not prevent people from bypassing the process and creating vulnerabilities in the cloud. In the February 2018 print edition of SC Magazine (www.scmagazine.com), Karen Epper Hoffman’s article, Cloudy, With a Chance of Breaches, cites multiple security experts who bemoan the security risks of the cloud, yet all go on to state that it is the carelessness of the people who configure these solutions that leads to such breaches. Cloud vendors have made consuming technology so easy that almost anyone can deploy solutions, even without understanding the vulnerabilities they are creating.
How to still be agile and reduce exposure
An analogy comes to mind for those of us who are parents: it’s great that today’s cars provide our kids with lane departure warnings, automatic braking and other safety features. But what parent would let their child drive such a technologically advanced vehicle without first having some lessons? In cloud computing terms, why do companies expect they don’t need similar lessons about keeping their data safe before driving into the cloud? This is where corporate IT and InfoSec departments can step up and lead. By developing automated, yet secure, deployment vehicles, business users can remain agile without exposing corporate data in insecure architectures.
Need help developing secure automation deployments around cloud security? Learn more about how Anexinet can help you with your cloud strategy and implementation.
And for those of you now worried about your own S3 buckets, Amazon has added more prominent indicators in the S3 console showing whether or not a bucket is publicly accessible. It will also highlight which specific permission element (an ACL grant or a bucket policy statement) is granting the public access, to help with any remediation actions.
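The same check can be done outside the console, which is what makes it usable as a gate in the automated deployment vehicles described above: before (or right after) a pipeline creates a bucket, inspect its ACL and bucket policy and fail the build if any element grants access to everyone. The script below is an added example, not code from the original post or from AWS. It works on the JSON shapes S3 returns for a bucket ACL and a bucket policy; the ACL, policy and bucket name are constructed samples embedded inline so it runs offline, and in a real pipeline you would fetch them with the GetBucketAcl and GetBucketPolicy calls instead. The two canned-group URIs are S3's real AllUsers and AuthenticatedUsers groups; the `audit_bucket` function and its report layout are this example's own.

```python
"""Name the specific S3 ACL grant or bucket-policy statement that makes a bucket public.

Added example (not from the original post). Input shapes follow S3's
GetBucketAcl / GetBucketPolicy responses; the samples at the bottom are constructed.
"""
import json

# Canned groups S3 uses in ACL grants. AllUsers is anonymous access; AuthenticatedUsers
# is any AWS account in the world, which is effectively public as well.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return [(group_name, permission), ...] for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append((PUBLIC_ACL_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def _principal_is_public(principal):
    # A policy principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return Sids (or Statement[i]) of Allow statements whose principal is everyone.

    Statements carrying a Condition block are reported separately as 'conditional':
    whether they are truly public depends on the condition (e.g. aws:SourceVpc),
    so a human should look at them rather than the gate deciding blindly.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    unconditional, conditional = [], []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"Statement[{i}]")
        (conditional if stmt.get("Condition") else unconditional).append(label)
    return {"public": unconditional, "conditional": conditional}


def audit_bucket(name, acl, policy_json=None):
    """Summarise every element exposing the bucket; is_public drives the pipeline gate."""
    report = {"bucket": name, "acl": public_acl_grants(acl),
              "policy": {"public": [], "conditional": []}}
    if policy_json:
        report["policy"] = public_policy_statements(policy_json)
    report["is_public"] = bool(report["acl"] or report["policy"]["public"])
    return report


# --- constructed sample inputs (hypothetical bucket, not a real account) ---
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    print(json.dumps(audit_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

Run against the samples, the report names the AllUsers READ grant and the PublicRead statement as the elements to remove, lists VpcOnly for review, and ignores the Deny statement (a Deny with a wildcard principal restricts access rather than granting it). Failing the pipeline on `is_public` is the cheap, enforceable version of the "lessons before driving" argument above.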