Yet another high-profile company has exposed data in an unsecured AWS S3 bucket. Over the past year it was Dow Jones and Verizon; this time it is FedEx, exposing 119,000 scanned documents including passports, driver’s licenses and more. While the S3 bucket in question came from the 2014 FedEx acquisition of Bongo International, the incident highlights the importance of involving company InfoSec departments in any deployment of resources that handle critical data. The ease and agility with which resources can be deployed in the cloud has allowed business users with limited technical skills to deploy on their own, without the scrutiny of InfoSec getting in their way.
The issue at hand should not be whether the cloud is secure (it is), but rather fixing the broken processes that allow corporations to bypass the governance of their IT InfoSec team. I see this frequently when visiting clients. Before the cloud, the requirement to purchase equipment and configure it in a corporate data center involved IT departments in the proper configuration and security of those resources. Now with the cloud, IT departments are left out of the loop, either entirely (the shadow IT problem) or until the very end, when business deadlines don’t leave sufficient time for proper architecture and security designs to be implemented.
As a Cloud Architect, my conversations typically revolve around the issues of People, Process, and Technology. All the best technology in the world is not going to prevent people from bypassing the process and creating vulnerabilities in the cloud. In the February 2018 print edition of SC Magazine (www.scmagazine.com), in an article entitled "Cloudy, With a Chance of Breaches," Karen Epper Hoffman cites multiple security experts who all bemoan the security risks of the cloud. Yet they all go on to state that it is the carelessness of the people who configure these solutions that leads to such breaches. Cloud vendors have made consuming technology so easy that almost anyone can deploy solutions, even if they don’t understand what vulnerabilities they are creating.
An analogy comes to mind for those of us who are parents: it’s great that technology in cars today provides our kids with lane departure warnings, auto-braking and other safety features. However, what parent would let their child go driving in such a technologically advanced vehicle without first having some lessons? In terms of cloud computing, why do companies expect they don’t need similar lessons about keeping their data safe before driving into the cloud? This is where corporate IT and InfoSec departments can step up and lead. By developing automated, yet secure, deployment vehicles, they can let business users stay agile without exposing corporate data in insecure architectures.
Need help developing secure automation deployments around cloud security? Learn more about how Anexinet can help you with your cloud strategy and implementation.
And for those of you now worried about your own S3 buckets, Amazon has implemented more prominent indicators showing whether a bucket is publicly accessible. The console also highlights which specific permission element is granting the public access, to help with any remediation actions.
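The same question the console indicator answers can be asked of a bucket's ACL and policy documents offline. The following is an added example, not code from the original post or from AWS: it assumes input shaped like the S3 `Grants` list and bucket policy JSON, uses constructed sample data and hypothetical function names, and applies a simplified heuristic rather than AWS's own public-access analysis.

```python
# Predefined S3 groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def _is_wildcard(principal):
    """True if a policy Principal is "*" or contains "*" under any key."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" or (isinstance(v, list) and "*" in v)
                   for v in principal.values())
    return False

def public_elements(acl_grants, policy):
    """Return (source, detail) pairs for each element granting public access."""
    findings = []
    for grant in acl_grants:
        group = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if group:
            findings.append(("acl", f"{group}:{grant['Permission']}"))
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal")):
            # A Condition may narrow the grant, so flag it for manual review.
            kind = "policy-conditional" if stmt.get("Condition") else "policy"
            findings.append((kind, stmt.get("Sid", f"statement[{i}]")))
    return findings

# Constructed sample input (not from any real bucket).
SAMPLE_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicGet", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "OneAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    for source, detail in public_elements(SAMPLE_ACL, SAMPLE_POLICY):
        print(source, detail)
```

Each finding names the element to remediate: an ACL grant to remove, or a policy statement whose principal should be narrowed.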