There’s an alarming trend in IT security breaches lately. IT administrators are posting confidential data to cloud servers where the data has little to no protection from hackers and other unauthorized users.
In June, Deep Root Analytics, a data firm working on behalf of the Republican National Committee (RNC) had inadvertently exposed voting records and demographic data about 198 million Americans. The data had been posted on an AWS server, where it was protected by an easy-to-guess six-character string.
Then, in July, the Swedish government reported a data breach that exposed vast amounts of information about private citizens; infrastructure projects; and even the identities and locations of law enforcement, military intelligence and national security agents. The breach, “a total breakdown” according to Prime Minister Stefan Lofven, was the result of the Swedish Transport Agency and their technology partner, IBM Sweden, doing a poor job of implementing security controls and only a cursory security vetting of employees. Securing the exposed information is expected to take several months.
Also in July, the same security firm that discovered the Deep Root Analytics / RNC Amazon Web Services S3 data breach—announced a security breach at Down Jones & Company, exposing personally identifiable information (PII) to between 2.2 and 4 million subscribers to Dow Jones publications such as Barron’s and The Wall Street Journal. Like the RNC data breach, this breach involved misconfigured permissions for Amazon S3 storage. An administrator set up permissions to allow access by all AWS “Authenticated Users,” which turns out to mean all Internet users who have registered for an AWS account (AWS registration is free and open to the public).
UpGuard, the security firm that discovered the breach (they also discovered the breach at Deep Root Analytics), noted in a blog post: “The revelation of this cloud leak speaks to the sustained danger of process error as a cause of data insecurity, with improper security settings allowing the leakage of sensitive information of millions of Dow Jones customers.” Malicious actors could use the data to perpetrate any of a number of attacks using techniques that have been successful in the past.
Perhaps because July has 31 days, security firms figured they could squeeze just one more data breach involving mismanagement of public cloud security controls into the month. Security firm Kromtech discovered an unsecured database exposing personal information belonging to over 3 million World Wrestling Entertainment (WWE) fans. The personal data included home and email addresses, birthdates, ethnicity, earnings, educational background and even age ranges and genders of fans’ children. All this data was available in plain text to anyone who knew the web address. WWE is investigating whether it or an IT partner was to blame for the misconfiguration and subsequent breach of this database as well as another database containing personal information of mostly European WWE fans on another AWS S3 server.
Clearly, a disturbing pattern has emerged this summer: there is an inability among organizations to secure customer PII stored on public cloud storage solutions like AWS. It prompted Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology to comment, "It's unfortunate Amazon doesn't have a 'neighborhood patrol' of sorts for S3 that checks for open buckets with sensitive data - jiggling the locks, checking for apparent misconfigurations - and then takes them offline."
Mitigate the Risk of Process Errors with kiteworks
Given AWS’ market share, they make an easy target, however, AWS isn’t the root of the problem. Instead, it’s the customer or partner administrators managing databases on AWS who need scrutinizing. These administrators have access to a plethora of security controls available on AWS but none of them will work if they’re disabled (read: turned off).
Organizations are going to continue to use public cloud services like Amazon S3. And employees in those organizations, or contractors partnering with those organizations, will continue to work under pressure and extraordinarily tight deadlines, putting themselves at risk of misconfiguring security controls or overlooking security best practices.
For many organizations, particularly those in highly regulated industries, storing data on a multi-tenant public cloud solution is not an option. There is an alternative.
Accellion’s secure content collaboration platform, kiteworks, provides a single, controlled interface that integrates with on-prem and cloud-based content systems so they can access, edit, send and collaborate on confidential files safely. A robust security framework consisting of a hardened VM appliance that can be deployed in a private or hybrid cloud; encryption of content in transit and at rest; encryption key ownership; DLP integration; role-based permissions and many more security features ensure sensitive information is only accessible by authorized users. Organizations are also able to achieve the highest levels of governance with kiteworks by leveraging compliance intelligence capabilities including detailed file activity; auditable logs; and granular policy controls.
With kiteworks, organizations have an added layer of security and governance that protects all content that comes into an organization, is stored within the organization—either on-prem or in the cloud, or leaves the organization.
To learn more about kiteworks and its benefits for cloud security, please contact us.