What Internal Confidential Data can be Accessed in the Cloud?

Cloud services offer great way to be agile, scale up and down and offer cutting edge services that are being added to and augmented almost on a weekly basis.

But as data migrates to a public cloud service, the sovereignty and protection over some of the data being utilised in the cloud does need a further governance layer.

There have been numerous of recent examples of what is a ‘cloud misconfiguration error’ from organisations such as Dow Jones, Verizon and the US Republican National Committee.

What it has appeared to have happened, courtesy of an independent cybersecurity firm, is that the limitations on what data can be exposed to the public and what should be kept confidential and limited is down to a configuration setting within the administration area.

What is the impact?

BUSINESS REPUTATION!!

The obvious answer is the reputation of your organisation to ensure secure and confidential business is

upheld…

From the recent leaks the following has occurred:

• Dow Jones confirmed the AWS data leak included customer names, email addresses and some partial credit card numbers, but said no full credit cards or account credentials were part of the cloud data leakage. Dow Jones claimed issue affected 2.2 million customers, but it is estimated the number to be “closer to 4 million.”

• Verizon’s partner NICE Systems found that a misconfigured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon, per analysis of the average number of accounts exposed per day in the sample that was downloaded.

• Republican National Committee (RNC)’s data was subject to the largest known data exposure of its kind, due to a misconfigured database containing the sensitive personal details of over 198 million American voters was left exposed to the internet by a firm working on behalf of the Republican National Committee (RNC) in their efforts to elect Donald Trump. The data, which was stored in a publicly accessible cloud server owned by Republican data firm Deep Root Analytics, included 1.1 terabytes of entirely unsecured personal information compiled by DRA and at least two other Republican contractors, TargetPoint Consulting, Inc. and Data Trust.

“Amazon defaults to provide, and provides, multiple security mechanisms to prevent S3 buckets from being made public accidentally. Right now, it’s very easy to manage within AWS. But if you want to share data with someone outside AWS and you aren’t overly familiar with AWS security, you might be tempted to just make the bucket public,” Rich Mogull, analyst and CEO at Phoenix-based Securosis, told SearchSecurity. “That’s what I assume happened in most or all of these situations — someone needed to share data. They were using AWS, but weren’t familiar with it and didn’t look up the documentation on how to handle this securely. They took the easy way out and made the bucket public.”

What is SCC’s Solution?

What is critical to avoiding this, is a process assessment and understanding the governance and administration policies that are in place.  By understanding this, SCC can provide advice and guidance on how best to protect the data that shouldn’t be customer facing.

Contact SCC today [email protected]