In the initial years of the public cloud, security was cited as the primary reason not to upload sensitive data or valuable workloads into public environments. It’s safe to say that situation has changed in recent years. In fact, 94 per cent of global organisations use cloud services in some way, shape or form, according to our recent Global Advanced Threat Landscape Report.
The public cloud is now regularly used to support digital transformation initiatives, including high-value data or important assets. For instance, nearly half of the 1000 global organisations surveyed in our report indicated that they are using SaaS-based business critical applications, and a similar percentage use the public cloud for regulated customer data.
In fact, as demonstrated recently, the cloud is also used to store vast amounts of citizens’ data by public sector organisations. During a routine project earlier this month, internet security firm vpnMentor found that the personal data of almost all Ecuador’s approximately 17 million citizens – including 6.7 million children – was exposed on an unsecured server in Miami.
This data leak was made possible by a vulnerability on an unsecured AWS Elasticsearch server. Originally, It was believed that the Ecuadorian government had stored the data on this server itself, but it quickly emerged a few days that a local data analytics company called Novaestrat was responsible for the unsecured server, having left the data exposed in the public cloud without a password, allowing anyone to access the data stored on it.
Aside from the scale, this made front-page news due to the sheer breadth of exposed information. The exposed files contained official government ID numbers, phone numbers, family records, marriage dates, education histories and work records.
Notwithstanding whether they should have had the data or not, the most important lesson for those concerned with the ongoing security of client or citizen data held in the public cloud is that they must possess a clear understanding of who is responsible for securing what.
If your organisation uses the public cloud, for example, do you understand the security controls your chosen cloud provider has in place? Is there clarity about what you may need to do to augment those policies and procedures?
Cloud security: a collective responsibility
Our research indicated that organisations are too heavily reliant on cloud vendors to secure critical data and assets. They must ensure credentials that allow access to these data and assets are as well protected in the cloud as they are in an on-premises environment, particularly given some will be privileged in nature. With attackers specifically seeking to compromise high-value privileged credentials as the most effective way to achieve their goals, it is also concerning that so few organisations have a plan to protect them.
Many public cloud providers provide guidance on their shared responsibility models for security and compliance in cloud environments. This guidance typically outlines a shared responsibility model, in which the provider handles security up to a point and, beyond that, it becomes the responsibility of those using the service. The unfortunate reality, however, is that this guidance often gets ignored, or organisations are not aware of it, and leave cloud security solely to their cloud provider.
In fact, our research indicates that the key benefit that the organisations hope to see from their usage of cloud is the ability to –offload security to the cloud vendor, either completely or in part. Cloud vendors rightly take responsibility for certain aspects of security when companies use their services, but they are very clear about where their clients must step in and assume accountability. Protecting customer data remains the responsibility of the client, and businesses must take note of their responsibility. Right now, three quarters entrust the security of their cloud workloads completely to their cloud vendor, while half this number realise that this will not provide them with broad protection, but continue to do it anyway. It’s abundantly clear, therefore, that the shared security responsibility model is either not well-understood or is being ignored by many organisations.
Don’t pass on privilege
If this wasn’t concerning enough, there is also a widespread lack of awareness about the existence of privileged accounts, secrets and credentials in IaaS and PaaS environments, which is exacerbated by the lack of an appropriate strategy to secure them: Less than half have a privileged security plan for the cloud, according to our study, indicating that they could be placing themselves – and their customers’ data – at significant risk.
Ecuador isn’t the only government to inadvertently expose its citizens’ data through an unsecured cloud server, and in all likelihood probably won’t be the last. A similar Elasticsearch server was found to have exposed the voter records of approximately 14.3 million people in Chile – around 80% of its population – earlier this year
As public sector organisations and government departments increasingly look to the cloud to help them become more agile and better serve their citizens, it’s vital they continue to evolve their cloud security strategies to proactively protect against emerging threats, and reinforce trust among the citizens who rely on their services.