Data Deposit Box Exposes 270K Users’ Private Information – Expert Comments

Researchers yesterday published their discovery of a serious data exposure: an open Amazon S3 bucket owned by secure cloud storage provider Data Deposit Box. The leak exposed detailed information about 270,000 private files uploaded by customers through the company's secure cloud storage service. The bucket also revealed personally identifiable information (PII) of customers, which could have serious consequences for those affected.

2 Expert Comments
Sergio Lourerio, Cloud Security Director
InfoSec Expert
March 27, 2020 11:48 am

Today, we are still in the early days of cloud infrastructure security, and we are seeing a prevalence of opportunistic, not very sophisticated attacks, such as looking for publicly accessible AWS S3 data buckets. You'd be amazed to see the data you can find there just by simply scanning low-hanging data in cloud infrastructures. And it only takes a couple of API calls to do it. With a lot of data being migrated to the cloud for use cases like data mining, and a lack of knowledge of security best practices on Azure and AWS, it is very simple to get something wrong, which unfortunately is the case here.

Warren Poschman, Senior Solutions Architect
InfoSec Expert
March 27, 2020 11:26 am

In a regrettable yet avoidable trend, Data Deposit Box is another example of a company that has failed its customers by failing to undertake proper security measures. Surely, heads will roll within their organization, but it's customers that are left with their personal information exposed, resulting in the sting of a privacy violation and the possible lingering pain of identity theft.

In this case, data was left unprotected on AWS S3 storage – something that is 100% avoidable since AWS S3 resources by default now have "block all public access" set and require an explicit override to enable access. This lack of oversight is also a great example of where data-centric security would have kept data secure despite a failure of administrative due diligence. A data-centric security model using technologies like tokenization allows organizations to protect data that is stored anywhere – on-premises or in the cloud – even if unintentional or unauthorized access occurs. Indeed, if this private information had been tokenized, the information and files in the S3 bucket would have been worthless and indecipherable to an attacker. Enterprises need to step up to the plate and take responsibility for the data that they process by ensuring they both follow basic security guidelines from cloud providers and deploy data-centric security to protect data anywhere and everywhere.

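Both comments turn on the same mechanism: Lourerio notes that finding an open bucket takes "a couple of API calls", and Poschman points to the S3 "block all public access" setting as the control that would have prevented it. The following is an added example, not code from the article, from either commenter, or from Data Deposit Box. It models, as pure functions that run without AWS credentials, how S3 combines the four Block Public Access flags with a bucket's ACL and policy to decide whether the bucket is effectively public, and it builds the `put_public_access_block` parameters that close the hole. The sample ACL and policy are constructed for the example; `live_check` is the only function that talks to AWS, and it imports `boto3` lazily so the rest of the module loads without it. The policy check is a deliberate over-approximation: it flags every `Allow` statement with a wildcard principal, whereas AWS exempts statements whose conditions pin the principal to an account, organization or VPC.

```python
"""Decide whether an S3 bucket is effectively public from the three settings
that govern it: Block Public Access, the bucket ACL and the bucket policy."""
import json

# Predefined S3 groups whose presence in an ACL grant makes the grant public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Shape of get_public_access_block()["PublicAccessBlockConfiguration"].
ALL_BLOCKED = {
    "BlockPublicAcls": True,       # reject PUT of new public ACLs
    "IgnorePublicAcls": True,      # ignore public ACLs that already exist
    "BlockPublicPolicy": True,     # reject PUT of new public bucket policies
    "RestrictPublicBuckets": True, # limit an existing public policy to the account
}
# A bucket with no configuration at all behaves as if every flag were False.
NOTHING_BLOCKED = {k: False for k in ALL_BLOCKED}


def acl_is_public(acl):
    """True if any grant targets AllUsers or AuthenticatedUsers (get_bucket_acl shape)."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            return True
    return False


def policy_is_public(policy):
    """True if any Allow statement names a wildcard principal.
    Over-reports: AWS exempts some Condition keys, which are not modelled here."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            return True
    return False


def effective_exposure(pab, acl, policy):
    """Apply the Block Public Access flags the way S3 does and return the list of
    paths ('acl', 'policy') that still leave the bucket reachable by anyone."""
    findings = []
    if acl_is_public(acl) and not pab.get("IgnorePublicAcls", False):
        findings.append("acl")
    if policy_is_public(policy) and not pab.get("RestrictPublicBuckets", False):
        findings.append("policy")
    return findings


def remediation():
    """Keyword arguments for s3.put_public_access_block(Bucket=..., **remediation()):
    the explicit 'block all public access' setting applied to one bucket."""
    return {"PublicAccessBlockConfiguration": dict(ALL_BLOCKED)}


def live_check(bucket):
    """Fetch the three settings for a real bucket and evaluate them.
    Needs AWS credentials; not exercised by the constructed sample below."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = dict(NOTHING_BLOCKED)
    acl = s3.get_bucket_acl(Bucket=bucket)
    try:
        policy = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy = {"Statement": []}
    return effective_exposure(pab, acl, policy)


# Constructed sample responses (not from any real bucket): the pattern in the
# article, a bucket whose ACL grants READ to everyone and that has no policy.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = {"Statement": []}

if __name__ == "__main__":
    print("no block applied:", effective_exposure(NOTHING_BLOCKED, SAMPLE_ACL, SAMPLE_POLICY))
    print("block applied:   ", effective_exposure(ALL_BLOCKED, SAMPLE_ACL, SAMPLE_POLICY))
```

Run as a script it reports `['acl']` for the sample bucket and `[]` once the Block Public Access flags are on, which is the difference Poschman describes: the same misconfigured ACL is harmless once the account or bucket setting overrides it. Note that `IgnorePublicAcls` and `RestrictPublicBuckets` are the two flags that neutralise an existing misconfiguration; the two `Block*` flags only stop new ones from being written.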
Information Security Buzz