Researchers with WizCase have discovered an unsecured Elasticsearch server leaking 25GB of data linked to users of the popular Family Tree Maker software. Among the details leaked to the public-facing internet were email addresses, geolocation data, IP addresses, system user IDs, support messages, and technical details.
As the Family Tree Maker scenario clearly displays, security administrators need to move beyond reinforcing their perimeter boundaries and access mechanisms. This is not to say that they should neglect perimeter security. However, no matter how much effort and investment are poured into securing the borders of their data environment, sensitive data will inevitably wind up in the wrong hands, whether through intentional intrusion and theft, unintentional distribution, or plain lack of oversight.
Data-centric security addresses the need for security to travel with the data it protects, rather than merely securing the boundaries around that data. Standard encryption-based security is one way to do this, but encryption methods come with sometimes-complicated administrative overhead to manage keys. Also, many encryption algorithms can be easily cracked. Tokenization, on the other hand, is a data-centric security method that replaces sensitive information with innocuous representational tokens. This means that, even if the data falls into the wrong hands, no clear meaning can be derived from the tokens. Sensitive information remains protected, leaving threat actors unable to capitalize on the breach and the stolen data.
Had this highly sensitive personal data been tokenized in the Family Tree Maker environment, none of it would have had the potential to compromise individual users. This type of preventive measure helps keep organizations within compliance regulations and helps them avoid other liability-based repercussions.
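As an added example, not code from the article or from the Family Tree Maker software, here is a minimal vault-based tokenizer in Python applied to a constructed record with the kinds of fields the article says were exposed; the field names, the sample values and the vault design are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Any

class TokenVault:
    """Vault-based tokenization: tokens are random values with no mathematical
    relation to the data, so a leaked index of tokens reveals nothing."""

    def __init__(self, lookup_key: bytes) -> None:
        self._token_to_value: dict[str, str] = {}
        # Keyed-hash index so an identical value always gets the same token
        # (joins and analytics keep working) without storing plaintext as a key.
        self._index: dict[str, str] = {}
        self._lookup_key = lookup_key

    def _fingerprint(self, field: str, value: str) -> str:
        msg = f"{field}\x00{value}".encode()
        return hmac.new(self._lookup_key, msg, hashlib.sha256).hexdigest()

    def tokenize(self, field: str, value: str) -> str:
        fp = self._fingerprint(field, value)
        if fp not in self._index:
            token = "tok_" + secrets.token_hex(16)
            self._token_to_value[token] = value
            self._index[fp] = token
        return self._index[fp]

    def detokenize(self, token: str) -> str:
        # Unknown or forged tokens raise KeyError rather than yielding data.
        return self._token_to_value[token]

# Assumed field names for the kinds of data the article lists as leaked.
SENSITIVE_FIELDS = ("email", "ip_address", "geolocation", "system_user_id")

def tokenize_record(record: dict[str, Any], vault: TokenVault) -> dict[str, Any]:
    """Copy of a record that is safe to index in a search cluster."""
    return {k: vault.tokenize(k, v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

def detokenize_record(record: dict[str, Any], vault: TokenVault) -> dict[str, Any]:
    """Restore the original values; only callers holding the vault can do this."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

# Constructed sample record (not real user data).
SAMPLE = {"email": "user@example.com", "ip_address": "203.0.113.7",
          "geolocation": "40.71,-74.01", "system_user_id": "u-1001",
          "support_message": "Sync keeps failing", "app_version": "2019.2"}
```

The tokenized copy is what a search index would hold: anyone who reads it without access to the vault sees only random tokens, while the vault itself must live in a separately secured store.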
The reality is that we are going to continue to see these types of configuration errors, and the data loss that results from them, over and over again; you have to find a way to constantly assess your cloud security posture. Beyond taking an automated approach to enforcement of cloud security and compliance best practices, you really need to emphasize a data-centric approach. Many practitioners are focused so heavily on identity management that they may overlook the need to combine identity, configuration, and data security practices. The organizations that we see having success in preventing these incidents are extremely focused on protecting cloud data at the source. You have to work really hard to know where all the data lives and enforce the right policies.