Last fall, a security researcher discovered four Amazon S3 storage buckets with highly sensitive data such as client credentials and a backup database containing 40,000 passwords. Accenture had accidentally set the buckets to allow public access, and all the information was fully exposed. The researcher notified Accenture, and Accenture locked down the data the next day.
Accenture wasn’t alone. Other companies that left their Amazon S3 buckets open to the public included Dow Jones, Verizon, and military intelligence agency INSCOM. The flood of the bad news continued.
In November, Uber disclosed that hackers got their hands on personal information on 57 million users, also stored on Amazon Web Services (AWS), then paid off the hackers and tried to conceal the breach. Then, last month, an Experian client purchased a data set containing information about 120 million US households — and also left the data exposed in a public Amazon S3 bucket.
According to a recent report by RedLock, 53 percent of organizations that use cloud storage services like Amazon S3 have accidentally exposed at least one such service to the public. “We found 250 organizations leaking credentials to their cloud AWS environments,” says Varun Badhwar, CEO and co-founder at RedLock, Inc.
The problem of misconfigured cloud services is much bigger than just AWS, and, as more data and applications move to the cloud, is only getting worse, experts say. When RedLock analyzed more than 5 million resources in customer environments, as well as vulnerabilities in public cloud computing environments, it found that 37 percent of databases were accepting inbound connections directly from the internet — and 7 percent of these databases were already being accessed from suspicious IP addresses. “Databases should never be exposed to the internet,” RedLock reported.
It’s not just databases. Configuration errors can also allow hackers to use enterprise cloud accounts to set up Bitcoin mining operations. Aviva and Gemalto were among the companies hit, according to RedLock research. It’s already a big problem today, Badhwar says. “In 2018, we’re going to see a lot more of this.”
For companies that run entirely in the cloud, the entire business can be at risk. That has some looking for help with monitoring and verifying cloud security configuration. “Resource misconfiguration is a serious threat, especially given the size of our public cloud computing footprint,” says David Tsao, global information security officer at Veeva Systems, Inc., which offers a cloud-based content management system for the life sciences industry. The cloud-based business model is a “huge factor” in the company’s success, he says. The company needed a way to continuously monitor its entire cloud environment, including the resource configurations.