Having your head in the clouds may not be best for your business: what about your data in the cloud?
Cloud computing has enormously increased business efficiency. By minimizing the need for physical storage space, among other conveniences, cloud technology is the gift that keeps on giving.
However, with those conveniences come cloud data breaches, a concept with which some businesses are all too familiar.
This article will discuss how you can best prevent data breaches with cloud security and analyze real-life cloud breach examples.
What Are Cloud Data Breaches?
A cloud data breach is, like any other data breach, a security failure that results in the accidental or deliberate loss of data (for example, through theft). The difference is that the breach occurs over the cloud network.
As far as breaches go, cloud breaches are relatively unusual in that they involve many responsible parties (as we will see later on).
A cloud network is essentially a “virtual” apartment building. The apartment building is constructed and maintained by a landlord, let’s say Microsoft, and you “rent” a room in that apartment building.
Assuming you are using the virtual space for storage, then we can call that cloud storage space. Many other businesses will be doing the same as you, and they might be your “virtual” storage neighbors.
For this reason, cloud data breaches are unique because a breach that affects the landlord (i.e., Microsoft) will almost certainly affect you. Imagine Microsoft having the master key. If someone steals that key, they can likely open your door and that of your neighbors.
Secure cloud storage has some fail-safes that help contain the breach to a localized area, where only your “keys” are stolen.
Cloud computing is everywhere. Almost every service you engage online, such as web hosting, storage, graphic design services, etc., will use some form of cloud computing (whether it be for data storage or data processing).
Examples of Data Breaches In Cloud Computing
Many businesses have experienced a cloud data breach, with some big-name brands losing out financially, both through fines and in the eyes of their shareholders.
Within the same reports, researchers found that most businesses are concerned with the security state of their public cloud infrastructure.
Let’s look at some of the more significant cloud data breaches of the past decade and what went wrong for these companies.
Capital One 2019
The tenth-largest bank in the United States, Capital One, suffered a cloud data breach in 2019 and reached a settlement agreement of $80 million in rectification.
The cause of the breach was a cloud firewall configuration vulnerability. Attackers managed to exploit a firewall misconfiguration that allowed them to send commands to the impacted servers.
The breach exposed around 80 thousand account numbers and 140 thousand Social Security Numbers (SSNs), primarily affecting Canadian and American residents.
Amazon Web Services (AWS) provided the cloud hosting services.
Accenture
Accenture suffered what would be considered an accidental breach of data. An unintentional breach is one where an attacker takes no direct malicious action against the organization, but the organization still loses data through negligence.
Unfortunately for Accenture, this accidental breach was taken advantage of by hackers. So what happened?
UpGuard, a cyber resilience start-up, discovered during one of its audits that Accenture had a couple of AWS cloud storage buckets that Accenture had not protected. Accenture used Amazon’s S3 storage service and held hundreds of gigabytes of sensitive data in buckets that were not password protected.
Anyone who knew the storage web address could freely log in and download whatever data they wanted, a massive blunder on Accenture’s part.
This compromise could be an easy financing mechanism for attackers (I mean, you should at least get the hackers to work for their money, right?).
Verizon
Verizon suffered a cloud data breach due to a fault by a third-party vendor. Nice Systems, a third-party vendor working for Verizon, committed another configuration faux pas (like others on this list) on an Amazon S3 storage bucket.
Nice Systems’ misconfiguration left customer details, including names, addresses, SSNs, account numbers, and PINs, exposed to the public and to hackers. The blunder left 6 million US customers at risk of identity theft.
Who Is Responsible For Cloud Data Breaches?
As you might have noticed, AWS was the cloud provider of choice for all three companies in all previous examples.
That begs the question: who is responsible for the cloud data breach, the provider or the company? This is pretty straightforward; in every case so far, the company using the services was responsible for the security controls (setting passwords, for example), and that is pretty much the case in all circumstances.
However, the responsibility of security is joint. If the breach were to occur on the server-side of, say, AWS, then Amazon would be the party at fault. Ultimately, it is a question of infrastructure.
It is the responsibility of your organization to do its due diligence when it comes to choosing the best provider. The provider must ensure that they are taking all measures to secure their infrastructure, and selecting the wrong provider can backfire.
It is, however, much worse when the cloud provider is breached than when a single user is. Take Microsoft’s April 2019 Azure breach. This breach was on the provider side, meaning all users were open to being hacked.
Compared to the other examples, the difference is that it is not a localized incident where only one user is affected. These types of breaches can affect multiple users housed in the cloud’s ecosystem. It’s like finding the master key for a hotel that opens all the rooms, as discussed in the introduction.
Cloud Security Best Practices
Knowing about cloud data breaches is a good thing; understanding how they have affected other businesses gives you a leg up. But the best tool at your disposal is best-practice cloud security architecture.
The security architecture is a combination of your technical and organizational security measures. It manifests as a series of processes that will enhance your overall security posture. Thankfully, many of the principles used in “traditional” cybersecurity (i.e., not cloud security) transfer easily to cloud security.
This section will go over some of the best practice cloud security techniques that your business can start implementing today.
Identity and Access Management
If there is anything we can learn from the examples of cloud breaches given above, it is to get your credentials in order.
Firstly, you will want to password protect your cloud storage buckets. Even when you are not storing sensitive information, it is good practice and promotes a security culture within your organization.
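A defender’s check for the bucket exposure described in the Accenture and Verizon cases above, as an added example and not code from the original article or from the companies involved: it reads an S3 bucket policy together with the bucket’s Block Public Access settings, reports whether anyone on the internet can read the bucket, and shows the scoped policy that closes it. The bucket name, account id and role name are constructed placeholders.

```python
import json

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_read_statements(policy_json):
    """Sids of Allow statements that grant read actions to every principal ("*")."""
    found = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        everyone = principal == "*" or principal == {"AWS": "*"}
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") == "Allow" and everyone and actions & READ_ACTIONS:
            # A Condition (e.g. aws:SourceVpce) may narrow "*": still report it, but mark it.
            suffix = " (conditional)" if "Condition" in stmt else ""
            found.append(stmt.get("Sid", "<no Sid>") + suffix)
    return found

def bucket_is_publicly_readable(policy_json, block_public_access):
    """S3 Block Public Access with RestrictPublicBuckets=True neutralises a public policy."""
    if block_public_access.get("RestrictPublicBuckets", False):
        return False
    return any(not s.endswith("(conditional)") for s in public_read_statements(policy_json))

# Constructed sample: the kind of wide-open policy behind the S3 incidents described above.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowEveryone", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

# Hardened form: one named role in a placeholder account, with Block Public Access enabled.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppReader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
BLOCK_NONE = {key: False for key in BLOCK_ALL}

if __name__ == "__main__":
    print("open policy, no block:", bucket_is_publicly_readable(OPEN_POLICY, BLOCK_NONE))  # True
    print("open policy, blocked: ", bucket_is_publicly_readable(OPEN_POLICY, BLOCK_ALL))   # False
    print("scoped to one role:   ", bucket_is_publicly_readable(SCOPED_POLICY, BLOCK_NONE))  # False
```

Run the same two functions over the policy and public-access-block output of your own buckets to find the open ones before an outside audit does.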
Beyond that, you have Identity and Access Management (IAM). IAM is the discipline of managing accounts across your IT infrastructure; you may even be an IAM practitioner without knowing it (more on that later). Complex information systems will have many users logged in at any one time.
Take a university, for example (this applies to any large organization); you have students, teachers, contractors, guests, and IT staff all using the same information system. Students receive login details so they can access their classroom resources and digital library. Teachers have their accounts so they can upload lectures or contact students.
All these accounts require credentials for access (a username and password in most cases). The IT team’s job is to ensure that:
- The people accessing the account are genuine.
- The people accessing the account are within the appropriate privilege level.
Ensuring that the access is genuine can be done in several ways. Today’s most popular way is to employ 2-factor or multi-factor authentication, using a second device, passphrase, or randomly generated number to ensure the user is who they say they are.
The second part is a little trickier to get right, and many breaches occurred because of privilege misconfiguration. Essentially, higher privileged accounts can configure more of the information system than lower privileged ones.
They can execute programs, install software, or make organizational changes. If we look back at the university example, a student account will be limited in what they can do inside the system in most cases.
They might be able to execute programs already installed to aid in their research. They can open the internet browser and send emails. Giving any more power beyond that may jeopardize the information system.
On the other hand, teachers may have more access controls (which might also depend on the department). They might be able to install programs, given permission, or change user access to their classroom (allowing students to join and barring access to the other students).
Finally, we have the IT department, the administrative accounts. They, theoretically, should have the most control over the information system, such as enabling patches, restricting internet access (firewall control), or blocking users entirely.
In terms of data breaches, a breached admin account could spell disaster for your organization. For this reason, IAM is an essential tool in cloud security. You should ensure that non-technically inclined employees are not given too much power within the information system.
It is a balancing act between giving enough access to carry out tasks efficiently and your organization’s overall security.
As part of the IAM package, you also need to consider password management as a tool in cloud security. Password management could be regarded as a branch of IAM but still needs to be managed separately.
Essentially, password management is creating a company policy that regulates the kind of passwords that are accepted and the password retention time frame. A password retention timeframe stipulates how long an employee is allowed to keep a password.
There is no one correct answer here, but your organization should rotate passwords regularly. Consider every three or six months, depending on the kind of data employees process; an annual rotation may be too long.
The second part of password management is ensuring that passwords are strong. Strong in this case means as close to impossible to crack as is feasible. No password is uncrackable, but some would take centuries to break.
Some common password policies that you will see used are:
- No dictionary words allowed
- At least one uppercase, one number, and one special character
- No words that have any relation to you specifically, family names, etc
Many online service providers with a login portal (like social media) will ask individual users to adhere to the second rule.
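As an added example (not code from the original article), a small checker that applies the three rules just listed; the word list and the user’s personal terms are constructed stand-ins, and the substitution table is a common heuristic rather than any standard.

```python
import string

# Constructed stand-in for a real word list; in production load a full dictionary file.
DICTIONARY = {"password", "welcome", "summer", "dragon", "office", "secure"}
SPECIALS = set(string.punctuation)
# Substitutions people use to dodge dictionary checks (p@ssw0rd); undo them before matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def _normalise(text):
    return text.lower().translate(LEET)

def _contains_word(password, words, min_len=4):
    """Return the first word of at least min_len characters found inside the password."""
    norm = _normalise(password)
    for word in words:
        if len(word) >= min_len and _normalise(word) in norm:
            return word
    return None

def policy_violations(password, user_terms=()):
    """Apply the three rules listed above; return human-readable failures (empty = accepted)."""
    failures = []
    word = _contains_word(password, DICTIONARY)
    if word:
        failures.append(f"contains dictionary word '{word}'")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    term = _contains_word(password, user_terms, min_len=3)
    if term:
        failures.append(f"contains personal term '{term}'")
    return failures

if __name__ == "__main__":
    # Constructed user record: first name, surname and a child's name feed rule 3.
    alice = ("Alice", "Kowalski", "Tomasz")
    for candidate in ("Summer2024!", "T0masz#9", "xq7!Vr2$pLw"):
        print(candidate, "->", policy_violations(candidate, alice) or "accepted")
```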
Use SIEM To Monitor User Activity
The final at-home remedy you can employ today is to get yourself a Security Information and Event Management (SIEM) program.
A SIEM is your best friend in detecting potential breaches. We have a wealth of resources on our blog discussing SIEM, so please browse for more information. In brief, a SIEM is a detection program that can help you find, flag, and analyze certain security-related events on your information system.
It will calibrate to your information system’s typical behavior and alert you if it finds suspicious behavior. It will then be up to you to analyze whether the event is of concern or not.
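The calibrate-then-alert behaviour described above, as an added example that is not code from the original article or from any SIEM product: a baseline of each user’s normal login sources and hours is built from constructed log lines, and a later batch is scored against it. The log format and the TEST-NET addresses are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed log format (not from any real product): ISO timestamp, user, source, result.
LINE = re.compile(r"\S+T(?P<hour>\d\d):\S+ user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")

def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if m:  # silently skip lines that do not match the expected format
            yield {**m.groupdict(), "hour": int(m["hour"])}

def build_baseline(events):
    """Calibration: per user, the source addresses and login hours seen in normal use."""
    base = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for e in events:
        if e["result"] == "success":
            base[e["user"]]["srcs"].add(e["src"])
            base[e["user"]]["hours"].add(e["hour"])
    return base

def detect(events, baseline, fail_threshold=2):
    """Alert on failure bursts per (user, source) and on successes from a new source or hour."""
    alerts, failures = [], defaultdict(int)
    for e in events:
        user, src, hour = e["user"], e["src"], e["hour"]
        prof = baseline.get(user, {"srcs": set(), "hours": set()})  # unknown user: all new
        if e["result"] != "success":
            failures[user, src] += 1
            if failures[user, src] == fail_threshold:
                alerts.append(f"{user}: {fail_threshold} failed logins from {src}")
        elif src not in prof["srcs"]:
            alerts.append(f"{user}: success from new source {src}")
        elif hour not in prof["hours"]:
            alerts.append(f"{user}: success at unusual hour {hour:02d}:00 UTC")
    return alerts

BASELINE_LOG = [  # constructed calibration window
    "2024-05-01T09:12:03Z user=alice src=203.0.113.10 result=success",
    "2024-05-02T10:01:44Z user=alice src=203.0.113.10 result=success",
    "2024-05-02T08:30:00Z user=bob src=203.0.113.22 result=success",
]
NEW_LOG = [  # constructed day under review
    "2024-05-03T09:05:00Z user=alice src=203.0.113.10 result=success",  # normal
    "2024-05-03T03:14:00Z user=alice src=203.0.113.10 result=success",  # unusual hour
    "2024-05-03T11:00:00Z user=bob src=198.51.100.7 result=failure",
    "2024-05-03T11:00:05Z user=bob src=198.51.100.7 result=failure",    # burst
    "2024-05-03T11:00:30Z user=bob src=198.51.100.7 result=success",    # new source
]

def run():
    return detect(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG)))
```

Calling run() returns three alerts for the constructed day; as the text says, deciding whether each one matters is still an analyst’s job.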
However, a SIEM is not for the inexperienced; it is best paired with a team who knows what they are doing, which brings us to our final point.
Partner With A Managed Security Service Provider (MSSP)
Cybersecurity is a task that scales with the business. The larger your organization grows, the more protection it requires. Cloud data security is a small portion of your overall cybersecurity posture.
It is easy to fall behind on your security needs if you don’t take a holistic approach to security. Applying best practice models takes dedication and effort.
An MSSP is your road to cybersecurity best practice. They will take your security responsibilities and turn them into an asset for your organization.