Another day, another data breach because of poorly configured cloud-based systems. The latest incident, in which up to 6 million customer details for Verizon’s United States customers were exposed, is yet another reminder that the cloud provider and the organization share the responsibility for cloud security.
There is a misconception that the cloud service provider is in charge of securing the cloud environment. That is only half the story. Cloud service providers such as Amazon, Microsoft and Google take care of security for their physical data centers and the server hardware the virtual machines run on, but leave the individual customer in charge of protecting the virtual machines and applications. Cloud providers offer an array of security services and tools to secure customer workloads, but the administrator has to actually implement the necessary defenses. It doesn’t matter what kind of security defenses the cloud provider has in place if the customers don’t protect their own networks, users and applications.
A third-party service provider handled Verizon’s back-office and call center operations and stored all customer call data, which included names, addresses, phone numbers, and account PIN codes of every Verizon customer that called the call center over the past six months, in an Amazon Web Services (AWS) Simple Storage Service (S3) data store. The data collection was meant to help improve the customer service experience, but because the S3 bucket was incorrectly configured to allow external access, anyone patient enough to work out the web address would have been able to download the information. Scammers who got their hands on the data would be able to pose as any Verizon customer on a call and gain access to customer accounts.
This kind of mistake is distressingly common. Recent research by cloud security company RedLock’s Cloud Infrastructure Security team found that 40 percent of organizations have inadvertently exposed at least one public cloud service due to misconfiguration.
Misconfiguration is a serious problem
Verizon is just one of many organizations whose data was exposed on public clouds by mistake. Just a few weeks ago, personal data of over three million wrestling fans was exposed online because World Wrestling Entertainment (WWE) had an unencrypted database on an AWS S3 instance with no access control or password protection enabled. In June, the Republican National Committee confirmed that personally identifiable information of 198 million registered United States voters, approximately 60 percent of voters, had been stored in plaintext on an open Amazon S3 storage server owned by data analytics firm Deep Root Analytics. Defense contractor Booz Allen Hamilton exposed 60,000 files belonging to the Pentagon, including sensitive files tied to a U.S. military project and half a dozen unencrypted security credentials, by storing the files on a public S3 instance.