Cloud misconfigurations: a surging, but overlooked threat to cloud data security

By Ameesh Divatia, CEO and co-founder | August 27, 2020

Enterprises continue to migrate their workloads to the cloud with the promise of lower costs, increased agility and greater flexibility. But cloud migration also brings risks, as misconfigured cloud services are one of the fastest-growing sources of data breaches. The statistics are astounding. Misconfigured cloud databases are attacked 18 times per day and within only hours of coming online. And the latest Verizon Data Breach Investigations Report found more than 40 percent of all error-related breaches involved misconfigurations.

Last year’s massive Capital One breach is an example of the latter, to the tune of 100 million exposed customers. At the time, Capital One said they “fixed the configuration vulnerability.” But, as it turned out, someone had already stolen the data out of the AWS S3 buckets. And the company now faces an $80 million fine for “failing at security in the cloud.” This incident clearly illustrates that identifying issues only after data is stolen is not the right way to protect data in the cloud.

Understand the complexities of cloud security

While the cloud simplifies many aspects of information infrastructure, especially provisioning, the configuration of security and access controls can be complicated and confusing. In AWS, for example, tools for assigning access permissions to S3 buckets and their content are awkward, complex and still require significant, patient hands-on attention for security issues.

While it is difficult enough to navigate the security complexities of a single cloud service provider (CSP), Gartner research found that 81 percent of organizations surveyed use more than one CSP. As a result, security becomes exponentially more difficult to manage. For example, each CSP has its own native security configurations, dashboards and policies, and swapping between them is not as easy as flipping a switch. This complexity only makes it harder for humans — who can only be proficient in so many systems — to stay on top of security issues.

Although there remains some confusion over who is responsible for security (the company is responsible for security in the cloud; the cloud provider is responsible for security of the cloud), the greater risk is the litany of errors, intentional or otherwise, that can potentially emerge from employees — and increasingly, partners and suppliers — who access a company’s data. Organizations should look at cloud deployment and development processes at an operational level to understand what checks and balances exist to prevent security gaps.

Secure the data analytics pipeline

While most cloud-based infrastructure includes basic cybersecurity protection, it is not enough to stop most hackers because misconfigurations and a lack of access control can still result in a data breach. As companies settle into their new cloud-based realities, they will soon realize the need for a new approach to cloud data protection by securing the data analytics pipeline. This includes:

  • Discovery. You can’t protect what you can’t find. After finding data, typically from external sources, attach a policy that will define how to protect and process it. Look for specific formats of data, such as the nine-digit Social Security number style, or credit card numbers, which begin with a six- or eight-digit issuer identification number.
  • Data masking. Creates a one-way transformation by replacing sensitive content with dummy content so that, should the data be compromised, it presents no threat of loss. This practice is common among companies that use cloud infrastructure for test and development, but it will soon be implemented as a broader security practice at many companies in order to comply with privacy regulations.
  • Tokenization. Similar to data masking, data tokenization takes data and replaces it with new, authentic-looking data as a decoy. This can fool a rogue accessor into believing that it is accessing real data, but still allows data processing in applications that hold the correct key.
  • Improved encryption techniques. Secure the data at the record level and keep it protected by encrypting it not just at rest but also in use, in memory and in the search index without decrypting the data or breaking applications.
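As an added illustration of the discovery and masking steps above (example code written for this page, not code from the original post or from Baffle's product), the following Python scans constructed sample records for the SSN and credit card formats the text describes, applies a Luhn checksum to cut down on false positives, and masks each match one-way so only the last four digits survive:

```python
import re
from typing import Dict, List

# Constructed sample records standing in for rows landing in a cloud bucket (not real data).
SAMPLE_RECORDS = [
    "name=Alice Example ssn=123-45-6789 card=4111111111111111",
    "name=Bob Example ssn=987-65-4321 card=4111111111111112",
    "order=42 note=call 555-0199",
]

# Nine-digit Social Security number in the common 3-2-4 layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digit runs; the leading six or eight digits are the issuer identification number.
CARD_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def discover(record: str) -> Dict[str, List[str]]:
    """Return the sensitive values found in one record, grouped by type."""
    return {
        "ssn": SSN_RE.findall(record),
        "card": [c for c in CARD_RE.findall(record) if luhn_valid(c)],
    }


def mask(record: str) -> str:
    """One-way masking: replace all but the last four digits with asterisks."""
    record = SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], record)
    return CARD_RE.sub(
        lambda m: "*" * (len(m.group(0)) - 4) + m.group(0)[-4:]
        if luhn_valid(m.group(0)) else m.group(0),
        record,
    )


def scan_and_mask(records: List[str]) -> List[str]:
    """Discovery followed by masking, the order the pipeline above prescribes."""
    return [mask(r) if any(discover(r).values()) else r for r in records]
```

In a real pipeline the discovery step would also attach the protection policy the text mentions; here the policy is simply "mask everything found".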

It has been said that data’s nearly endless value makes it “the new oil.” However, some would also assert that data is also the new asbestos: when carelessly handled, it can result in myriad problems that may be difficult to correct. To fully realize data’s potential, organizations should proactively secure data in a manner that reflects their specific needs and challenges and the types of data it stores.

Part of the Baffle weekly webinar series, our webinar “Tokenize Your Data in AWS RDS with AWS KMS” provides an overview of different techniques for cloud data protection.