By Sherri Davidoff   /   Sep 12th, 2019

Stopping Cloud Storage Breaches in Their Tracks

Cloud imageCloud storage breaches are becoming all too common, with customers and cloud providers often tussling over who is responsible. Quite often, data in the cloud is publicly exposed because of a simple misconfiguration. Although cloud providers are quick to point the finger at customers, the reality is that some cloud providers offer more effective tools for securing data than others. Both customers and cloud providers share responsibility for preventing cloud storage breaches. Let’s explore the two cloud storage missteps we come across most often, and how you can address these issues.

  1. Misconfiguration Missteps Cause Cloud Storage Breaches

Simple configuration mistakes can cause big problems in the cloud. For example, in the past few years, we have seen a rash of high-profile data exposures that are due to misconfigured Amazon S3 buckets (a popular data repository). All too often, employees upload sensitive data to an Amazon S3 bucket without noticing that it is publicly accessible. Hackers and security professionals alike routinely scan the Internet for these “open” S3 buckets, searching for sensitive data. When found, they may download the data, report it to the media, or both— resulting in costly and embarrassing cloud storage breaches.

The good news is that Amazon has developed several safety mechanisms to reduce your risk. Amazon now offers an automated permission check service which allows you to easily audit the settings on all of your organizations’ buckets, and recently introduced a feature that enables you to block public access to all buckets in your account with the click of a button. Other cloud providers offer similar features to facilitate permissions auditing and inheritance. Ensure your team regularly checks and audits cloud storage permissions, and you can reduce your likelihood of cloud storage breaches.

  1. Lack of Visibility Leads to Leaks

In order to properly secure your data in the cloud, you have to know what type of information you’re storing. However, many organizations are not sure what information they have in the cloud.

According to McAfee, “[lack] of visibility into what data is within cloud applications” is a chief concern for many organizations. Having an accurate cloud data inventory is fundamental. Fortunately, you can take advantage of tools such as Microsoft’s Azure Information Protection or Amazon’s Macie, which can automatically classify and label data in your repositories. That way, you can ensure that sensitive information is appropriately handled and protected.

All too often, employees will upload data to cloud apps that your organization hasn’t sanctioned. Clear policies and regular training are key to reducing the risk of unintended cloud uploads— but it’s wise to supplement with a technical solution, as well. Cloud access security broker (CASB) software is designed to provide visibility into your organization’s cloud usage and enable you to enforce policies automatically. Try using tools such as Amazon’s Macie or one of the tools from eSecurity Planet’s list of top CASB vendors. Knowledge is power, and it can reduce your risks substantially.

Now that we understand two important cloud storage missteps, let’s discuss the seven tips to prevent cloud storage breaches.

  1. Identify all cloud apps in use at your organization.Consider deploying a cloud app security broker (CASB) to help you identify all cloud apps that are in use and enforce your organization’s policies automatically.
  2. Keep track of the data you store in the cloud.Consider deploying automated data classification and protection systems in the cloud to ensure proper handling for each type of data.
  3. Establish a formal “cloud” policythat a) ensures a risk manager or other appropriate person signs off before any new cloud apps are used for your organization’s data and b) provides clear guidelines for your users regarding what data can be uploaded, and what cannot. Make sure to include your cloud policy in regular user awareness training.
  4. Vet all cloud apps carefully before approving them for use. Make sure your cloud provider offers the tools you need to properly secure and audit your data in the cloud. For more details, contact us and request our handy cloud checklist.
  5. Set the *default* permissions for all of your data repositories to PRIVATE, or an equivalently restrictive setting
  6. Regularly audit the configuration settings on your organization’s cloud repositories. Don’t assume that everything is locked down because it would make sense. Trust, but verify.
  7. Check your cloud access logs routinelyto make sure any downloads are appropriate. Whenever possible, configure your cloud app to send logs to your organization’s central repository and alert you if there are any significant changes to the configuration.

Want to make sure your cloud storage repository is secure? Contact us for a cloud security assessment.

About the Author

Sherri Davidoff

Sherri Davidoff is the CEO of LMG Security and the author of “Data Breaches: Crisis and Opportunity.” As a recognized expert in cybersecurity, she has been called a “security badass” by the New York Times. Sherri is a regular instructor at the renowned Black Hat trainings and a faculty member at the Pacific Coast Banking School. She is also the co-author of Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), and has been featured as the protagonist in the book, Breaking and Entering: The Extraordinary Story of a Hacker Called “Alien.” Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN) and received her degree in Computer Science and Electrical Engineering from MIT.  Her latest book, “Ransomware and Cyber Extortion,” will be published this year.