Accenture recently confirmed it inadvertently left private data exposed across four unsecured cloud servers. This is just one of several recent instances of unprotected data in the cloud.
Details of the Accenture Incident
In the case of Accenture, highly sensitive passwords and secret decryption keys were available to download without a password by anyone who knew the servers’ web addresses.
Accenture’s servers were hosted on Amazon’s S3 storage service and contained hundreds of gigabytes of data for the company’s enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100. UpGuard, which discovered the unprotected data, commented that a threat actor accessing it “could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.”
Accenture reported to ZDNet that they “closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system.”
Other Incidents of Lax Cloud Protection
Accenture isn’t the only organization to be in the news recently regarding security of their cloud data.
ZDNet recently reported that an Israeli technology company exposed millions of Verizon customer records by storing this data on an unprotected Amazon S3 storage server. Verizon said it was investigating how its customer data was improperly stored on the AWS server as “part of an authorized and ongoing project” to improve its customer service. Verizon said the vendor’s employee incorrectly set their AWS storage to allow external access.
Personal details of over 198 million American voters were left exposed to the internet by a firm working on behalf of the Republican National Committee (RNC). The data repository, an AWS S3 bucket, lacked any protection against access.
Why is This Cloud Data Unprotected?
The very ease with which almost anyone in an organization can set up storage in the cloud is a big reason why security can be lax. There is a real risk that cloud storage setup does not receive the same scrutiny and process control as on-premises applications.
Satya Gupta, Co-Founder and CTO at Virsec, noted:
“It’s astonishing how many security-conscious organizations seem to lack basic security controls for cloud servers. There’s a reason that most users can’t unilaterally set up their own servers in a corporate data center – they need to be secured, managed, and governed. But almost anyone can set up a server in Amazon, Azure or other cloud servers, and expose sensitive data. The cloud can provide robust infrastructure, but the responsibility for securing data and sensitive apps still rests squarely with the organization.”
In addition to the ease of setup, many organizations are using several cloud providers, further complicating data protection. A recent report from SolarWinds found that 69% of responding IT professionals said their organizations use up to three cloud provider environments. So, the organization must undertake the responsibility of reviewing cloud service-level agreements for multiple providers.
A security expert noted that some organizations have deliberately set up public access for their Amazon S3 buckets.
“And this is the worrying point – the buckets have been configured to allow public access. The default public permissions when creating a bucket are “Do not grant public read access to this bucket” – helpfully accompanied with “Recommended” in brackets. Someone has chosen to change the permissions and it’s tough to explain this away as an accident.”
Amazon offers security options to control access to buckets, including restricting access to specific IP addresses or HTTP referers, and requiring multi-factor authentication (MFA).
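As an added example (not from the article, UpGuard or Amazon), the following Python check reads an S3 bucket policy document and reports Allow statements granted to any principal unless one of the conditions mentioned above (source IP, HTTP referer, MFA) narrows them; the bucket name and both sample policies are constructed.

```python
import json

# Condition keys that narrow a wildcard principal: source IP, HTTP referer, MFA.
NARROWING_KEYS = {"aws:SourceIp", "aws:Referer", "aws:MultiFactorAuthPresent"}

def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in (principal if isinstance(principal, list) else [principal])

def _condition_keys(condition):
    """Flatten a Condition block into the set of condition keys it uses."""
    return {key for block in (condition or {}).values() for key in block}

def find_public_statements(policy_json):
    """Return the Sids of Allow statements usable by any anonymous principal
    with no IP, referer or MFA condition limiting them."""
    statements = json.loads(policy_json).get("Statement", [])
    if not isinstance(statements, list):
        statements = [statements]
    public = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if _condition_keys(stmt.get("Condition")) & NARROWING_KEYS:
            continue  # wildcard principal, but access is narrowed by a condition
        public.append(stmt.get("Sid", "<no Sid>"))
    return public

# Constructed sample policies for a hypothetical bucket, not from any real account.
OPEN_POLICY = json.dumps({"Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
RESTRICTED_POLICY = json.dumps({"Statement": [
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})

if __name__ == "__main__":
    print("open:", find_public_statements(OPEN_POLICY))            # ['PublicRead']
    print("restricted:", find_public_statements(RESTRICTED_POLICY))  # []
```

The check covers only the bucket policy; the ACL-based public-read permission quoted above is a separate setting and must be reviewed on its own.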
As in the Verizon and RNC cases, third parties such as vendors often have access to an organization’s data and may have less rigorous controls and processes in place around data protection.
Insider threats are another potential security risk within cloud environments. The Cloud Security Alliance lists malicious insiders as one of its top 12 cloud computing threats, stating “in a cloud scenario, a hellbent insider can destroy whole infrastructures or manipulate data.”
To mitigate the risk of insider threats, organizations should deploy threat detection software that monitors for suspicious activity, such as unusual file transfers and privileged user actions, and that also covers website and email usage.