Amazon S3 Buckets: Unsecured Exposure of Cloud Data
As the leader of your company the last thing you want to be blamed for is the unsecured exposure of data. However with continued advances in technology, these stories of data breaches and data exposure to malicious actors seems to be becoming more and more of a daily routine. Amazon’s S3 simple storage service had become one of the latest technologies to encounter significant security problems. Expert and cyber security blogger Troy Hunt in his interview with IT Security Central talked heavily about the subject. We’ve organized top facts and relatable links to help you build a better understanding of this S3 storage service.
What is Amazon’s S3 Simple Storage?
Amazon describes its technology as “a simple web services interface that you can use to store and retrieve any amount of data, at any time, from anywhere on the web.” Essentially, it’s a cloud-based web storage application. As a company looking for cloud-based storage, you might be already using this service to store your information. The software focuses on simplicity by storing data in “buckets”. These “buckets” are the main storage unit of the S3 Simple Storage. The storage service offers extensive ability and accessibility.
Where is the security problem?
When we try to narrow down the cause and problem of S3 Simple Storage breaches, we need to go all the way back to the end user. The company employees are the root cause of these storage bucket data loss, and it boils down to they’re not securing the cloud. Users are given the ability to choose how to protect each storage unit on the cloud, choosing to make it “reading” or “reading/writing” accessible. The buckets are secured by default; however, the end user is given the power to choose the accessibility of the information. This is a lot of power to the end-user, and it has many security experts concerned. Human error is at the core of the insecurity of this cloud software.
Further, S3 buckets allow the account owner to view the contents of the cloud, but the bucket can be easily configured to grant world access to the bucket. As this seems to be an easy switch, many companies are running into the problem of data being granted “world access” when it was not meant to be made public. It’s important to remember that these data breaches are due to misconfiguration and not the software itself.
Many companies are starting to see the disadvantages of putting an extensive amount of power in the end user’s grasp. Large corporations like World Wrestling Entertainment encountered a S3 bucket misconfiguration exposing the personal data of three million fans. Furthermore, Verizon announced that a bad set-up bucket left the exposure of between six and 14 million customer data. We can’t forget Alteryx’s failed data protection of more than 123 million US households due to putting a database in plainview.
Amazon has addressed this issue of their S3 bucket software stating:
“We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don’t intend.”
Because of human negligence, many companies seem to be offering their data to malicious criminals on a silver platter.
Top Posts in Data Security
If you’re using the Amazon S3 data storage, it’s time to take a step back and review your security situation. Once understanding the human negligence factor and the easy exposure of cloud data, companies can start devising strategies to eliminate this vulnerability. Here are a few things to consider:
- Make sure to thoroughly access your data storage to make sure the number of user privileges is limited in the S3’s Access Control Lists.
- Many security breaches of the cloud come from third-party vendors. Vendors typically have less rigorous security policies, and if access is granted, they have control. It’s important to understand everyone that has admin control of your company data, and you can begin by asking yourself these important questions.
- Understand the insider threat. Who has accessed and what is being accessed needs to be controlled by company management. If a insider tries with malicious intent to sell company data, that process is granted much ease when the cloud is already granted access to all employees.
- Using monitoring software. Monitoring gives the admin a thorough understanding of access and can “set alerts” when breaches in data occur. Monitoring and tracking is one of the best options for cloud security.
You can read more about how to protect Amazon S3 data storage in this TechTarget article.