Private Data on Public Clouds
Low Hanging Cloud Leaks Reign Over Data Privacy Fears
Wrestling fans. Voters in Chicago. Military veterans. Over the past four months, members of these groups have all had their personal information exposed through what have come to be called “cloud leaks”. This post looks at what can be done to secure private data on public clouds.
“53% of organizations using cloud storage services such as Amazon Simple Storage Service (Amazon S3) had inadvertently exposed one or more such services to the public.”
— RedLock Cloud Infrastructure Security Trends (October 2017 Edition)
Amazon’s Simple Storage Service (S3) has made storing data in the cloud trivial. The same ease has made careless data handling trivial too, putting the reputations of enterprises and the sensitive data of their customers in jeopardy.
S3 is an object storage service that stores data, and its corresponding metadata, in “buckets”. Over the past four months, it has become commonplace to read about organizations that exposed supposedly private buckets to the public.
By default, all Amazon S3 resources are private: only the AWS account that created a resource can access it. That default has not prevented the following twelve incidents from occurring over the past four months:
- July — WWE customer data leaked https://mackeepersecurity.com/post/world-wrestling-entertainment-leaks-3-million-emails
- July — Dow Jones customer records leaked https://www.upguard.com/breaches/cloud-leak-dow-jones
- July — Republican National Committee records leaked via Deep Root Analytics https://www.upguard.com/breaches/the-rnc-files
- July — Verizon customer records leaked via third-party vendor https://www.upguard.com/breaches/verizon-cloud-leak
- August — Highly sensitive military data leaked via Booz Allen Hamilton https://www.upguard.com/breaches/spy-games
- August — Chicago voting records leaked https://www.upguard.com/breaches/cloud-leak-chicago-voters
- September — Resumes of military veterans with “Top Secret” US government security clearance leaked https://www.upguard.com/breaches/cloud-leak-tigerswan
- September — Verizon’s Distributed Vision Services data leaked https://mackeepersecurity.com/post/verizon-wireless-employee-exposed-confidential-data-online
- September — Stolen Vehicle Records data leaked https://mackeepersecurity.com/post/auto-tracking-company-leaks-hundreds-of-thousands-of-records-online
- October — Blood test results leaked https://mackeepersecurity.com/post/patient-home-monitoring-service-leaks-private-medical-data-online
- October — Viacom’s secret cloud keys leaked https://www.upguard.com/breaches/cloud-leak-viacom
- October — Accenture Cloud Platform data leak https://www.upguard.com/breaches/cloud-leak-accenture
How can we ensure that our S3 buckets don’t spill out onto the headlines?
1. Understand the AWS Shared Responsibility Model.
Under the AWS Shared Responsibility Model, AWS is responsible for protecting the infrastructure that runs the AWS Cloud. For Infrastructure as a Service (IaaS) offerings such as S3, you are responsible for the security configuration and management of what you put on that infrastructure: bucket permissions, encryption, logging, and access control. When you read a headline about an S3 leak, understand that the culprit is the AWS customer’s configuration, not the AWS Cloud.
2. For sensitive data, configure your buckets to be PRIVATE. Period.
3. Follow the Principle of Least Privilege
Grant only the privileges essential for users to complete their work. Many users may need Create/Read/Update/Delete (CRUD) access to the objects in a bucket; very few need permission to change bucket policies or ACLs, and those are precisely the permissions that turn a private bucket into a public one.
4. Encrypt your data in motion.
“ 51% of the network traffic in public cloud infrastructure environments is still occurring on port 80, the default web port that receives clear (unencrypted) traffic.”
— RedLock Cloud Infrastructure Security Trends (May 2017 Edition)
Use HTTPS everywhere. S3 accepts both HTTP and HTTPS, so enforce it: a bucket policy that denies requests where the aws:SecureTransport condition key is false rejects any client that falls back to plain HTTP.
5. Encrypt your data at rest.
“ 7% of all S3 buckets have unrestricted access, and 35% are unencrypted.”
— Skyhigh Networks
Encrypting data in transit is necessary but not sufficient; data must also be encrypted where it sits.
Data comes in all shapes and sizes, and every sensitive piece of it should be encrypted: documents and images, but also historical backup files. Backups are too often omitted because they are not in active use; yet a compromised, unencrypted backup hands over intellectual property, and everything else in it, wholesale.
6. Leverage the power of machine learning to discover, classify, and protect sensitive data.
While attending this year’s AWS Summit New York, I was introduced to Amazon Macie. Macie represents the intersection of machine learning and data security. Below is an abbreviated list of the capabilities afforded to us by Macie related to data discovery, classification, and S3 data security:
- New data in your AWS environment is continuously monitored
- Artificial Intelligence (AI) is used to derive patterns based on historical data
- Natural Language Processing (NLP) is used to understand human language in data
- Identification of Protected Health Information (PHI), Personally Identifiable Information (PII), regulatory documents, and security keys
- Detection and notification of large business-critical documents being shared
7. Automate the creation of S3 Buckets.
Manual, one-off configuration of S3 buckets was at the heart of most of the cloud leaks listed above. To mitigate this risk, use CloudFormation to create and manage S3 buckets in an orderly and predictable manner: the template is reviewed once, kept under version control, and applied the same way every time, so a bucket cannot quietly drift from private to public.
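As an added example that ties points 4, 5 and 7 together (this is not the post’s code and not an AWS-published template), the function below generates a CloudFormation template, in JSON, for a private bucket that encrypts at rest by default, keeps versions, ships access logs, and carries a bucket policy that denies plain-HTTP requests and unencrypted uploads. A second function checks that a template still has those controls, the kind of guardrail you would run in CI before `aws cloudformation deploy`. Bucket names are template parameters, so nothing refers to a real account. `BucketEncryption` and `PublicAccessBlockConfiguration` are real `AWS::S3::Bucket` properties that postdate this post (November 2017 and November 2018 respectively).

```python
"""CloudFormation template for a private, encrypted, versioned, logged S3 bucket.

Added example, not from the original post. Generates a JSON template with an
AWS::S3::Bucket and an AWS::S3::BucketPolicy, plus a guardrail check.
"""
import json

BUCKET_ARN = {"Fn::GetAtt": ["DataBucket", "Arn"]}   # arn:aws:s3:::<bucket>
OBJECTS_ARN = {"Fn::Sub": "${DataBucket.Arn}/*"}     # arn:aws:s3:::<bucket>/*


def hardened_bucket_policy():
    """Deny statements that bind every principal, the bucket owner included."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # point 4: refuse anything that is not TLS
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [BUCKET_ARN, OBJECTS_ARN],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # point 5: refuse uploads that do not ask for server-side encryption
                "Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": OBJECTS_ARN,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {   # ...or that ask for anything other than SSE-S3 (AES256)
                "Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": OBJECTS_ARN,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
            },
        ],
    }


def hardened_bucket_template():
    """Point 7: the whole bucket declared once, applied identically every time."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Private, encrypted, versioned, logged S3 bucket (example)",
        "Parameters": {
            "BucketName": {"Type": "String"},
            "LogBucketName": {"Type": "String",
                              "Description": "Existing bucket that already accepts S3 log delivery"},
        },
        "Resources": {
            "DataBucket": {
                "Type": "AWS::S3::Bucket",
                "Properties": {
                    "BucketName": {"Ref": "BucketName"},
                    "AccessControl": "Private",                      # point 2
                    "PublicAccessBlockConfiguration": {              # no public ACL/policy can be set later
                        "BlockPublicAcls": True, "IgnorePublicAcls": True,
                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
                    },
                    "BucketEncryption": {                            # point 5: encrypted at rest by default
                        "ServerSideEncryptionConfiguration": [
                            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
                        ]
                    },
                    "VersioningConfiguration": {"Status": "Enabled"},  # recover from overwrite/delete
                    "LoggingConfiguration": {                          # point 8
                        "DestinationBucketName": {"Ref": "LogBucketName"},
                        "LogFilePrefix": {"Fn::Sub": "${BucketName}/"},
                    },
                },
            },
            "DataBucketPolicy": {
                "Type": "AWS::S3::BucketPolicy",
                "Properties": {"Bucket": {"Ref": "DataBucket"},
                               "PolicyDocument": hardened_bucket_policy()},
            },
        },
    }


def missing_controls(template):
    """Names of the controls a template lacks; an empty list passes the guardrail."""
    res = template.get("Resources", {})
    bucket = next((r for r in res.values() if r.get("Type") == "AWS::S3::Bucket"), {})
    props = bucket.get("Properties", {})
    missing = []
    if props.get("AccessControl") not in (None, "Private"):  # CloudFormation's default is Private
        missing.append("private ACL")
    if not props.get("BucketEncryption"):
        missing.append("default encryption")
    if not props.get("LoggingConfiguration"):
        missing.append("access logging")
    deny_sids = {s.get("Sid")
                 for r in res.values() if r.get("Type") == "AWS::S3::BucketPolicy"
                 for s in r["Properties"]["PolicyDocument"].get("Statement", [])
                 if s.get("Effect") == "Deny"}
    if "DenyInsecureTransport" not in deny_sids:
        missing.append("TLS-only policy")
    return missing


def template_json(template=None):
    """Serialised template, ready for `aws cloudformation deploy --template-file`."""
    return json.dumps(template or hardened_bucket_template(), indent=2)
```

Write `template_json()` to a file and deploy it with `aws cloudformation deploy --template-file bucket.json --stack-name <stack> --parameter-overrides BucketName=<name> LogBucketName=<log bucket>`. One caveat a practitioner will hit: the two `s3:PutObject` deny statements predate default encryption and reject any client that omits the `x-amz-server-side-encryption` header, even though `BucketEncryption` would have encrypted the object anyway. Keep them when you want every client to state its intent explicitly; drop them when you rely on default encryption and cannot change the clients.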
8. Enable and Monitor your Logs.
Enable logging for your S3 buckets. CloudTrail records the API calls made against a bucket (bucket-level calls by default, object-level reads and writes if you enable data events), and S3 Server Access Logging records every request to the bucket, including anonymous ones, which is exactly the traffic a public bucket attracts. Logs that nobody reads catch nothing; it is your responsibility to monitor their output.
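What “monitoring the output” looks like in practice, as an added example that is not part of the original post: a parser for S3 server access log lines and two detections run over them. A successful request whose requester field is `-` was made anonymously, so the object was effectively public; a `REST.PUT.ACL` or `REST.PUT.POLICY` operation changed who can access the bucket. The four log lines, the bucket name `acme-reports`, the canonical ID and the IP addresses are all constructed for this example.

```python
"""Detections over S3 server access log lines.

Added example, not from the original post. Fields follow the documented S3
server access log format up to user_agent; later fields are ignored.
"""
import re

LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<request_uri>[^"]*)" '
    r'(?P<status>\S+) (?P<error>\S+) (?P<bytes_sent>\S+) (?P<object_size>\S+) '
    r'(?P<total_time>\S+) (?P<turnaround>\S+) "(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

# Operations that rewrite a bucket's access controls.
PERMISSION_OPS = {"REST.PUT.ACL", "REST.PUT.POLICY"}

# Constructed sample log (canonical ID, bucket, IPs and keys are made up).
OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
SAMPLE_LOG = [
    # owner reads an object over the CLI: normal
    f'{OWNER} acme-reports [03/Nov/2017:14:02:11 +0000] 203.0.113.7 {OWNER} 3E57427F3EXAMPLE '
    f'REST.GET.OBJECT q3/summary.pdf "GET /acme-reports/q3/summary.pdf HTTP/1.1" 200 - 31337 31337 42 11 '
    f'"-" "aws-cli/1.11.0" -',
    # anonymous requester downloads a backup and gets 200: the bucket is leaking
    f'{OWNER} acme-reports [03/Nov/2017:14:05:30 +0000] 198.51.100.23 - 8F2A1B9CEXAMPLE '
    f'REST.GET.OBJECT backups/db-2017-10.sql.gz "GET /acme-reports/backups/db-2017-10.sql.gz HTTP/1.1" '
    f'200 - 9048576 9048576 1203 15 "-" "Mozilla/5.0" -',
    # anonymous requester is denied: S3 did its job, nothing to flag
    f'{OWNER} acme-reports [03/Nov/2017:14:06:02 +0000] 198.51.100.23 - 7C1D0E4AEXAMPLE '
    f'REST.GET.OBJECT hr/payroll.xlsx "GET /acme-reports/hr/payroll.xlsx HTTP/1.1" 403 AccessDenied '
    f'243 - 4 - "-" "Mozilla/5.0" -',
    # someone rewrote the bucket ACL from the console: find out who and why
    f'{OWNER} acme-reports [03/Nov/2017:14:10:45 +0000] 203.0.113.7 {OWNER} 5A9B3C1DEXAMPLE '
    f'REST.PUT.ACL - "PUT /acme-reports?acl HTTP/1.1" 200 - - - 27 - "-" "S3Console/0.4" -',
]


def parse_line(line):
    """Dict of named fields, or None when the line is not an access log record."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit(lines):
    """Return a list of finding tuples; the first element names the detection."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("UNPARSED", line[:60]))
            continue
        succeeded = rec["status"].startswith("2")
        if rec["requester"] == "-" and succeeded:
            findings.append(("ANONYMOUS_ACCESS", rec["bucket"], rec["operation"],
                             rec["key"], rec["ip"]))
        if rec["operation"] in PERMISSION_OPS:
            findings.append(("PERMISSION_CHANGE", rec["bucket"], rec["operation"],
                             rec["requester"], rec["status"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Feed it the objects from your log-delivery bucket (they are plain text, one record per line) and route `ANONYMOUS_ACCESS` findings to whoever owns the bucket the same day: each one is a download that already happened, not a configuration you can still fix quietly.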
9. Run AWS Trusted Advisor.
If you have an AWS Business or Enterprise support plan, you can use Trusted Advisor, an AWS service that inspects your account against a set of best-practice checks. Its S3 Bucket Permissions check lists every bucket with open access permissions, and its notifications can alert you as soon as one appears.
10. Use an open source tool.
Kromtech’s S3 Inspector is available free of charge on GitHub, https://github.com/kromtech/s3-inspector, and can be used to check all of your buckets for public access and report which ones are exposed.
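The check behind points 2, 9 and 10 is simple enough to write yourself; here it is as an added example, not the post’s code and not S3 Inspector’s. A bucket is public when its ACL grants anything to the `AllUsers` or `AuthenticatedUsers` groups, or when its bucket policy has an Allow statement whose principal is `*`. The inputs are in the shape that boto3’s `get_bucket_acl()` and `get_bucket_policy()` return, so the same functions run on live data; the bucket names, canonical ID and policies below are constructed.

```python
"""Report S3 buckets whose ACL or bucket policy grants public access.

Added example, not from the original post. ACL input is the dict that
boto3 get_bucket_acl() returns; policy input is the JSON string found under
the "Policy" key of get_bucket_policy(). Sample data is constructed.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

# Constructed sample buckets. The canonical ID is a placeholder.
OWNER = {"DisplayName": "acme-owner", "ID": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [OWNER_GRANT]}
LEAKY_ACL = {"Owner": OWNER, "Grants": [
    OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-backups/*"}],
})


def _as_list(value):
    """IAM accepts a single string or a list in Action/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """(group description, permission) for each grant to a public group."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return out


def _principal_is_everyone(principal):
    """True for Principal "*" and for {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_json):
    """Allow statements open to everyone. Statements carrying a Condition are
    marked so a human reads them: a condition may narrow the grant, or not."""
    if not policy_json:
        return []
    doc = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    out = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        out.append({"sid": stmt.get("Sid", "<no sid>"),
                    "actions": _as_list(stmt.get("Action")),
                    "conditional": "Condition" in stmt})
    return out


def audit_bucket(name, acl, policy_json=None):
    """Human-readable findings for one bucket; empty list means not public."""
    findings = []
    for group, permission in public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {permission} to {group}")
    for s in public_policy_statements(policy_json):
        note = " (has a Condition; review it)" if s["conditional"] else ""
        findings.append(f"{name}: policy statement {s['sid']} allows "
                        f"{', '.join(s['actions'])} to everyone{note}")
    return findings


if __name__ == "__main__":
    print(audit_bucket("acme-reports", PRIVATE_ACL))
    print(audit_bucket("acme-backups", LEAKY_ACL, LEAKY_POLICY))
```

To run it across an account, iterate `s3.list_buckets()["Buckets"]`, call `s3.get_bucket_acl(Bucket=name)` and `s3.get_bucket_policy(Bucket=name)["Policy"]` for each, and catch the `NoSuchBucketPolicy` error that boto3 raises for buckets without a policy (pass `None` in that case). Object ACLs can also be public on an otherwise private bucket, so a complete audit walks objects too, or simply sets the bucket’s public access block so that public object ACLs are ignored.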
11. Use more than one AWS account.
One pattern to enforce segregation of duties is the AWS Bastion account. For instance, Coinbase has applied this pattern and defines it as follows…
“A bastion account stores only IAM resources providing a central, isolated account. Users in the bastion account can access the resources in other accounts by assuming IAM roles into those accounts. These roles are set up to trust the bastion account to manage who is allowed to assume them and under what conditions they can be assumed, e.g. using temporary credentials with MFA.”
12. Follow Best Practices
When in doubt, follow well understood best practices, such as:
- CIS AWS Foundations Benchmark — a set of security configuration best practices for AWS
- PCI DSS Compliance (cardholder data specific)
These dozen measures go a long way toward preventing data leaks and keeping your sensitive data out of the wrong hands.
Cloud storage protection takes little effort and has outsized impact. Once you have closed this gap, you can turn to safeguarding against the rest of the modern threat landscape:
- Ransomware. WannaCry took advantage of out-of-date Windows machines, or machines whose owners had disabled automatic security updates. By default, AWS blocks inbound access to the Windows SMB server ports. Once again, it is your responsibility to follow security best practices — https://aws.amazon.com/security/security-bulletins/AWS-2017-006/
- Administrator accounts protected by a single factor are vulnerable (Deloitte). Implement Two-Factor Authentication (2FA) at a minimum, preferably with a Time-based One-Time Password (TOTP) app such as Google Authenticator — https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/
- Exposed cloud infrastructure will be used to mine cryptocurrencies — https://www.theregister.co.uk/2017/10/17/cryptocoin_miners_turning_up_on_unprotected_cloud_instances/
- Patch your software with critical bug fixes. (Equifax) — https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/
- Big data creates a large target. (Yahoo…3 BILLION accounts breached!) — http://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html
Irresponsible cloud configurations cause most S3 “cloud leaks”. As this post shows, proactive, preventive, and prescriptive actions let you clear the low-hanging fruit and move your focus to the genuinely complex security threats.
Update: Two days after this post went live, AWS announced five new S3 encryption & security features:
- Default Encryption
- Permission Checks
- Cross-Region Replication ACL Overwrite
- Cross-Region Replication with KMS
- Detailed Inventory Report
Check out Jeff Barr’s post for the details — https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/