THERE’S A SEEMINGLY never-ending stream of incidents in which data stored in the cloud turns out to have been exposed to the open internet for weeks. Or months. Or years. These leaks aren’t necessarily related to targeted attacks or breaches, but they are dangerous exposures that stem from small setup mistakes. Maybe sensitive information wound up in a cloud repository where it didn’t belong. Or data was stored in the cloud so anyone could access it without authentication controls. Or someone never changed a default password. Now, as part of a broader slew of cloud security announcements, Google Cloud Platform will offer a potential solution to the chronic problem of misconfigured cloud buckets.
The stakes are high. Data exposures stemming from misconfigurations endanger millions of records, and the gaffes don’t discriminate—any data can end up at risk. In just one memorable incident last year, a political analytics firm called Deep Root accidentally leaked personal information for 198 million United States voters, including names, addresses, and party affiliations.
Partly because of its widespread popularity, Amazon Web Services’ Simple Storage Service (S3) is where many high-profile data exposures—like those at Accenture, WWE, and Booz Allen—originated, through misconfigured buckets. But Google’s cloud customers have suffered leaks as well, like misconfigurations that led to leaks in Google Groups. To combat those slips, the platform is adding visibility tools through a new feature, still in alpha testing, called Cloud Security Command Center. The idea is to take stock of all of a customer’s cloud components—big organizations can have a sprawling assortment of cloud infrastructure, apps, and repositories—and offer vulnerability scanning, automated checks for potentially sensitive information, and prompts about assets that are publicly accessible, all in one place.
“Users can quickly understand the number of projects they have, what resources are deployed, where sensitive data is located, and how firewall rules are configured,” says Jennifer Lin, director of product management at Google. “Security teams can determine things like whether a cloud storage bucket is open to the internet or contains personally identifiable information.”
Cloud providers ultimately can’t control how customers configure their infrastructure, so new security features increasingly focus on flagging and transparency tools. Cloud Security Command Center should help customers understand the practical implications of their chosen settings—many misconfigurations stem from situations where a bucket or system originally set up only for internal use is later converted to be accessible online. In these situations, settings that didn’t matter initially are suddenly crucial to security, but administrators don’t necessarily remember, or have the resources, to go back and make the appropriate adjustments.
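As an added illustration of the “open to the internet” check described above (example code written for this page, not Google’s Cloud Security Command Center), the script below flags buckets whose IAM policy or legacy ACL grants access to allUsers or allAuthenticatedUsers. The policy and ACL documents use the JSON shapes the Cloud Storage API returns; the bucket names, group address, and policy contents are constructed for the example.

```python
"""Flag Google Cloud Storage buckets that are readable by everyone on the
internet (allUsers) or by anyone with a Google account (allAuthenticatedUsers).

Policies follow the JSON shapes returned by buckets.getIamPolicy and
bucketAccessControls.list. All sample data below is constructed, not real."""

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_iam_bindings(policy):
    """Return (role, principal) pairs in an IAM policy that expose the bucket."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member))
    return findings


def public_acl_entries(acl_items):
    """Return (role, entity) pairs in a legacy bucket ACL that expose the bucket."""
    return [(item["role"], item["entity"]) for item in acl_items
            if item.get("entity") in PUBLIC_PRINCIPALS]


def audit_buckets(buckets):
    """buckets: name -> {"iam": policy, "acl": acl_items}.
    Returns exposed bucket name -> list of human-readable findings."""
    report = {}
    for name, cfg in buckets.items():
        findings = [f"IAM {role} granted to {who}"
                    for role, who in public_iam_bindings(cfg.get("iam", {}))]
        findings += [f"ACL {role} granted to {who}"
                     for role, who in public_acl_entries(cfg.get("acl", []))]
        if findings:
            report[name] = findings
    return report


# Constructed sample: one bucket kept internal, one later opened for public reads.
SAMPLE_BUCKETS = {
    "internal-reports": {
        "iam": {"bindings": [{"role": "roles/storage.objectViewer",
                              "members": ["group:analysts@example.com"]}]},
        "acl": [{"entity": "project-owners-123456", "role": "OWNER"}],
    },
    "marketing-site-assets": {
        "iam": {"bindings": [{"role": "roles/storage.objectViewer",
                              "members": ["allUsers"]}]},
        "acl": [{"entity": "allAuthenticatedUsers", "role": "READER"}],
    },
}

if __name__ == "__main__":
    for bucket, lines in audit_buckets(SAMPLE_BUCKETS).items():
        print(bucket, *("  - " + line for line in lines), sep="\n")
```

In a real audit the two dictionaries would be filled from the API responses for every bucket in every project, which is the inventory step the article says large organizations struggle with.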