When organizations decide to move their data to the cloud, many assume that the responsibility for securing that data moves with it, to the cloud provider. On the surface, this assumption isn’t entirely unreasonable. After all, by transferring sensitive information into a third-party environment, a certain degree of control over where it’s stored and how it’s protected is lost. However, in reality this isn’t the case.
For example, Amazon Web Services (AWS) is one of the leading providers of on-demand cloud services, with more than a million customers worldwide. When it comes to data security, AWS, like most providers, operates a Shared Security Responsibility model. This means that it assures certain layers of infrastructure and software security, but the customer is ultimately responsible for how data is used and accessed.
Unlike on-site systems, which have a hierarchical structure and a perimeter network that scrubs and analyses data being transmitted, AWS makes it possible for every instance to communicate with the internet in the event of a misconfiguration or insufficient security settings. This exposed application structure requires companies to strengthen existing security controls. This includes continuously updating security configurations with sufficient and dynamic patching, strong firewall configurations, proper network security implementations and – most importantly – monitoring of the AWS security settings.
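The "strong firewall configurations" and "monitoring of the AWS security settings" above translate, in practice, into periodically checking which security-group rules let the whole internet reach an instance. The audit below is an added example, not code from the article or from AWS: it reads the JSON shape that `ec2.describe_security_groups()` returns for each group and flags ingress rules open to `0.0.0.0/0` or `::/0` on anything other than an accepted public port. The sample groups are constructed, and the accepted-port set and group ids are assumptions.

```python
"""Audit EC2 security-group ingress rules for internet-wide exposure.

Added example, not from the article or from AWS.  It works on the JSON shape
that `ec2.describe_security_groups()` returns for each group, so it runs
offline on the constructed groups below; feeding it live output is assumed.
"""
from typing import Dict, List

# Ports an organisation might deliberately expose to the internet (a public
# web front end).  Anything else reachable from 0.0.0.0/0 or ::/0 is a finding.
PUBLIC_OK_PORTS = {80, 443}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _open_sources(rule: Dict) -> List[str]:
    """Return the CIDR sources of one IpPermissions entry that mean 'anyone'."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def audit_security_group(group: Dict) -> List[str]:
    """One finding per ingress rule that the whole internet can reach on
    something other than the accepted public ports."""
    gid = group["GroupId"]
    findings = []
    for rule in group.get("IpPermissions", []):
        sources = _open_sources(rule)
        if not sources:
            continue  # only private or explicit sources: fine
        proto = rule.get("IpProtocol")
        if proto == "-1":  # "all traffic": no FromPort/ToPort in the record
            findings.append(f"{gid}: all protocols and ports open to {sources}")
            continue
        if proto not in ("tcp", "udp"):
            findings.append(f"{gid}: protocol {proto} open to {sources}")
            continue
        low, high = rule["FromPort"], rule["ToPort"]
        exposed = sorted(p for p in range(low, high + 1) if p not in PUBLIC_OK_PORTS)
        if exposed:
            span = f"{exposed[0]}" if len(exposed) == 1 else f"{exposed[0]}-{exposed[-1]}"
            findings.append(f"{gid}: {proto} port(s) {span} open to {sources}")
    return findings


def audit_all(groups: List[Dict]) -> Dict[str, List[str]]:
    """Map each group id to its findings (an empty list means clean)."""
    return {g["GroupId"]: audit_security_group(g) for g in groups}


# Constructed sample: a sensibly scoped web tier and a mis-scoped admin group.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-web-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-admin-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

if __name__ == "__main__":
    for gid, findings in audit_all(SAMPLE_GROUPS).items():
        print(gid, "clean" if not findings else "")
        for f in findings:
            print("  ", f)
```

Run on a schedule against live `describe_security_groups` output, a non-empty result for a group that was clean yesterday is exactly the kind of drift the article's "monitoring" point is about; the accepted-port set should be narrowed to whatever the environment actually serves.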
Unfortunately, despite providers like AWS providing ample information about the best practices for cloud security, the volume of AWS-related data leaks continues to grow. The main culprit? Human error on the customer’s end. In fact, Gartner predicts that, by 2020, 95% of cloud security incidents will be the customer’s fault.
In the last few months alone, high-profile AWS customers like World Wrestling Entertainment (WWE) and Verizon have exposed the personal information of millions of customers by accidentally misconfiguring their Amazon S3 cloud repositories. These incidents are not anomalies. Four years ago, security firm Rapid7 highlighted the problem in a survey of over 12,000 Amazon S3 buckets. This research found that almost one in six were left accessible to the public, exposing more than 126 billion files – many of which contained sensitive information.
Despite this growing volume of high-profile data exposures, the popularity of cloud services shows no sign of slowing down, and it’s easy to see why. The efficiencies and cost savings these services offer can’t be ignored. Not only do they make it incredibly easy to spin up new applications and storage instances, they allow organizations to be flexible with their processing power and storage needs. So, as cloud popularity continues to grow, what can be done to make sure data stored in it remains secure?
Many suggest that companies such as AWS can help by making their security services more user-friendly. A recent analysis by security firm Detectify found that AWS tools for assigning access permissions to S3 buckets and their contents are awkward and complex – especially at scale. When the difference between providing full control over a bucket and read-only access is the choice of one drop-down menu over another, it’s unsurprising that mistakes are commonplace.
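Since the mistake described above (FULL_CONTROL where READ was meant, or either granted to a public group) is easy to make in a menu, it is worth checking for mechanically. The script below is an added example, not code from the article, Detectify or AWS: it consumes the JSON shapes that `s3.get_bucket_acl()` and `s3.get_bucket_policy()` return, flags ACL grants to the AllUsers and AuthenticatedUsers groups with a severity that separates read-only exposure from full control, and flags bucket-policy statements whose Principal is the wildcard. The bucket names, owner id and policy documents are constructed.

```python
"""Flag S3 buckets exposed through their ACL or bucket policy.

Added example, not from the article, Detectify or AWS.  It reads the JSON
shapes that `s3.get_bucket_acl()` ("Grants") and `s3.get_bucket_policy()`
("Policy", a JSON string) return, so it runs offline on the constructed
buckets below; wiring it to live calls is an assumption left to the reader.
"""
import json
from typing import Dict, List, Optional

# The two ACL group grantees that mean "the public": everyone, or any AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# FULL_CONTROL is the one-menu-choice-too-far case: the grantee can read,
# write, and rewrite the ACL itself.  READ alone still leaks every object.
SEVERITY = {"FULL_CONTROL": "critical", "WRITE": "critical",
            "WRITE_ACP": "critical", "READ": "high", "READ_ACP": "medium"}


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def acl_findings(name: str, acl: Dict) -> List[str]:
    """One finding per ACL grant to a public group, tagged with its severity."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GRANTEES.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and who:
            perm = grant["Permission"]
            out.append(f"{name}: ACL grants {perm} to {who} [{SEVERITY.get(perm, 'high')}]")
    return out


def policy_findings(name: str, policy_json: Optional[str]) -> List[str]:
    """One finding per Allow statement whose Principal is the wildcard."""
    if not policy_json:
        return []
    out = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # A Condition (e.g. restricting to a VPC endpoint) may narrow the wildcard;
        # report it for review instead of calling it public outright.
        scope = "conditional, review" if stmt.get("Condition") else "unconditional"
        out.append(f"{name}: policy allows {', '.join(actions)} to Principal * ({scope})")
    return out


def audit_bucket(bucket: Dict) -> List[str]:
    """Combine ACL and policy findings for one bucket record."""
    name = bucket["Name"]
    return acl_findings(name, bucket["Acl"]) + policy_findings(name, bucket.get("Policy"))


OWNER = {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"}  # constructed
SAMPLE_BUCKETS = [
    {"Name": "private-backups",  # owner-only ACL, no policy: the correct state
     "Acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}},
    {"Name": "marketing-assets",  # public-read ACL and a public policy
     "Acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                        {"Grantee": {"Type": "Group",
                                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]},
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::marketing-assets/*"}]})},
    {"Name": "wrong-menu-choice",  # FULL_CONTROL handed to every AWS account
     "Acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                        {"Grantee": {"Type": "Group",
                                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
                         "Permission": "FULL_CONTROL"}]}},
]

if __name__ == "__main__":
    for b in SAMPLE_BUCKETS:
        print(b["Name"], audit_bucket(b) or "clean")
```

The severity split matters for triage: a READ grant to everyone is the Rapid7-style leak, while FULL_CONTROL or WRITE_ACP to a public group means anyone can also rewrite the bucket's permissions, so the latter should be fixed first. Conditional wildcard statements are reported for review rather than as exposures, since a Condition can legitimately restrict `Principal: "*"` to, for example, a single VPC endpoint.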