Amazon S3 bucket security is responsibility of users, says exec


Recently security researchers have discovered a number of misconfigured Amazon AWS S3 storage buckets that may have exposed personal information of millions of people to threat actors.

These incidents include a repository created by an Israeli partner of Verizon Communications with subscriber information on at least 6 million U.S.-based customers of the telecom provider, thousands of resumes of U.S. military and intelligence contractors left unsecured on an Amazon server, data of four million Time Warner Cable customers in the U.S. left exposed by a contractor and at least 2.2 million Dow Jones news customers.

But an Amazon executive says the incidents are the fault of users, not the provider. “I don’t see it as a problem,” Jeffrey Kratz, general manager for Amazon’s public-sector users in Canada, Latin America and the Caribbean, said in an interview in Toronto on Monday.

“In S3 and others (Amazon services), data is always protected by default and it is absolutely secure. If the customer uses the default configuration, it’s locked down, it’s protected. It’s just the account owner and the administrator that has access to it. But we also know customers want the flexibility to change those defaults … That flexibility comes with responsibility.”

Amazon offers a number of online white papers with advice on how to securely set up services, he said, including encouraging customers to encrypt all data uploaded to the cloud. Some Amazon services also include security prompts. For example, anyone using Amazon’s EC2 elastic server cloud services is prompted three times through the setup on creating security policies to prevent a server from being publicly exposed on the broad Internet.

In addition, in August Amazon released Macie, a managed security service customers can subscribe to that discovers, classifies and protects sensitive data stored on AWS. Macie “generates fairly sophisticated and detailed alerts when it detects there is a risk for unauthorized access or inadvertent data leaks that are out there,” Kratz said. And three years ago the company released CloudTrail, which allows customers to audit access to different operations of AWS, and CloudHSM, allowing infosec pros to manage their own encryption keys using FIPS 140-2 Level 3 validated hardware security modules.

“So our focus is to provide not only our services which are secure by default,” Kratz said, but also give application builders freedom to change them.

According to Skyhigh Networks, a cloud access security broker, the average enterprise uses 50 S3 buckets. Of these, it believes seven per cent provide unrestricted public access. In addition 35 per cent of all S3 buckets are unencrypted.
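The two figures above (public access and missing encryption) are both visible in a bucket's own configuration. As an added example that is not code from the article, Amazon or Skyhigh Networks, the audit below flags both; it reads the JSON shapes returned by the S3 GetBucketAcl, GetBucketPolicy and GetBucketEncryption APIs, and the sample buckets at the bottom are constructed.

```python
# Added example (not from the article, Amazon or Skyhigh Networks). It works on
# the JSON shapes the S3 GetBucketAcl / GetBucketPolicy / GetBucketEncryption
# APIs return, so live output can be fed in; the inputs below are constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}  # anyone / any AWS account holder

def public_acl_grants(acl):
    """Permissions the ACL grants to everyone or to every AWS account holder."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def _is_wildcard(principal):
    # Principal may be "*", {"AWS": "*"} or {"AWS": [..., "*"]}.
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal)

def public_policy_actions(policy):
    """Actions that condition-free Allow statements grant to a wildcard principal.
    Statements carrying a Condition block are skipped (a simplification: conditions
    such as aws:SourceVpc usually make them non-public)."""
    found = []
    for st in policy.get("Statement", []):
        if (st.get("Effect") == "Allow" and _is_wildcard(st.get("Principal") or [])
                and "Condition" not in st):
            actions = st.get("Action", [])
            found.extend([actions] if isinstance(actions, str) else actions)
    return found

def audit_bucket(name, acl, policy=None, encryption=None):
    """Summarise one bucket: public ACL grants, public policy actions, SSE state."""
    return {"bucket": name,
            "public_acl": public_acl_grants(acl),
            "public_policy": public_policy_actions(policy or {}),
            "default_encryption": bool(encryption and encryption.get("Rules"))}

# Constructed samples: one bucket left open, one at the locked-down default.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
OPEN_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
OPEN_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::example-bucket/*"}]}
LOCKED_ACL = {"Grants": [OWNER]}
SSE = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
```

Run against real buckets, the same functions take the `boto3` client responses directly; a bucket whose `public_acl` or `public_policy` list is non-empty is one of the "unrestricted public access" cases the Skyhigh figure counts.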

Kratz was in the city appearing on a panel on disruptive technologies at the Toronto Global Forum.

In the interview Kratz also talked about an agreement he signed last week with the 35-member Organization of American States (OAS) promoting Amazon’s services to the public sector, including governments, schools and non-profits, to advance the adoption of cyber security best practices using cloud technologies.

Amazon’s Jeffrey Kratz, left, with OAS Secretary General Almagro signing the agreement (Amazon photo)

As part of the promise to share AWS best practices with the public sector, Amazon will extend a pilot project in Argentina and Chile of staging two-day detailed workshops for CISOs or IT managers. That workshop will shortly be offered here, in Ottawa, Vancouver and Toronto.

Another part of the pact is holding separate workshops for Amazon partners on best practices for securely building applications and services for the public and private sector. One workshop will be held shortly in Toronto.

This month Amazon is also adding a cyber security module to its AWS Educate program for universities and colleges. The program provides free content, coursework and free usage of AWS to students and faculty. Thirty Canadian institutes already participate.

“The OAS partnership is more than Webinars and training,” Kratz said. “It’s really geared towards government having the tools and knowledge and insights that 11 and a half years (of Amazon) of doing business in this space has generated, to have the partner community understand as they develop new lines of business, the talent coming out of the educational system while continuing to listen to our customers as we look at what they need as they continue their cloud journey.”

Security is “absolutely” one of the reasons governments hesitate to move workloads to the cloud, Kratz acknowledged. “They’re used to on-premise scenarios. Moving to commercial cloud services, even in-country, takes some learning.”

Another reason is procurement policies that have to deal with cloud service providers cutting prices of their services. And, he added, some “don’t want to be the first one out there.” These reasons are partly why Amazon wanted the OAS agreement.

In an email, Forrester Research security analyst Andras Cser said infosec pros still make a number of mistakes when dealing with the public cloud. These include

–not automating security controls, such as file integrity monitoring, patching, and host-based intrusion detection/prevention;

–not thinking of container security. “Containers are different from the security perspective and require good management of privileged credentials,” he wrote;

–not monitoring workloads using APIs. “AWS is not your legacy data centre,” Cser wrote. “Hackers can set up and run new instances with your corporate data in no time;”

–and not being careful with network interconnect. “Legacy technologies and equipment don’t work here. New ways of firewalling traffic into AWS (especially from the Internet) are a must here.”

By coincidence at last week’s infosec conference of the Ontario branch of the Municipal Information Systems Association (MISA), Amazon partner Scalar Decisions gave a presentation on security concerns for cloud computing.

“One thing we see a lot is people trying to come up with a new strategy or new security program or posture when it comes to the cloud,” said Theo van Wyk, the solution provider’s chief security architect. “This is an unnatural act. You have to build this as an extension of your current security programs and platforms. It might be slightly different, but it has to be an extension so that you don’t end up with two separate policies or procedures. It has to integrate.”

WORRIED about AWS S3 security? This blog has some tips for users and infosec pros, including never assuming S3 bucket names are invisible or un-guessable. There’s also this guide to securing S3 buckets from Trend Micro.
