With a spate of Amazon S3 data repository breaches making the news recently, we look at why this is and what companies need to do to protect themselves now and into the future, particularly as the European General Data Protection Regulation becomes enforceable next year.
You need only put the phrase ‘Amazon S3 data breach’ into Google’s search engine and see the masses of news resulting from these unfortunate incidents. Two of the most recent include a patient home monitoring company who uses the Amazon cloud to store patient data and tech company Accenture that supports many of the world’s top companies.
In the first instance, Kromtech Security Center researchers came across nearly 50GB worth of unsecured data containing personal details of patients on an Amazon S3 bucket. The second concerning Accenture could have been a potentially huge disaster for the company if not for a researcher who surreptitiously pointed out the gaff, which was then promptly fixed. It involved four Accenture servers being hosted on Amazon’s S3 storage service – data stored on these servers included private signing keys and plaintext passwords. For those in the business: the literal keys to „Accenture’s kingdom.“
As stories like these are becoming mainstream, companies need to know that first and foremost, encrypting the data is of vital importance, but only if the encryption keys are stored separately from that data. This cannot be stressed enough. In order to completely and comprehensively meet compliance requirements, such as those laid out in the forthcoming EU General Data Protection Regulation (GDPR), the organization as the data controller must keep this control over their own data – and not leave it up to the cloud provider.
This is an exemplification of security by separation – you simply do not store your keys to the kingdom on the cloud service where your most sensitive data also resides. It’s like leaving your keys and wallet in your brand-new car with the engine running, allowing any opportunist to walk up and drive away with all your things. Authorities are going to have very little sympathy for someone who does that, just as regulators are going to have to consider the circumstances when issuing data breach fines.
Companies using the Amazon cloud service for data storage cannot afford to bury their heads in the sand any longer, assuming security is a given. In fact, it’s quite the opposite – Amazon S3 buckets can easily be set to "public by default" - and this setting can easily be forgotten. Companies should frequently review such settings and ensure that basic configuration settings are not unintentionally or carelessly altered. Then, take it further: encrypt the data and keep the keys close to the chest, and away from the cloud.