The misconfiguration of Amazon Web Services' (AWS) S3 (Amazon Simple Storage Service) buckets is a very common yet major error that can lead to the public exposure of large volumes of often highly sensitive (and sometimes classified) data stored in a virtual environment. This isn't a hack - it's an internal IT infrastructure error that can leave data unprotected and available to anyone online.
Most recently, cloud security firm UpGuard reported the unprotected data and software of a Defense Department contractor - a more technical and detailed overview of the documents can be found in their blog post. The software was for a cloud-based intelligence distribution platform known as Red Disk, developed to deliver intel to troops in the field, according to Ars Technica. It was never fully deployed.
While the files couldn't be accessed without connecting to Pentagon systems, the data found on the virtual drive was highly sensitive, some of it classified and related to national security. The data also included private keys and hashed passwords for access to distributed intelligence systems, belonging to the admins of the federal agency's third-party contractor, as reported by Threatpost.
While UpGuard claims the immediate solution would be to update the S3 bucket's permission settings to only allow access to authorized admins, they also question how government agencies can keep track of their data security.
But this is clearly not just an issue for the federal government - as other exposures of sensitive data online via S3 buckets have shown, affecting major mobile carriers, an entertainment company, a cable television provider, and so on. In September, I listed examples of half a dozen incidents that resulted in the exposure of cloud data in Securing Access to Data Stored in Amazon S3 Buckets.
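The permission fix described above starts with knowing whether a bucket is exposed at all. As an added example (not code from the original post or from UpGuard), the audit below walks a bucket ACL and bucket policy in the JSON shapes the S3 API returns and flags grants to the AllUsers/AuthenticatedUsers groups and unconditioned Allow statements for a wildcard principal; the bucket name, account ID and role name are constructed placeholders.

```python
import json

# Real S3 group URIs that make a bucket readable by anyone on the internet
# (AllUsers) or by any AWS account holder (AuthenticatedUsers).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def _principal_is_wildcard(principal):
    """True if a bucket-policy Principal matches every caller ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_bucket(acl, policy):
    """Return findings describing anonymous or any-account access.
    acl: dict shaped like a GetBucketAcl response; policy: parsed bucket policy or None."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GRANTEES[uri]}")
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # A Condition block may narrow the grant, so only unconditioned wildcards are flagged.
        if _principal_is_wildcard(stmt.get("Principal")) and not stmt.get("Condition"):
            actions = stmt.get("Action")
            actions = [actions] if isinstance(actions, str) else actions
            findings.append(f"Policy allows {', '.join(actions)} to any principal")
    return findings

# Constructed sample: the kind of misconfiguration the post describes ...
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}
EXPOSED_ACL = {"Grants": [OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
EXPOSED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-contractor-bucket/*"}]}""")

# ... and its corrected form: owner-only ACL, policy limited to a named admin role (placeholder ARN).
LOCKED_ACL = {"Grants": [OWNER_GRANT]}
LOCKED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/contractor-admin"},
   "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-contractor-bucket/*"}]}""")

if __name__ == "__main__":
    for name, acl, pol in (("exposed", EXPOSED_ACL, EXPOSED_POLICY), ("locked", LOCKED_ACL, LOCKED_POLICY)):
        print(name, audit_bucket(acl, pol) or ["no public access found"])
```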
A New Approach to Enterprise Security
These incidents demonstrate that gaining insight and control over how contractors access, maintain and house your data is essential to reduce the risk of data exposure. While this can be quite difficult for large organizations that often work either tangentially or closely with hundreds of contractors, keeping track of how sensitive (especially classified) data is accessed, and by whom and by what, should be the first priority.
Enrolling your users and endpoints (devices like laptops, smartphones, PCs, etc.) into inventories; identifying endpoints as trusted using digital certificates and creating access policies based on the authenticated combination of user and endpoint are all steps to take in establishing a new framework for enterprise security, known as BeyondCorp.
Developed by Google, BeyondCorp allows an organization to enforce the same security policies regardless of the location of the user, device or application. It's a zero-trust security model that verifies the trust of both the user and the device before granting access to applications and data. This model can also address risks posed by external, cloud-based applications that face attacks falling outside traditional enterprise perimeter protections. While not a replacement for those traditional protections, it is a necessary enhancement.
Learn more about the security philosophy of BeyondCorp in Moving Beyond the Perimeter: Part 1, and how to implement the principles in your organization using Duo Beyond in Moving Beyond the Perimeter: Part 2.