Under New (Mis)Management: How Cloud Storage Gets Hacked

Businesses are increasingly moving to the cloud, and for good reason. With a cloud deployment, the organization does not have to host its own resources and only pays for the resources it needs (and can often lease more when needed to handle sudden surges in demand). Responsibility for maintaining the services lies with the cloud service provider (CSP) and is enforced by a Service Level Agreement (SLA). The cloud provides convenience and scalability for any organization.

The dark side of the cloud is the complexity of securing it. Many organizations have a perimeter-focused security strategy, and the cloud is outside of that perimeter. As a result, there is a need for new techniques for securing the cloud and for cloud security solutions specifically designed to operate in that environment.

Another major issue when dealing with cloud security is the fact that it is an environment that differs from what people are used to. While it may be perfectly acceptable to leave a file or database unsecured within the corporate network (since the organization’s defenses ensure that only authorized users can access the network), the same is not true of the cloud. As a result, many organizations have experienced data breaches caused by mismanaged security permissions.

Permissions in the Cloud

The cloud is designed to be easily accessible. Since it’s hosted by an external service provider, it’s equally easy to access from inside and outside the organization, unlike on-prem solutions where remote or telecommuting employees need to configure and use a VPN in order to access it. As the workforce becomes increasingly global and distributed, accessibility is key to usability. However, resources that are easily accessible to legitimate users may also be accessible to unauthorized ones. One of the most common ways that data stored in the cloud is leaked in a breach is by misconfigured security settings.

Most cloud storage solutions have two main privacy options: private and public. In private mode, you need to explicitly invite every single person who is supposed to have access. This can be a major inconvenience, but it decreases the probability of someone unauthorized gaining access.

The other permissions option is public, which means that anyone who knows how to find the cloud data store can access it. This option may appear to have a level of “security through obscurity” since you wouldn’t expect a random hacker to be able to guess the URL of your Amazon S3 bucket. However, tools exist for scanning for these repositories, making it possible for hackers to find and breach these datasets.

Cloud Storage “Hacks”

Unsurprisingly, many of the big breaches of data stored on the cloud involved repositories with public security settings. In many cases, it’s difficult to tell if the data has ever really been “breached,” since it was discovered and reported by ethical hackers proactively scanning for vulnerable cloud deployments. Still, the fact that data was left in a location where it could have been exposed is bad enough, whether or not it ever actually was.

You may think that only organizations with a limited amount of cybersecurity know-how at their disposal would make the mistake of putting sensitive data in a public cloud data storage repository. However, some of the worst stories come from the US federal government and the contractors that work with them.

In 2017, a large trove of data on American voters was found on an exposed cloud deployment owned by Deep Root Analytics (a firm that does data analytics for the Republican Party). The size of the breached dataset (records on 198 million voters) is bad enough. However, the problem is made worse by the data itself. Collected (and potentially breached) data included standard PII (name, address, date of birth, and phone number) but also included information designed to “profile” the voter including ethnicity, religious affiliation, etc. This data is useful for targeting political ads, but would also be a treasure trove to hackers designing spear phishing scams.

Another story of inappropriately exposed data comes courtesy of the US military. In late 2017, an archive of intelligence data collected from public data sources (social media, etc.) was found in an exposed Amazon S3 bucket. The collected data appeared to be from an operation to monitor foreign youth and manipulate them away from becoming terrorists. No attempt was made to conceal the ownership of the data, with filenames containing the abbreviations for US Central Command (CENTCOM) and Pacific Command (PACOM). While the programs that collected this data were not secret, exposure of terabytes of the collected data and associated metadata is still a significant security leak.

Keeping Your Data Secure

Cloud storage providers like Amazon have been taking significant steps to cut down on the amount of sensitive data exposed in public cloud deployments. They provide tools for scanning for misconfigured security settings, set deployments to private by default, and show users clear visual cues when settings are not configured securely. However, organizations keep misconfiguring permissions, and ethical hackers keep finding and reporting vulnerable data stores.
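The “public” setting described above and the scanning the providers now offer can be checked in code. The example below is added here and is not from the article or from Amazon: it inspects an S3 bucket ACL and bucket policy, in the shapes the S3 API returns, for grants to the global AllUsers/AuthenticatedUsers groups or to a wildcard principal. The sample ACL, policy, account id, role and bucket name are constructed.

```python
import json

# Constructed sample inputs (not from the article), shaped like the S3 API's
# get-bucket-acl and get-bucket-policy output, each with one public grant.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
]})

def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def acl_public_grants(acl):
    """(permission, group URI) for each ACL grant to a global group."""
    return [(g["Permission"], g["Grantee"]["URI"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def policy_public_actions(policy_json):
    """Actions an unconditioned Allow statement grants to a wildcard principal."""
    actions = []
    for stmt in json.loads(policy_json).get("Statement", []):
        # Deny statements and conditioned grants need human review; not reported as public here.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if is_wildcard_principal(stmt.get("Principal")):
            acts = stmt.get("Action", [])
            actions.extend([acts] if isinstance(acts, str) else acts)
    return actions

def bucket_is_public(acl, policy_json):
    """Alert condition: any public ACL grant or public policy action. S3 Block Public
    Access, if enabled on the account or bucket, overrides both; check it separately."""
    return bool(acl_public_grants(acl) or policy_public_actions(policy_json))
```

Run against real buckets, the ACL and policy would come from the S3 API, and the output feeds a ticket or alert rather than an automatic fix.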

When dealing with the cloud, it’s important to understand that the increased accessibility and convenience compared to on-prem deployments also makes it a target. Deploying a cloud security solution to protect cloud-hosted applications and a data management solution to identify and protect potentially vulnerable data stores are essential steps in avoiding a cloud-related cybersecurity incident.