The RNC Leak Could Happen to You. It Probably Already Has.

Cloud security has been a hot topic recently. Over the past few months we have seen a variety of malware, ransomware, and other types of malicious attacks on public clouds. These have been examples of hackers taking deliberate, premeditated action to find and exploit private data. These are bad guys acting in a criminal way, and all effort needs to be made to stop them. Yet, as the recent Republican National Committee (RNC) data exposure issue demonstrates, criminal intent is not the only way that organizations are vulnerable.

Poor security policies, bad internal governance, and lack of attention can lead to disastrous outcomes for cloud users and their customers. Until continuous cloud security is treated as a mission critical discipline, organizations will continue to be at major risk.

In reading the details of the RNC case, it’s easy to roll your eyes and think, “Boy, how stupid are those guys?” Ah, there but for the grace of continuous security go I. The facts are these: the RNC stored a terabyte of personal information on 198 million voters on an Amazon Web Services (AWS) server owned and managed by the Republican data and analytics firm Deep Root Analytics. The data was personal information on almost all of the registered voters in the U.S., and it was publicly accessible because of a misconfiguration: it was held in an AWS S3 bucket that had no access protections. Essentially, the database was accessible to anyone with an internet connection.

Keep in mind, this wasn’t a hack. No malware was deployed. No ransom demands were made. As far as we know, no damage has resulted from this, other than a major black eye for the RNC (I’m guessing yesterday was tense in the Democratic National Committee’s IT department as they scrambled to ensure their own environment was protected). The issue for the RNC is that there are a lot of what-if scenarios, and none of them are good. Yet, as they trace the root of the problem, they’ll find that configuring that database correctly is a relatively easy task. Somehow it was missed, or some changes to Deep Root’s environment were made that rendered their data vulnerable without their awareness. But this is one of those moments where you kind of want to say, “You had ONE job.” It may have merely been an oversight, but it’s now on the front pages of newspapers across the globe.

Fault will be assessed and fingers will be pointed; it’s a big issue and one that lends itself to the narrative of an already tense political environment. This is happening with almost all cloud customers, too: there’s some hole in their environment. Some can be exploited through sophisticated malware, while others are simply open to anyone searching for misconfigured data sources. Much of the data potentially at risk is not terribly valuable, at least not without some context. But once someone is inside your house, so to speak, they essentially have carte blanche to take your stuff.

This highlights that security is not a one-and-done proposition. Enterprises need both a security-first culture among their stakeholders and continuous, automated monitoring that secures their environment. The RNC is at fault for two big mistakes:

  1. Lack of continuous and automated security and compliance monitoring, coupled with remediation steps and processes.
  2. Poor security policy definition and enforcement. The RNC team surely has some level of security governance, but “intent to secure” isn’t enough.

These are table stakes at this point. Even without bad actors trying to bully their way into your infrastructure, when data is this available it’s vulnerable to simple mistakes and unintended actions. An unauthorized but well-meaning actor could inadvertently delete, change, or even duplicate files and share them outside the intended group of users.

Enterprises need to start with the basics: instill a culture of security among stakeholders, require complex passwords and multi-factor authentication, secure all layers of the cloud stack, ensure continuous security and compliance monitoring, and prepare for automated remediation. A compliance roadmap is especially critical (even mandatory) for government agencies and those working in government-related environments. Most importantly, however, IT and DevOps teams should be constantly monitoring and auditing the different parts of their internal operations to determine where vulnerabilities tend to happen, and employ strict and fast remediation policies to fix issues and ensure they don’t happen again.
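As an added example (not from the original post, and not Deep Root’s or the RNC’s tooling), here is the kind of check a continuous-monitoring job would run against every bucket: it inspects an S3 bucket’s ACL and bucket policy for grants to everyone, which is the misconfiguration behind this exposure. It runs offline on constructed sample inputs shaped like the dicts boto3’s `get_bucket_acl()` and `get_bucket_policy()` return; the bucket name and owner id are placeholders.

```python
import json
# Group URIs AWS uses for "everyone" and "any AWS account" in S3 ACLs.
PUBLIC_GROUP_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def acl_public_grants(acl):
    """(group, permission) pairs an ACL hands to AllUsers/AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):  # dict shape of boto3 get_bucket_acl()
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found

def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_public_statements(policy_json):
    """(Sid, actions, has_condition) for Allow statements open to any principal.
    A Condition block may narrow the grant, so those are returned for review."""
    stmts = json.loads(policy_json).get("Statement", [])
    found = []
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal")):
            actions = s.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            found.append((s.get("Sid", "<no Sid>"), actions, "Condition" in s))
    return found

def bucket_is_public(acl, policy_json=None):
    """Verdict a continuous-monitoring job would alert and remediate on."""
    if acl_public_grants(acl):
        return True
    return bool(policy_json) and any(
        not cond for _, _, cond in policy_public_statements(policy_json))

# Constructed samples (placeholder ids, not a real bucket): a world-readable
# ACL and a policy that lets any principal fetch objects.
WORLD_READABLE_ACL = {"Owner": {"ID": "owner-placeholder"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

In a real job the two inputs come from `get_bucket_acl()` and `get_bucket_policy()["Policy"]` for each bucket, and a `True` verdict should page someone and trigger remediation rather than sit in a report.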

Government organizations and those working with the government have the highest responsibility to enforce continuous security and compliance monitoring, as they have an obligation to protect their citizens’ data. They need a mechanism and platform that ensures protection is always operating at the necessary level.