Brian Jackson - Fotolia
AWS S3 bucket security falls short at high-profile companies
Everyone is putting their data in the cloud, from IT staff to department heads. With functionality galore, basic security measures too often go unchecked.
Amazon Web Services takes unusual measures to prevent data from leaving its data centers, estimated to house between 50,000 to 80,000 servers. Physical hard drives are shredded, hole-punched, totally destroyed. Google follows a similar practice.
"Humans and data don't mix," said Stephen Schmidt, the CISO for AWS, during the company's Security State of the Union summit last November. "Keep the people away from the data."
While those tactics may sound extreme to many companies, human error has taken its toll, leading to high-profile data leaks in the cloud, chiefly with AWS S3 security. Instead of developers using Amazon's internet cloud storage, untrained IT staff and business personnel are depositing data in the cloud.
"We tend to think about misconfigurations and AWS buckets as being something a very skilled IT professional has done, when no, that's not the case," said Mounir Hahad, head of threat research at Juniper Networks Inc. in Sunnyvale, Calif. "Very often, a group that has no relationship with security went ahead and created something because it was an easier and faster way to transfer data. The next thing you know, the whole network is open to the world, and the data is leaked."
Financial publisher Dow Jones & Co., owned by News Corp., confirmed reports in July 2017 that the company may have publicly exposed personal and financial information of 2.2 million customers, including subscribers to The Wall Street Journal and Barron's. The leak was traced back to a configuration error in a repository in AWS S3 security. Dow Jones had intended to follow a policy to provide "semi-public access" to select customers over the internet. However, access to download the data via a URL was granted to "authenticated users," which unfortunately included anyone who registered (for free) for an AWS account.
Accenture, Verizon, Viacom, Tesla and Uber Technologies are just some of the high-profile names in the steady stream of companies that have exposed sensitive information via AWS S3 security misconfigurations. Some users forget to set up AWS S3 bucket password protection; others don't understand basic features in Amazon such as resource-based access policies (access control lists, or ACLs) or bucket permissions checks and unwittingly expose data to the public internet.
Customers have their choice of security configurations in the cloud, but Amazon is also taking steps to help IT security teams enforce behavior through tooling.
In November, the company updated its AWS dashboard, encasing public in bright orange on the AWS S3 console so that cloud customers could easily see the status of access permissions to S3 buckets and their objects. "We want to make it super obvious when your S3 bucket is open to the public," Schmidt said.
The company added default encryption to all objects when they are stored in an AWS S3 bucket and ACLs for cross-region replication. This functionality is free. Another new tool -- codenamed Zelkova -- is aimed at AWS S3 security policies to help users identify which one is more permissive than the others. Amazon Macie, a managed service that uses machine learning to detect personally identifiable information and intellectual property, has been available for S3 since August. It works with CloudTrail, Amazon's log management service. According to Schmidt, every new service or feature -- 1,042 in 2017 alone, as of the end of November -- has to go through an application security review. Almost half of the AWS functionality introduced in 2017 -- 467 features -- focused on security.
Policy plan: Amazon's 'mechanisms to drive security'
AWS CISO Stephen Schmidt works with his team to set policy in terms of a series of expectations for the year. And there are measurable service goals for every service team in the company. A major aim is to "radically restrict" human access to data, which means restrict it by 80%, according to Schmidt. "It's to drive people to use tools for things that they would otherwise do by hand."
Schmidt's one-year plan includes the following:
- buy-in from leadership;
- radically restrict and monitor human access to data;
- source code security;
- log retention duration;
- credential blast radius reduction;
- credential lifespan reduction;
- Transport Layer Security implementation;
- AWS encryption everywhere; and
- canaries and invariants for security functionality.
As with on-premises networks, information security in the cloud requires continuous monitoring: How often are people logging into systems? Does the IT staff check who is accessing source code?
"When you go to the cloud, you are actually facing a new reality," Juniper Networks' Hahad said. "Unfortunately, there is a misconception among a lot of IT organizations that whatever happens in the cloud is kind of not their responsibility.
"I think IT organizations all the way up to the CISO should not abdicate their role -- they are the guardians of any intellectual property. What we see happening very often is that they allow various entities within the organization to go ahead and create AWS or Microsoft accounts, and you lose control over what is going on."
Amazon's own policy model is driven by security expectations and leaves little to chance. The company keeps careful constraints around its staff, watches what they do every day and instructs service teams to restrict access to data through tooling and automation. In addition to privilege separation, Amazon rotates credentials and enforces short lifespans -- sometimes measured in hours, according to Schmidt.
Policy fail: Still not patching
The biggest threats to cloud data for most companies involve misconfiguration or lack of patching, noted Andrew Nielsen, formerly CISO at Druva, a data management-as-a-service startup based in Sunnyvale, Calif. "So many organizations have been breached because they didn't keep up with patches," Nielsen said.
Cloud data management services are on track for growth, attracting startups such as Druva and Rubrik as more companies look for data center backup and recovery. Emerging companies are entering a space dominated by Dell EMC, IBM, Commvault, Veritas Technologies and others.
"The struggle we see is a lot of organizations are really good at managing infrastructure in their data center -- they're maturing their tooling, and they've got operational procedures -- but when they move to cloud, a lot of that shifts," Nielsen said. "They need new tool sets along with skill sets that they've got to acquire, and that's where we see a big gap."
What's the best way to deal with patching? "Shoot the old version in the head once you have the new one running," according to Schmidt. Amazon enforces Federal Risk and Authorization Management Program (FedRAMP) policy standards for security assessment, authorization and continuous monitoring across its internal infrastructure; uses canaries -- positive and negative -- when designing new services; and employs AWS encryption everywhere.
How can CISOs better manage configuration changes? With the shift toward DevOps, new intrusion detection platforms -- such as Threat Stack -- look at malware and remote adversaries breaching environments and what internal employees are doing in production. The subscription-based software as a service integrates with products -- DevOps tools (like Chef and Puppet), Amazon machine instances, Docker and more -- that IT teams use to configure and automate their deployments. The technology supports cloud configuration auditing, behavioral analysis and threat detection across hybrid cloud infrastructures. Other companies in the AWS cloud security and compliance space include CloudPassage, Dome9 Security and Evident.io.
"Amazon can show you there was a network connection, but what they can't do is show you what is happening inside the operating system or the server," said Sam Bisbee, CSO at Threat Stack, a Boston-based startup.
"When Alice logs into the production database, what does Alice actually do when she logs in? Are engineers leveraging all [of our] build pipelines and this great automation? Or are they logging into servers and manually changing config files, which creates availability, security and compliance concerns," Bisbee said.
Greater visibility may help as problems with AWS S3 security continue to plague companies, both large and small. Putting a stop to AWS S3 bucket misconfigurations may require enacting policies that limit the damage caused by untrained or careless employees.
"It is kind of hard to say [this], but I personally believe that sometimes you have to implement heavy penalties for infractions," Hahad asserted. "The CISO should tell employees of the company, 'Here is the framework within which we are going to work, and any division from this framework is going to be penalized.'"
Make people accountable, he advised, "and you will have a lot of ammunition to hold that position."