One of the most common causes of data breaches is the misconfiguration of cloud services caused by user or administrator error. The concepts used in cloud computing are nothing new; in fact, the idea of renting resources on someone else’s server dates back to before the personal computer. There are many benefits to storing data, servers, and other resources in the cloud, primarily that it provides easy access to these resources from anywhere. However, the advent of inexpensive cloud services has encouraged businesses of all sizes to remain “always-on” and enabled organizations to rapidly deploy new technology, sometimes without the intervention of IT staff (this is commonly referred to as “shadow IT”). This “shadow” infrastructure is often implemented without the expertise of Information Technology or Security departments and may not specifically align to business processes or goals, potentially leading to improper configuration; often such systems are implemented specifically to circumvent such departments and processes. When not properly secured, the accessibility that has made cloud platforms successful can also lead to a data breach.
For those unfamiliar with the inner workings of cloud computing, you can think of the cloud as a self-storage locker. You’re renting out space in a common area, but it’s your responsibility to secure your property. When organizations lack full understanding of the security implications of the cloud platform, human error often arises during the configuration process; this human error was determined to be the root cause of nearly 25% of breaches in 2019 (IBM/Ponemon – 2019 Cost of Data Breach Report).
This issue is not limited to small and medium businesses, which are generally assumed to be less familiar with cloud computing concepts. Businesses of all sizes fall victim, and incidents at larger organizations generally receive more coverage when discovered. At the time of writing, there have already been three significant instances of improper cloud security leading to the discovery of publicly exposed data in just the first month of 2020. Each of these instances is briefly detailed below:
Who: THSuite (A Point-of-Sale System for the Medical Cannabis Industry)
What: 30,000+ records of personal information (IDs, names, addresses)
Where: Amazon S3 Bucket (Cloud Storage)
Who: Amazon AWS (The cloud services arm of Amazon)
What: Nearly 1GB of Security Keys, Credentials and Personal Information (IDs, Contact Information)
Where: GitHub (Code Sharing Service)
Who: Microsoft Support (Technical Support for Microsoft)
What: 250 Million+ Customer Service Records
Where: Elasticsearch Servers (Cloud Database)
You might be thinking, if some of the largest organizations in technology have trouble protecting against user error, what hope does my significantly smaller business have? The fact of the matter is that you may be small, but you are mighty – it is usually easier to effect change at a smaller business. It’s also potentially easier to enforce policies and monitor compliance.
Pop Quiz! Where are your company’s IT policies? Can you pull up the acceptable use policy for your organization in less than a minute? Did you sign this policy? Has it been documented that it was reviewed or updated at some point in the last calendar year? If you said no to any of these questions, how can you expect your employees to know their responsibility in securing your organization? A good acceptable use policy doesn’t need to be anything special, but it should govern how the average employee is expected to use their equipment and provide critical controls to safeguard your business against data breaches. This should include some sort of language informing your employees that software and services are defined by management, and that users require approval for any software or services that aren’t already approved.
Your company should also have a documented list of the software and cloud services that are used and (most importantly) approved. This document can help you guide targeted audits of cloud services, maintain licensing compliance, and implement a software whitelisting application that prevents unapproved software from running on your workstations. Like all documentation, it should be reviewed annually or after any major change to ensure that it is accurate. Any time that a change is made to a cloud system (for example, a cloud-hosted server or file share), testing should be conducted from outside of your organization to confirm that these services are not publicly available.
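The external test described above can be driven directly from the approved-services list. The sketch below is an added example, not part of the original article: the endpoint names, URLs and sample responses are constructed, and it checks only two service types mentioned in the incidents above (S3 bucket listings and Elasticsearch root endpoints).

```python
import urllib.error
import urllib.request

# Constructed inventory: hypothetical endpoints standing in for the entries
# in your approved-services document.
INVENTORY = [
    {"name": "invoice-archive", "kind": "s3",
     "url": "https://invoice-archive.s3.example.test/"},
    {"name": "support-search", "kind": "elasticsearch",
     "url": "https://support-search.example.test:9200/"},
    {"name": "staging-search", "kind": "elasticsearch",
     "url": "https://staging-search.example.test:9200/"},
]
# Constructed responses so the example runs offline.
SAMPLE = {
    INVENTORY[0]["url"]: (200, "<ListBucketResult><Name>invoice-archive</Name></ListBucketResult>"),
    INVENTORY[1]["url"]: (401, '{"error": {"type": "security_exception"}}'),
    INVENTORY[2]["url"]: (200, '{"cluster_name": "staging", "tagline": "You Know, for Search"}'),
}

def fetch_anonymous(url, timeout=10):
    """GET with no credentials; run this from a host outside your network."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        return err.code, err.read(4096).decode("utf-8", "replace")
    except OSError:  # DNS failure, refused connection, timeout
        return None, ""

def classify(kind, status, body):
    """Map an unauthenticated response to an audit verdict."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "auth-required"
    markers = {"s3": "<ListBucketResult", "elasticsearch": '"cluster_name"'}
    if status == 200 and markers.get(kind, "\0") in body:
        return "PUBLIC"
    return "review"  # answered without credentials, but not a known listing

def audit(inventory, fetch=fetch_anonymous):
    """Return (name, verdict) for every endpoint in the inventory."""
    return [(i["name"], classify(i["kind"], *fetch(i["url"]))) for i in inventory]

if __name__ == "__main__":
    # Uses the constructed responses; drop the fetch argument for a live audit.
    for name, verdict in audit(INVENTORY, fetch=lambda u: SAMPLE[u]):
        print(f"{name}: {verdict}")
```

An "auth-required" verdict on a bucket root only shows that listing is blocked; individual objects can still be publicly readable, so follow up with the provider's own access reports for anything sensitive.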
You should strive to make your IT department the “Department of Solutions” instead of the “Department of No”. Even with guidance from management, it can be tempting to view technological restrictions as the IT department enforcing strict control that prevents employees from working effectively. These situations are what often cause “shadow IT” to occur within an organization.
When an employee makes a request to use software or a service that is not currently approved, the IT department should do their due diligence to identify suitable alternatives to achieve the same end result using preapproved software and services. For example, if a user requests to use Dropbox to securely send a small file to a vendor, it may be beneficial to explore using Office365 mail encryption or OneDrive features instead. In this hypothetical scenario your IT staff is already supporting the Office365 environment and has specifically implemented security controls based on how this system is used. It is generally easier and more supportable to implement a system you already have rather than attempt to implement another to achieve the same goal. Office365 email encryption could be integrated into a more cohesive DLP (Data Loss Prevention) program to automatically encrypt specific messages (such as sensitive invoices) or leverage your existing security groups to keep files on OneDrive need-to-know. Always avoid simply referring a user to the policy when requests come in that cannot be accommodated immediately.
By implementing strong governance, maintaining detailed documentation, and providing great customer service to your employees, any organization can begin to protect itself against shadow IT and misconfiguration, two common causes of cloud service vulnerabilities. While this doesn’t guarantee that best security practices are followed (unless they are properly documented), it does lay the groundwork necessary for a mature security program within your organization.