Recent news stories about cloud computing solutions have highlighted their role in data leaks. Organizations that have suffered from leaks range from the Republican National Committee to Verizon, and more recently Dow Jones Publications (the parent company of The Wall Street Journal). Events like these cause some to question the security of cloud storage solutions. Before jumping to broad conclusions, it’s important to evaluate the details behind the stories of the three leaks from the RNC, Verizon, and Dow Jones. What comes to light is not a weakness in the idea of cloud computing, but rather a misunderstanding of the solutions and a mishandling of information that resulted in basic security failures.
Like many organizations with large accumulations of data to manage, these three looked toward the cloud as a strategic computing resource. All three were using Amazon Web Services Cloud Computing (AWS), which has quickly become an industry standard for cloud computing. Amazon’s business model is based on renting server space to organizations and individuals to store data, run complicated simulations, or host a website. Verizon, Dow Jones and the RNC all used AWS to manage client data, including names, addresses, and credit card information. The internal investigations of these companies revealed that the data was accidentally made public by an employee. An employee error, not a malicious hack, caused personal customer data to be made public.
When setting up security group access to the data, the employee apparently selected, by mistake, an option that would allow anyone with an Amazon Web Services account to access the data rather than just approved users. All three instances of this error were quickly discovered by cyber security companies trolling for this type of vulnerability. In each case, the security gaps were immediately reported, and each organization quickly reacted by notifying the public that none of the exposed data was stolen. While each contends that everything should be just fine, any time data is inadvertently exposed, it is a startling trend nonetheless.
One might think that the solution is to avoid cloud computing altogether, on the misguided assumption that these environments are clearly not secure and cannot be trusted. After all, the security of an organization’s data is paramount to its ability to function and maintain public trust. Unfortunately, this is the wrong lesson to learn from the rash of cloud computing security mishaps. A better takeaway is that organizations need to be more careful and better educated about the technologies they implement. The oversight of using an incorrect security setting is one born of a lack of knowledge about how AWS or cloud technologies work and how to use them effectively. It is an avoidable mistake that is easily addressed with education.
The way to systematically avoid security mistakes like this is twofold: 1) integrate security into every business process, and 2) conduct periodic self-audits.
First, integrating security into business processes ensures that mistakes are avoided at every level. If every employee understands and recognizes the importance of keeping consumer data secure, the organization adopts a proactive security posture that dramatically reduces risk and ultimately results in fewer mistakes. This integrated approach saves time and effort, and produces a much more consistent result.
Second, the security program for any kind of new process or tool (such as cloud computing) should be audited frequently. If an employee from Verizon had gone home and tried to access the consumer data, they would have quickly found the vulnerability and could have expeditiously addressed the issue. Another option is to engage third-party resources to conduct an audit. External auditors are not encumbered with the same constraints as internal audit resources. There are plenty of companies that will test the security of an organization’s systems and help to rectify any weaknesses.
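A self-audit of the kind described above can start with the access grants themselves, looking for the "anyone with an AWS account" setting discussed earlier. The following is an added example, not code from the original article; it assumes the data sits in Amazon S3 buckets whose ACLs have the shape returned by the S3 GetBucketAcl API, and the bucket names and owner ID are constructed placeholders.

```python
# Predefined S3 grantee groups (real AWS URIs) that reach beyond named accounts.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
AUDIENCE = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "anyone with any AWS account",
}


def risky_grants(acl):
    """Return (permission, audience) pairs for grants to the broad groups.

    `acl` has the shape of an S3 GetBucketAcl response, such as the dict
    returned by boto3's s3.get_bucket_acl(Bucket=name).
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grants to individually named accounts are not flagged
        audience = AUDIENCE.get(grantee.get("URI"))
        if audience:
            findings.append((grant.get("Permission"), audience))
    return findings


def audit(acls_by_bucket):
    """Map bucket name -> findings, keeping only buckets with exposure."""
    report = {name: risky_grants(acl) for name, acl in acls_by_bucket.items()}
    return {name: found for name, found in report.items() if found}


# Constructed sample ACLs: bucket names and owner ID are placeholders.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}
SAMPLE_ACLS = {
    "example-customer-records": {"Grants": [
        OWNER,
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ]},
    "example-internal-reports": {"Grants": [OWNER]},
}

if __name__ == "__main__":
    for bucket, findings in audit(SAMPLE_ACLS).items():
        for permission, audience in findings:
            print(f"{bucket}: {permission} granted to {audience}")
```

Run on a schedule against every bucket an organization owns, a check like this turns the periodic self-audit into a routine report instead of a one-off review.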
As organizations become more and more dependent on modern technologies, like cloud computing, they need to become educated on the potential pitfalls and how to avoid them. Progress is paramount to having a competitive business or organization. However, there needs to be a conscious effort to maintain security with every innovation.