News

Study: Lax Security Enforcement Behind Rise in Amazon S3 Exposures

• By Gladys Rama
• 10/11/2017

A new report by cloud security firm RedLock spells out what the recent outbreak of Amazon S3 security errors already indicates: "Data exposures are on the rise because organizations are failing to adhere to established security best practices."

Last week, RedLock published its latest "Cloud Security Trends" report in which it analyzed data from its customers' environments (amounting to over 5 million cloud resources) between June and September 2017. RedLock found that among organizations using cloud-based storage services like Amazon S3, over half (53 percent) have experienced inadvertent data exposures. That's up 13 percentage points from May, when RedLock last published its report.

RedLock pointed to instances like the Republican National Committee leak (which exposed nearly 200 million voters) and the Dow Jones & Company leak (which exposed over 2 million customers) as examples of Amazon S3 buckets being misconfigured to be publicly accessible. Those two instances were reported in June and July 2017, respectively. There have been many more high-profile Amazon S3 flubs made since then, including those by Verizon, the Chicago Election Board, military contractor TigerSwan, Viacom and, just this week, IT services giant Accenture.

In each instance, the data exposure was traced to Amazon S3 buckets that were erroneously configured to allow public access. Such misconfiguration errors have resulted in the exposure of personally identifiable consumer information (affecting up to 6 million individuals in the case of Verizon) or of data critical to the integrity of an organization's IT infrastructure (as was the case with Viacom).

"[O]rganizations are still falling behind in effectively protecting their public cloud computing environments," said RedLock CTO Gaurav Kumar in a prepared statement, adding that "cybercriminals are actively targeting information left unsecured in the public cloud."

Failure to properly lock down assets stored in the cloud also means an organization risks falling out of compliance with key regulations like the Payment Card Industry Data Security Standard (PCI DSS) and the Center for Internet Security (CIS) Benchmarks. Indeed, RedLock found that 45 percent of organizations failed to meet CIS standards, and 48 percent failed to meet PCI DSS standards.

RedLock also found that more than eight out of 10 organizations leave host vulnerabilities unpatched, despite many of them having access to third-party vulnerability management solutions. "[O]rganizations are unable to map the data from these tools to gain cloud-specific context," RedLock researchers said in the report. "Specifically, identifying hosts that are missing patches by IP addresses is not actionable, since IP addresses are constantly changing in the cloud."

In more dire cloud security news from RedLock's report:

• The firm discovered 250 organizations that were unwittingly exposing their access keys and other cloud credentials on public-facing Web servers.
• Nearly four out of 10 organizations have had at least one user whose account has been "potentially" compromised.
• Nearly four out of 10 databases are exposed to inbound connection requests from the public Internet, with 7 percent of them getting requests from "suspicious" IP addresses.
• Nearly two-thirds (64 percent) of databases lack encryption.

"It's imperative for every organization to develop an effective and holistic strategy now to protect their public cloud computing environment," Kumar said.

RedLock's October "Cloud Security Trends" report can be downloaded here, with registration, at no charge.