This week brought another set of headlines about a large data breach—this time at Capital One. In this case, the alleged attacker is domestic and the federal indictment provided some details of how the breach occurred.
In this case, a misconfigured firewall allegedly allowed Paige Thompson to remotely execute commands against an Amazon Web Services (AWS) server. Using this misconfiguration, Ms. Thompson obtained security credentials, enumerated storage buckets, and synced data. While Ms. Thompson previously worked for AWS, reports indicate that this was not a breach of Amazon’s systems; it was a configuration error by Capital One that was immediately resolved when they received the responsible disclosure from someone who became aware of Ms. Thompson’s data theft.
Amazon went as far as to tell Newsweek: "AWS was not compromised in any way and functioned as designed. The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud."
IT and security professionals have been speaking to this issue since the infancy of cloud computing. When customers place their applications and data with cloud providers there is a shared responsibility for securing the environment. While there has always been concern about using cloud providers due to security risks, the reality is that every reported security breach on a cloud platform was due to customer issues, not the cloud provider, and could have been avoided. In this shared responsibility model, cloud providers have fulfilled their responsibility and are regularly trying to do more to help the customer fulfill theirs.
As the growth of cloud computing increases, we are seeing an increase in these types of leaky configurations. Cloud vendors, like AWS, have recognized this risk and increased the availability of tooling with CloudTrail and Trusted Advisor, but is that enough? At what point will IT leaders and the industry expect more out of the major cloud providers?
The response to this question across the industry is often that this can happen with on-premise solutions as well and that the blame lies with the customer. While true, this feels like a deflection when what is needed is an increased commitment to doing right for cloud customers. Cloud vendors could benefit from looking to other industries, such as auto manufacturing, for how to protect their customers.
Automobile accidents and fatalities are a regular occurrence. I drive both a 2018 Buick Regal TourX and a 1939 Pontiac Deluxe Series 28. With 80 years of technology enhancements between them, you can easily identify which one is safer to drive and more likely to survive a collision, and there is a reason that, when I drive, one of them never sees the highway, dark roads, or a drop of rain. While some safety enhancements over the past 80 years are regulated, many were added by the manufacturers out of a desire to protect their customers. And it has worked. According to the NHTSA, US fatalities from car accidents in 1939 were 10.83 per 10m vehicle miles traveled. In 2017, the latest year available, fatalities have dropped to 1.16 per 10m VMT.
If the manufacturer, General Motors, had the same response as the cloud industry, they would say people died on bicycles and horse-and-buggy accidents as well. As General Motors enhanced vehicle safety, they could have chosen to not improve the safety technology by saying that you could die in previous generations of their car and in competitors’ cars. Instead, they continued to evolve the protections in the vehicles, and with each generation of car, improvements have been made.
Sure, we are not talking about life and death when it comes to the Capital One breach, but it is time for cloud providers to take the same approach as automakers in a commitment to continual improvement. Learn from each one of these customer breaches. Identify what happened and build features to keep customers from repeating the same mistakes. Turn these features on by default and make them front and center. Create a risk register on the cloud portal that identifies potential configuration issues. Require administrators to review and acknowledge the risk. Remind them again at some future date to make sure they are still aware of the potential risk. Evolve the threat modeling tools to identify new risks and make newly identified risks front and center for the customers. Help shrink the envelope in which cloud administrators can create security issues. In defense of the cloud providers, they have made significant strides in assisting their customers with secure configurations, but the pace of change is so fast that it is often difficult for cloud customers to keep up.
Over its 101-year history, GM’s safety culture has failed at times. At times that culture has been challenged to improve by horrific safety failures and other times by lawsuits and regulators. But throughout its history, it has continued to evolve its product and provide safety features its customers were not yet asking for in order to improve the survivability of its customers. Cloud providers need to feel that same level of responsibility to their customers by helping them protect themselves. If they don’t, they may find regulators will do it for them.
Ensure you're leveraging the existing toolsets available in your cloud platform. As mentioned above, there are several mechanisms for environment monitoring. Additionally, ensure your technical staff has the training to leverage these features, which cloud providers offer for free.
Engage cloud vendors or knowledgeable third-party firms for environment reviews. AWS provides a framework and tools to conduct a ‘well-architected’ review of your cloud environments, and West Monroe can provide a ‘Cloud Assessment and Roadmap’ to ensure best practices are followed, including security.
There are several third-party tools that scan cloud environments for best practice adherence and security framework compliance. The West Monroe Managed Services team leverages CloudCheckr to confirm environments follow cloud provider best practices. The tool can even determine if an environment meets various compliance and security frameworks, such as PCI, HIPAA, and CIS. Security tooling can reduce risk while your technology team trains on security best practices.
Execute threat modeling exercises to identify a) high value assets, b) most probable vulnerabilities, and c) most relevant threats. Products like securiCAD Vanguard can help automate these modeling exercises by integrating with the APIs of your cloud environments.
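One way to act on the monitoring recommendation above, as an added example that is not from the original article or from AWS: a Python pass over CloudTrail records that flags the sequence described earlier, where instance-role credentials are used from an unexpected address to enumerate buckets and then read objects in bulk. The egress ranges, threshold, account ID, role name and sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the address ranges your own instances use to reach AWS APIs.
EXPECTED_EGRESS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]
BULK_READS = 3  # GetObject calls after a ListBuckets; kept low for the sample

def _ev(time, name, ip, session):
    """Build a constructed record carrying the CloudTrail fields used below."""
    arn = f"arn:aws:sts::111122223333:assumed-role/app-role/{session}"
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"type": "AssumedRole", "arn": arn}}

# Constructed sample, not real logs: one in-range session, two out-of-range ones.
SAMPLE_EVENTS = (
    [_ev("2019-01-01T10:00:00Z", "ListBuckets", "10.0.1.5", "i-0aaa")]
    + [_ev(f"2019-01-01T10:01:0{i}Z", "GetObject", "10.0.1.5", "i-0aaa") for i in range(4)]
    + [_ev("2019-01-01T11:00:00Z", "ListBuckets", "203.0.113.77", "i-0bbb")]
    + [_ev(f"2019-01-01T11:01:0{i}Z", "GetObject", "203.0.113.77", "i-0bbb") for i in range(3)]
    + [_ev("2019-01-01T12:00:00Z", "GetObject", "203.0.113.9", "i-0ccc")]
)

def _expected(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # service-made calls carry a DNS name here, not an address
        return True
    return any(addr in net for net in EXPECTED_EGRESS)

def find_suspect_sessions(events):
    """Return {session ARN: [source IPs]} for EC2 instance-role sessions that,
    from outside EXPECTED_EGRESS, call ListBuckets and then bulk-read objects."""
    state = defaultdict(lambda: {"listed": False, "reads": 0, "ips": set()})
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity", {})
        arn = ident.get("arn", "")
        # Instance-profile credentials use the instance ID as the session name.
        if ident.get("type") != "AssumedRole" or not arn.rsplit("/", 1)[-1].startswith("i-"):
            continue
        if ev.get("eventSource") != "s3.amazonaws.com" or _expected(ev["sourceIPAddress"]):
            continue
        s = state[arn]
        s["ips"].add(ev["sourceIPAddress"])
        if ev["eventName"] == "ListBuckets":
            s["listed"] = True
        elif ev["eventName"] == "GetObject" and s["listed"]:
            s["reads"] += 1
    return {a: sorted(s["ips"]) for a, s in state.items() if s["listed"] and s["reads"] >= BULK_READS}

if __name__ == "__main__":
    print(find_suspect_sessions(SAMPLE_EVENTS))
```

GetObject is an S3 data event, so the trail must have data-event logging enabled for the read half of this pattern to appear at all.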
Cloud providers like Microsoft and Amazon have both started providing tools to help clients secure their cloud infrastructures. As long as these breaches continue to happen, they must continue to enhance their tools and improve their envelope protection. If they don’t, the market or regulators will require them to do so. Regardless, security responsibility will always be shared, so business and IT leaders must make sure they are doing their part.