Corporate data “rainstorms” and “drizzling” from the Cloud – let’s stop the bigger threat
When reviewing the categories of threat vectors responsible for the largest data leaks that hit corporate IT in 2017, it springs to mind that this year should be nominated as the “Year of Clouds Raining Corporate Data”.
- The “rainstorm” season began on the 31st of May when hackers successfully obtained access to OneLogin’s customer data on a virtual server running in Amazon Elastic Compute Cloud (EC2).
- A week later, on June 8, an employee of Nice Systems, an Israel-based company partnered with Verizon, incorrectly configured their Amazon Web Server (AWS) storage to allow uncontrolled external access that exposed millions of Verizon customer records.
- Four days later, on June 12, the largest US voter database leak was discovered by security firm UpGuard. On this one, an unprotected database with personal information of 198 million American voters was found on a publicly accessible cloud server belonging to media analytics firm Deep Root Analytics that was contracted by the Republican National Committee (RNC). The cause of this data breach was a mistake in configuring a security setting.
- In July 2017, “thousands of files containing the personal information and expertise of Americans with ‘Classified’ and up to ‘Top Secret’ security clearances”, according to Gizmodo, were discovered in public access on an AWS S3 data storage bucket. Personnel of TalentPen, a company operating this repository, just forgot to set up any password to protect the data.
- The next “data rainstorm” came down from Viacom, an $18 billion multinational corporation, when on the 30th of August, researchers from UpGuard found an open misconfigured AWS S3 bucket where “the contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom’s IT infrastructure.”
- On September 17, a trove of corporate data not protected even with a password was discovered on Accenture’s four cloud-based servers.
- Literally the next day, September 18, more than half a million unprotected customer records were found on a misconfigured AWS S3 bucket used by SVR Tracking, a vehicle tracking service provider headquartered in San Diego.
- And the last so far was a data breach in Australia in October 2017 where personal details of 50,000 Australian employees of government agencies and private companies were been exposed online by a third party contractor due to, again, an error in configuration of a cloud-based server.
The most remarkable aspect is that all these cloud data leaks – with the exception of OneLogin – were caused not by a hacking attack nor by a malware-exploited system vulnerability, but by simple human mistakes. The tenant’s administrators or contractors either improperly configured security settings for databases in Amazon S3 buckets or even forgot to protect them with a password, thus leaving customer information or sensitive corporate data freely accessible for everyone “mining” the Internet.
These cases are another confirmation that the root cause of many corporate data leaks is insiders. In these situations, administrators who are directly responsible for protecting valuable business data failed simple security tasks. At the same time, it is another painful reminder that in spite of all organizational measures – special trainings, certifications, strict corporate data security policies and procedures, and audits – the human nature of security administrators remains the same as the behavior of typical end users: susceptible at the very least to accidental mistakes and negligence.
The enormous size of such data leaks as those RNC, Verizon and Accenture have suffered, as well as the reputational and financial losses incurred by them, are striking indeed and attract a lot of public and industry attention. However, although sensationally damaging when evaluated individually, as a category, these corporate “data rainstorms” from the Cloud are rather isolated and not so many of them have been happening even when counting globally.
And, if we look at the problem of cloud storage-related data leaks from a wider perspective, it becomes evident that the total negative impact of incidents with cloud-resident corporate databases pales in comparison with potential aggregate losses for millions of organizations worldwide from another data leak threat vector that is created by cloud services and is dependent on the human element as its key enabling factor. This vector is cloud file sharing – e.g. Microsoft OneDrive, Google Drive, Apple iCloud, Box, Dropbox, etc. – that is available for most corporate users on their personal and business computers by using either relevant desktop clients or via any web browser.
The mechanics of data leaks via cloud file sharing is trivial and fully attributed to human nature. By accidental mistakes, negligence or with a malicious purpose, users upload documents with confidential business data to their personal or corporate accounts at a cloud storage provider where unauthorized persons such as, in most cases, friends and family members or sometimes anyone from the Internet can freely access and download these documents. The scale of these leaks should not come as a surprise, because it is actually insiders, (i.e. legitimate business users), who generate and use information in any organization. Therefore, most business data, including confidential, are created, processed and stored on end user’s endpoint devices – primarily personal computers. If data uploads from these computers to cloud storage are not controlled by the organization, this vector of exfiltrating sensitive business information to the wild remains nearly completely open.
Huge in their total global damages, these “drizzling” data leaks from file sharing clouds are happening daily in corporate IT systems worldwide. Yet, many of them remain latent because in each individual case, for instance, when a single sensitive document got leaked, it usually leads to rather small, omissible business damage. Even if these leaks are detected, most organizations tend to just tolerate and hide such incidents if not under compliance governance. Another reason is that nobody independently warns victimized organizations and the public on file sharing data breaches, because in the current IT security ecosystem there are no such dedicated specialists for externally monitoring this particular threat vector as UpGuard and Kromtech Security Center have become for incidents with unprotected Amazon S3 buckets.
Regretfully, in real practice, pure organizational measures like user training, instructions and policies have proven to be insufficient for eliminating the probability of human mistakes and misconduct. In addition to these measures, prudent companies concerned with the cloud data leakage threat should utilize content-aware technical solutions – like DeviceLock DLP – in order to enforce corporate data security policies for scenarios when users upload and store data from managed endpoint computers into the Cloud.
With DeviceLock DLP, security administrators have two mechanisms of such enforcement. First of all, when users access cloud file sharing services from web browsers, the DeviceLock Agent selectively controls user permissions to connect to specific cloud storage services, download and upload files. In addition, the content of uploaded files is inspected and uploads of files with data prohibited by centrally defined DLP policies are blocked, while detailed parameters of these operations can be logged and, if necessary, complemented with the shadow copies of blocked files. What uniquely differentiates the DeviceLock Agent is that its NetworkLock module uses agent-resident Deep Packet Inspection (DPI) technology to control network communications of the host computer. In contrast with other endpoint DLP solutions, NetworkLock’s DPI controls are browser-independent – as a result, DeviceLock DLP ensures universal control of user communications to cloud storage services via any web browser regardless of which one is chosen by the user.
The second equally effective mechanism of preventing users from storing prohibited data in the Cloud is enforced by DeviceLock Discovery – a separate DeviceLock DLP component aimed at preventing leakage of stored data-at-rest. By automatically scanning files in the end users’ local synchronization folders of cloud file sharing applications installed on corporate computers, DeviceLock Discovery Agents locate documents with prohibited content and eliminate discovered policy violations by enforcing various remediation actions, as well as initiating incident management procedures by sending real-time alerts to security administrators or SIEM systems used in the organization.