When news of the latest government data breach breaks, most will conjure up images of nefarious hackers exploiting networking vulnerabilities. For others, their thoughts may turn to agencies relying on aging IT systems that no longer keep pace with today’s cyber threats.
However, there is a new breed of breach developing, aimed at the cloud storage buckets offered by Amazon, Google, Microsoft and other vendors. These compromises take place when organizations actually alter permissions that open the door for unauthorized users to access their cloud data.
These “leaking buckets” of data are a widely overlooked security risk that goes unnoticed until disaster strikes. It is time to acknowledge that achieving a quick transition to the cloud can no longer be prioritized over security.
The Perfect Storm of Vulnerability
Most IT professionals are familiar with the basic cloud storage structure: all of an organization’s cloud data is housed in “buckets” that are used to organize information and control access. Buckets cannot nest under one another like in a traditional file storage structure, and each must be assigned a unique name.
By default, bucket contents are private; however, those settings are changed for a variety of legitimate reasons such as providing customer or third-party access to data. Bucket privacy settings are also sometimes overlooked or misunderstood by personnel unfamiliar with the cloud landscape – a risky oversight, considering buckets that are configured as public can be accessed by anyone who has the link.
A staggering number of private and public sector breaches – including the U.S. Army, Pentagon, and National Security Agency (NSA) – prove there is a fundamental disconnect between cloud security settings, bucket-naming conventions and who is ultimately responsible for securing cloud data.
The crux of this cybersecurity epidemic is the fact that the cloud bucket namespace is global and publicly visible. When combined with misconfigured permissions and easily-guessed names, this creates a perfect storm of cloud data vulnerability.
Four Ways Agencies Can Secure Cloud Data
Implementing best practices for naming buckets is key to keeping organizational data off the radar of probing hackers. Security measures should also be in place to prevent access through brute force or other attacks if a cloud bucket is discovered. Below are four foundational steps federal agencies should take to protect cloud data:
- Add complexity: Make bucket names unguessable
As with passwords, the longer and more complex bucket names are, the better: names should be 64 alphanumeric characters or longer. Do not include the agency name, user IDs, email addresses, project names, or other identifying information in bucket names.
- Use tarpitting: Slow down attackers
Discovering an agency’s cloud bucket does not automatically equal compromise – a login is still required. Tarpitting security technology, which makes processing time progressively slower with each successive failed password attempt, can prove a significant deterrent for hackers looking to quickly access data.
- Limit password attempts: Block brute force
Through brute force attacks, intruders deploy software that does the work for them by generating a large number of consecutive password guesses until one works. Establishing login attempt caps is an easy way to deter these types of attacks.
- Stay informed: Alert security personnel of problems
It is much more difficult for an agency to gauge its security stance or detect public cloud buckets if it is unaware it is being targeted. Security software should be configured to alert security personnel of multiple failed password attempts in order to determine if the issue is more than just a forgetful user.
The scale of government enterprise cloud storage often results in sprawling bucket systems, and applying secure naming standards can represent just one of many challenges to organizing and managing cloud data.To ease the burden, states should consider turning to solutions providers structured to meet the unique needs of federal organizations, whose cloud applications already integrate the strongest security standards. State cloud data – much of it entrusted to the government by the citizens it serves – requires the utmost privacy and security protections available; only then can agencies fully unlock the transformative benefits of cloud implementation.
