Get Your Head Out of the Clouds – Only You Can Protect Your Data
Interesting article I just read. It seems Kromtech Security Center researchers stumbled upon a FedEx Amazon Web Services (AWS) Simple Storage Service (S3) bucket, finding that it contained more than 119,000 scanned documents, including passports, drivers’ licenses, and also Applications for Delivery of Mail Through Agent forms, which contain names, home addresses, phone numbers and ZIP codes.
The victims included citizens of countries around the world, including Australia, Canada, China, EU countries, Japan, Kuwait, Malaysia, Mexico, and Saudi Arabia. The bucket was inherited from Bongo International, which FedEx purchased, relaunched as FedEx Cross Border International, and then closed down in 2017. The bucket, however, remained open. That’s the lowdown.
FedEx maintains that no nefarious activity occurred during the S3 bucket’s public availability. Not so fast, says Tim Prendergast, CEO of Evident.io, who noted that hackers are nonetheless actively searching for these kinds of misconfigurations. According to Mr. Prendergast, “Hackers are going after S3 buckets and other repositories because that’s where the data is but also because they’re easy to find. There’s a whole hacker cottage industry around finding and exploiting S3 buckets, and it’s growing because as cloud environments grow, so do the number of unsecured assets that are discoverable.”
This brings up a bigger problem. Many companies aren’t aware of the ‘cloud rules’ in protecting information. In fact, many companies are just plain old confused. Of course, if an incident such as that just mentioned happened to them, they would learn very quickly who is responsible for what. Most public cloud providers do not, and I repeat, do not have anything to do with protecting your data. You do.
So what are the statistics?
- 40 percent of organizations think their ISP will protect their organization from distributed denial-of-service (DDoS) attacks
- 30 percent think their data center or infrastructure partners will provide protection from cybersecurity attacks
- Organizations think their cloud providers can protect against ‘smart attacks’, which use encryption or mimic end user behavior
- 30 percent don’t do anything because they don’t feel it will happen to them
If you form part of those statistics, or your executives do, then you need to go to the back of the class. Whatever rigorous policies and processes are applied on-premises also need to be applied in the cloud. Ideally, these should be transparent to end users and deployable in any environment, including mixed environments. Why reinvent the wheel when you have something that works?
How can we help? Well, we can:
- Properly track the collection and movement of data, regardless of source
- Effectively identify and protect any sensitive and privacy data, in real time
- Automatically identify documents of record, and automate disposal or archive
- Create workflow capabilities that enable the deployment of processes and procedures across environments
Currently, the majority of our clients are using hybrid environments. Our technology protects your content, even if no one else will.
Do you think that your organization fully understands the different responsibilities in a cloud environment?
Join us for our Enough Talk – Solving GDPR Problems Through Metadata-Driven Compliance webinar, on Wednesday, March 14. This session explains not only the ramifications of General Data Protection Regulation (GDPR) but also how to address the compliance issues. It examines the tactical aspects of the solution, little-known stumbling blocks, and different tools that automate changes and provide an audit trail for compliance.