[BreachExchange] AWS S3 security falls short at high-profile companies

[Destry Winant]

https://searchcloudsecurity.techtarget.com/feature/AWS-S3-security-falls-short-at-high-profile-companies

Amazon Web Services takes unusual measures to prevent data from
leaving its data centers, estimated to house between 50,000 to 80,000
servers. Physical hard drives are shredded, hole-punched, totally
destroyed. Google follows a similar practice.

"Humans and data don't mix," said Stephen Schmidt, the CISO for AWS,
during the company's Security State of the Union summit last November.
"Keep the people away from the data."

While those tactics may sound extreme to many companies, human
errorhas taken its toll, leading to high-profile data leaks in the
cloud, chiefly with AWS S3 security. Instead of developers using
Amazon's internet cloud storage, untrained IT staff and business
personnel are depositing data in the cloud.

"We tend to think about misconfigurations and AWS buckets as being
something a very skilled IT professional has done, when no, that's not
the case," said Mounir Hahad, head of threat research at Juniper
Networks Inc. in Sunnyvale, Calif. "Very often, a group that has no
relationship with security went ahead and created something because it
was an easier and faster way to transfer data. The next thing you
know, the whole network is open to the world, and the data is leaked."

Financial publisher Dow Jones & Co., owned by News Corp., confirmed
reports in July 2017 that the company may have publicly exposed
personal and financial information of 2.2 million customers, including
subscribers to The Wall Street Journal and Barron's. The leak was
traced back to a configuration error in a repository in AWS S3
security. Dow Jones had intended to provide "semi-public access" to
select customers over the internet. However, access to download the
data via a URL was granted to "authenticated users," which
unfortunately included anyone who registered (for free) for an AWS
account.

Big-name problems

Accenture, Verizon, Viacom, Tesla and Uber Technologies are just some
of the high-profile names in the steady stream of companies that have
exposed sensitive information via AWS S3 security misconfigurations.
Some users forget to set up AWS bucket password protection; others
don't understand basic features in Amazon such as resource-based
access policies (access control lists) or bucket permissions checks
and unwittingly expose data to the public internet.

Customers have their choice of security configurations in the cloud,
but Amazon is also taking steps to help IT security teams enforce
behavior through tooling.

In November, the company updated its AWS dashboard, encasing public in
bright orange on the AWS S3 console so that cloud customers could
easily see the status of access permissions to buckets and their
objects. "We want to make it super obvious when your S3 bucket is open
to the public," Schmidt said.

The company added default encryption to all objects when they are
stored in an AWS bucket and access control lists for cross-region
replication. This functionality is free. Another new tool -- codenamed
Zelkova -- is aimed at AWS S3 security policies to help users identify
which one is more permissive than the others. Amazon Macie, a managed
service that uses machine learning to detect personally identifiable
information and intellectual property, has been available for S3 since
August. It works with CloudTrail, Amazon's log management service.
According to Schmidt, every new service or feature -- 1,042 in 2017
alone, as of the end of November -- has to go through an application
security review. Almost half of the AWS functionality introduced in
2017 -- 467 features -- focused on security.

As with on-premises networks, information security in the cloud
requires continuous monitoring: How often are people logging into
systems? Does the IT staff check who is accessing source code?

"When you go to the cloud, you are actually facing a new reality,"
Juniper Networks' Hahad said. "Unfortunately, there is a misconception
among a lot of IT organizations that whatever happens in the cloud is
kind of not their responsibility.

"I think IT organizations all the way up to the CISO should not
abdicate their role -- they are the guardians of any intellectual
property. What we see happening very often is that they allow various
entities within the organization to go ahead and create AWS or
Microsoft accounts, and you lose control over what is going on."

Amazon's own model is driven by security expectations and leaves
little to chance. The company keeps careful constraints around its
staff, watches what they do every day and instructs service teams to
restrict access to data through tooling and automation. In addition to
privilege separation, Amazon rotates credentials and enforces short
lifespans -- sometimes measured in hours, according to Schmidt.

Still not patching

The biggest threats to cloud data for most companies involve
misconfiguration or lack of patching, noted Andrew Nielsen, formerly
CISO at Druva, a data management-as-a-service startup based in
Sunnyvale, Calif. "So many organizations have been breached because
they didn't keep up with patches," Nielsen said.

Cloud data management services are on track for growth, attracting
startups such as Druva and Rubrik as more companies look for data
center backup and recovery. Emerging companies are entering a space
dominated by Dell EMC, IBM, Commvault, Veritas Technologies and
others.

"The struggle we see is a lot of organizations are really good at
managing infrastructure in their data center -- they're maturing their
tooling, and they've got operational procedures -- but when they move
to cloud, a lot of that shifts," Nielsen said. "They need new tool
sets along with skill sets that they've got to acquire, and that's
where we see a big gap."

What's the best way to deal with patching? "Shoot the old version in
the head once you have the new one running," according to Schmidt.
Amazon enforces Federal Risk and Authorization Management Program
(FedRAMP) standards for security assessment, authorization and
continuous monitoring across its internal infrastructure; uses
canaries -- positive and negative -- when designing new services; and
employs AWS encryption everywhere.

How can CISOs better manage configuration changes? With the shift
toward DevOps, new intrusion detection platforms -- such as Threat
Stack -- look at malware and remote adversaries breaching environments
and what internal employees are doing in production. The
subscription-based software as a service integrates with products --
DevOps tools (like Chef and Puppet), Amazon machine instances, Docker
and more -- that IT teams use to configure and automate their
deployments. The technology supports cloud configuration auditing,
behavioral analysis and threat detection across hybrid cloud
infrastructures. Other companies in the AWS cloud security and
compliance space include CloudPassage, Dome9 Security and Evident.io.

"Amazon can show you there was a network connection, but what they
can't do is show you what is happening inside the operating system or
the server," said Sam Bisbee, CSO at Threat Stack, a Boston-based
startup.

"When Alice logs into the production database, what does Alice
actually do when she logs in? Are engineers leveraging all [of our]
build pipelines and this great automation? Or are they logging into
servers and manually changing config files, which creates
availability, security and compliance concerns," Bisbee said.

Greater visibility may help as problems with AWS S3 security continue
to plague companies, both large and small. Putting a stop to AWS
bucket misconfigurations may require enacting policies that limit the
damage caused by untrained or careless employees.

"It is kind of hard to say [this], but I personally believe that
sometimes you have to implement heavy penalties for infractions,"
Hahad asserted. "The CISO should tell employees of the company, 'Here
is the framework within which we are going to work, and any division
from this framework is going to be penalized.'"