Half of all companies using the Amazon Web Services (AWS) S3 cloud storage service suffered at least one data leak in 2017. In the majority of cases, it's not the security of this platform that's to blame. It's the lack of a corporate security policy that's the main reason!
Published in early 2018, a report by Crowd Research Partners (based on responses from 350,000 members of the information security community on LinkedIn) confirms that security remains the top concern for CIOs and IT managers.
Protection against data loss and breaches of confidentiality is the greatest concern, because these threats are real. According to a report published by RedLock in May 2018, almost a third of businesses had their accounts compromised in 2017 due to a lack of cloud security.
And the situation is even more worrying with Amazon Web Services. 51% of companies suffered a data leak last year. In most cases, the error is human and lies with the customer. For example, in the case of FedEx and Tesla, sensitive data stored on AWS S3 servers was not password-protected.
In the case of Accenture in October 2017, it was an error in configuring "buckets" on the S3 storage service that caused a data compromise (including credentials, encryption keys and customer information...). But the worst was revealed last November by security firm UpGuard: a Pentagon subcontractor had leaked 1.8 billion posts on S3!
These leaks should be more than enough to prompt professionals to put safeguards in place so that they do not become victims themselves. Of course, these measures are not limited to Amazon. But given the weight of this heavyweight in enterprise cloud activities, it's essential to focus on AWS S3.
Amazon has invested a great deal of time and money in AWS security and has implemented various measures. In August 2017, it launched its Macie service (for a fee), which uses machine learning to monitor data access and detect any anomalies.
But it's always possible that a security misconfiguration by an AWS customer or a sophisticated attack could create a vulnerability.
All these risks should prompt companies to deploy various processes to reinforce data security in AWS.
1# Control access to AWS
We can't stress this enough: the first measure concerns the workstation, and therefore the user. Companies need to raise awareness among their staff so that they acquire the right reflexes and drop bad habits (such as the post-it note with the AWS password stuck to the PC screen...).
At the same time, IT managers and CIOs need to reinforce access and profile controls: password management policies, partitioning of access by job role, data encryption... These are all "general" measures, but they are even more essential for cloud access, where ease of use and collaboration very often take precedence over confidentiality!
2# Be responsible
Leaving AWS security to Amazon is legally unreasonable. It's easy to forget the co-responsibility between the customer and its subcontractors. The GDPR is very explicit on this point: it's 50/50. In the case of the cloud, Amazon (like other platforms) relies on a shared responsibility model.
Amazon assumes full responsibility for the protection of its systems, including software configuration and physical computers, servers and connections. It is also responsible for detecting and blocking any intrusion or fraudulent access attempt.
But its customers are responsible for managing and configuring everything that happens inside AWS. This includes all the applications they run using the AWS Identity and Access Management (IAM) system, as well as password protection of data.
The customer organization is also responsible for protecting its own systems and connections. This includes in particular:
- Deployment and administration of security solutions such as multi-factor authentication;
- Regular software and operating system updates;
- The precise configuration of this security software;
- Traceability of all users' activities;
- Selection of data to be put into AWS or not.
3# Tracking dormant accounts
Some 450,000 accounts are still active even though their users have left... This study by Varonis shows that companies are not managing their access rights and users properly.
In the case of AWS or other cloud platforms, it is a priority to configure accounts to expire automatically after 90 days without any use.
An inactive account brings no benefit, but it does increase the number of vulnerabilities and opportunities to infiltrate a network or steal data.
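The 90-day rule above can be checked against the IAM credential report, which lists each user's last password sign-in and last access-key use. The following is an added example (not code from the original article or from AWS): it parses a constructed report in that format and flags users whose enabled credentials have all been idle for more than 90 days. In practice the CSV comes from IAM's `generate_credential_report` / `get_credential_report` calls; the users, account id and timestamps below are invented.

```python
"""Flag IAM users whose password and access keys have all been idle for
more than MAX_IDLE_DAYS, using the IAM credential report CSV layout."""
import csv
import io
from datetime import datetime, timezone

MAX_IDLE_DAYS = 90  # the expiry window recommended above

# Constructed sample report (only the columns this check needs are filled in).
# IAM uses "N/A", "no_information" or "not_supported" where no timestamp exists.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::111122223333:user/alice,2017-01-10T09:00:00+00:00,true,2018-05-20T08:12:00+00:00,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2017-02-01T09:00:00+00:00,true,2017-11-03T17:40:00+00:00,true,2017-12-15T12:00:00+00:00,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2016-06-01T09:00:00+00:00,false,not_supported,true,N/A,false,N/A
dave,arn:aws:iam::111122223333:user/dave,2018-05-25T09:00:00+00:00,true,no_information,false,N/A,false,N/A
"""
SAMPLE_NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)  # constructed "today"


def _parse_ts(value):
    """Return a datetime for an ISO-8601 field, or None for placeholder values."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def last_activity(row):
    """Most recent sign-in or key use; a never-used user ages from creation."""
    stamps = [t for t in map(_parse_ts, (row["password_last_used"],
                                         row["access_key_1_last_used_date"],
                                         row["access_key_2_last_used_date"])) if t]
    return max(stamps) if stamps else _parse_ts(row["user_creation_time"])


def find_dormant_users(report_csv, now, max_idle_days=MAX_IDLE_DAYS):
    """Return [(user, idle_days)] for users that still hold an enabled
    credential but show no activity within max_idle_days."""
    dormant = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":  # root is handled separately
            continue
        enabled = "true" in (row["password_enabled"], row["access_key_1_active"],
                             row["access_key_2_active"])
        if not enabled:
            continue
        idle_days = (now - last_activity(row)).days
        if idle_days > max_idle_days:
            dormant.append((row["user"], idle_days))
    return dormant


def check_sample():
    """Run the check over the constructed report; bob and carol are dormant."""
    return find_dormant_users(SAMPLE_REPORT, SAMPLE_NOW)
```

Users returned by this check are candidates for disabling their password and deactivating their keys, with the credential report re-run after each cleanup to confirm nothing active remains.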