When we think of the public cloud, we immediately think of Amazon Web Services. The American giant is the undisputed leader, with a 39% market share in the third quarter of 2019. This dominance attracts attackers, and in many cases they get their hands on large amounts of poorly secured data. Various measures need to be put in place to reduce these risks.
The more companies integrate the cloud into their information systems, the more it becomes a preferred attack vector. "By 2022, 95% of security vulnerabilities in the cloud will be attributable to customers," warns Gartner.
Hosting security issues
The issue of cloud security rests on two observations. Firstly, there is a shortage of talent. Workloads are migrating to the cloud, but the difficulty remains the same: companies are struggling to recruit qualified profiles for their SOCs (Security Operations Centers), incident response and forensic analysis. Whether the IT environment is on-premise or in the cloud, the situation is identical: there is a real skills gap.
The logical consequence of this first observation is that organizations are doing a poor job of securing data in the cloud. And yet, for many companies, public cloud security is synonymous with protecting the data held in the S3 storage buckets of Amazon Web Services, the undisputed leader.
Amazon Web Services publishes numerous guides and training sessions to improve the confidentiality of data hosted in its datacenters. Clearly, however, not everyone is taking advantage of them to build their expertise. Their reasons may well be legitimate, but it has to be said that S3 security is still too often taken lightly.
Security settings
In 2018, Italian cybersecurity researchers identified some 240,000 S3 buckets. The results were unflattering for businesses: around 14% (some 34,000) were publicly exposing their contents. Since then, Amazon has tightened its default security settings, which has probably significantly reduced the unintentional exposure of bucket contents.
But that is not enough. We recommend applying a few basic rules and avoiding configuration errors. Within AWS, one of the main causes of exposure is the misconfiguration of S3 buckets. In general, this is because bucket permissions are mistakenly set too loosely, allowing, in the worst case, the contents of a bucket to be accidentally exposed to unauthorized parties or to the whole of the Internet.
The first rule is to adopt a holistic mindset that evaluates not only the permissions on S3 buckets, but also their data security policies in general.
Configure access
By default, a newly created S3 bucket is private; permissions must be created to explicitly allow access. The best practice is to leave these defaults untouched unless you deliberately want a public bucket. In that case, be aware that even if you limit public permissions to read-only, you are exposing your organization's data to more risk than necessary.
If you need to grant access to a bucket, use access control lists to grant permissions to groups or individual users (via their ID) at the bucket or object level. This is nothing less than applying the principle of least privilege and ensuring strict segmentation.
Encryption, and more encryption
"Default encryption" is applied automatically if an uploaded file does not explicitly specify encryption. A bucket can also be configured to reject the transfer or download of unencrypted files. Note that there are three types of server-side encryption for S3 objects. Of these, SSE-KMS is the recommended method, with Amazon Key Management Service (KMS) keys adding an extra layer of security.
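As an added example (not code from the original article or from AWS), a small Python audit that checks a bucket's configuration for the access and encryption problems discussed in the two sections above, and generates the bucket policy that rejects non-SSE-KMS uploads and non-TLS transfers. The bucket name and sample configuration are constructed; the input dict shapes follow what the AWS CLI / boto3 return for get-public-access-block, get-bucket-acl and get-bucket-encryption.

```python
"""Offline audit of an S3 bucket configuration for the misconfigurations covered
above, plus a bucket policy that enforces SSE-KMS uploads and TLS-only access.
Input dicts mirror the JSON the AWS CLI / boto3 return for get-public-access-block,
get-bucket-acl and get-bucket-encryption (no AWS call is made here)."""
# S3's predefined groups: a grant to either makes the bucket or object public.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(name, pab, acl, encryption):
    """Return a list of finding strings; an empty list means nothing to report."""
    findings = []
    flags = pab.get("PublicAccessBlockConfiguration", {})
    for flag in PAB_FLAGS:                      # all four flags should be True
        if not flags.get(flag, False):
            findings.append(f"{name}: public access block '{flag}' is off")
    for grant in acl.get("Grants", []):         # no ACL grant to a public group
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"{name}: ACL grants {grant['Permission']} to {grantee['URI']}")
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] for r in rules]
    if not algos:                               # default encryption must exist...
        findings.append(f"{name}: no default encryption configured")
    elif "aws:kms" not in algos:                # ...and use the recommended SSE-KMS
        findings.append(f"{name}: default encryption is {algos[0]}, not SSE-KMS")
    return findings

def encryption_policy(name):
    """Bucket policy: deny uploads that do not use SSE-KMS and deny any non-TLS request."""
    arn = f"arn:aws:s3:::{name}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# Constructed sample: one public-access flag off, a public-read ACL grant, and
# SSE-S3 (AES256) instead of SSE-KMS as the default encryption.
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                                 "BlockPublicPolicy": False, "RestrictPublicBuckets": True}}
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
                         {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    print("\n".join(audit_bucket("example-bucket", SAMPLE_PAB, SAMPLE_ACL, SAMPLE_ENC)))
```

Running the module against the constructed sample reports three findings: the disabled BlockPublicPolicy flag, the AllUsers READ grant, and the AES256 default instead of SSE-KMS.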
Automate monitoring
Often understaffed, corporate security teams cannot keep watch over an IT perimeter that keeps growing with the spread of telecommuting and the cloud. It is therefore essential to rely on solutions that automatically monitor the cloud, and S3 buckets in particular, and detect the slightest vulnerability.
Amazon offers CloudWatch, which can detect abnormal behavior in your environments, and other solutions can complement this service. Again, automation is not meant to encourage security teams to take a hands-off approach to cybersecurity; among other things, it frees them to concentrate on incident management and the analysis of weak signals.
Generally speaking, applying the zero-trust model to the cloud involves a number of best practices. Using a secure cloud access gateway is also highly recommended. Known as Cloud Access Security Brokers (CASBs), these gateways secure all data residing outside the company's perimeter and manage the movement of sensitive data without compromising the user experience.