When news of the latest government data breach breaks, most will conjure up images of nefarious hackers exploiting networking vulnerabilities. For others, their thoughts may turn to agencies relying on aging IT systems that cannot withstand a legitimate fight against today’s cyberthreats.
However, there is a new breed of data breach developing, aimed at the cloud storage buckets offered by Amazon, Google, Microsoft and other cloud vendors. These compromises take place when organizations alter the rules that determine who has access to shares or documents, opening the door for unauthorized users to reach data stored in cloud services.
These “leaking buckets” of data are a widely overlooked security risk that goes unnoticed until disaster strikes. It is time to acknowledge that achieving a quick transition to the cloud can no longer be prioritized over security.
The Perfect Storm of Vulnerability
Most IT professionals are familiar with the basic cloud storage structure: All of an organization’s cloud data is housed in “buckets” that are used to organize information and control access. Buckets cannot nest under one another like in a traditional file storage structure, and each must be assigned a unique name.
By default, bucket contents are private; however, those settings are changed for a variety of legitimate reasons such as providing customer or third-party access to data. Bucket privacy settings are also sometimes overlooked or misunderstood by personnel unfamiliar with the cloud landscape — a risky oversight, considering buckets that are configured as public can be accessed by anyone who has the link.
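The "configured as public" case above is usually the result of an access policy that grants rights to anonymous principals. The following added example (not code from the article or from any cloud vendor) checks an S3-style bucket policy document for statements that allow access to everyone without a narrowing condition. The three policy documents are constructed for the example; the bucket name, account number and role name in them are placeholders.

```python
import json

# Constructed S3-style bucket policy granting anonymous read on every object:
# this is the "anyone with the link" configuration the article warns about.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*"
    }]
})

# Constructed policy limited to one IAM role (placeholder account id): not public.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ReportReader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*"
    }]
})

# Constructed policy with an anonymous principal but a source-IP condition:
# narrowed, so it is not reported as unconditional public access.
CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
    }]
})


def _is_anonymous(principal):
    """True when a statement's Principal element means 'anyone'.
    Both the bare string "*" and {"AWS": "*"} denote anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return any(v == "*" for v in values)
    return False


def public_statements(policy_json):
    """Return the Allow statements that reach anonymous principals and carry
    no Condition block. Each finding records the Sid, actions and resource."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be given as an object
        stmts = [stmts]
    findings = []
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        if not _is_anonymous(s.get("Principal")):
            continue
        if s.get("Condition"):
            # Conditions may still be weak and deserve review, but the grant
            # is not unconditional, so it is not flagged here.
            continue
        actions = s.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        findings.append({"sid": s.get("Sid"), "actions": actions,
                         "resource": s.get("Resource")})
    return findings


def is_public(policy_json):
    """True when at least one statement grants unconditional anonymous access."""
    return bool(public_statements(policy_json))


if __name__ == "__main__":
    for name, pol in (("PUBLIC_POLICY", PUBLIC_POLICY),
                      ("RESTRICTED_POLICY", RESTRICTED_POLICY),
                      ("CONDITIONED_POLICY", CONDITIONED_POLICY)):
        print(name, "PUBLIC" if is_public(pol) else "not public", public_statements(pol))
```

Run the checker over every bucket policy an account exposes and treat any non-empty result as a finding to review; a bucket whose policy passes can still be public through an ACL or a disabled "block public access" setting, so the policy check is one control among several.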
A staggering number of private- and public-sector breaches — including the U.S. Army, Pentagon and National Security Agency (NSA) — prove there is a fundamental disconnect between cloud security settings, bucket-identifier conventions and who is ultimately responsible for securing cloud data.
The crux of this cybersecurity epidemic lies in the fact that the cloud bucket namespace is global and publicly visible. When combined with misconfigured permissions and easily guessed identifiers, this creates a perfect storm of cloud data vulnerability.
Four Ways Agencies Can Secure Cloud Data
Implementing best practices for identifying data storage is key to keeping organizations off the radar of probing attackers. Security measures should also be in place to prevent access to cloud data storage through brute force or other attacks if discovered. Following are four foundational steps federal agencies should take to protect cloud data storage:
1. Add complexity: Make bucket names unguessable.
As with passwords, the longer and more complex bucket identifiers are, the better: Identifiers should be 64 alphanumeric characters or longer. Do not include the agency name, user IDs, email addresses, project names or other identifying information in identifiers.
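As an added example (not code from the article), the block below generates bucket identifiers from a cryptographically secure random source and checks a proposed name against the naming rule stated above: a minimum length and no agency, project, user or email tokens. The forbidden-token list is constructed for the example. One caveat for practitioners: several providers cap bucket-name length at 63 characters (Amazon S3 is one), so the target length and alphabet are parameters rather than fixed values.

```python
import math
import re
import secrets
import string

# Constructed, hypothetical tokens that identify the owner and must never
# appear in a bucket name: agency name, project codename, a user ID.
FORBIDDEN_TOKENS = ["acme-agency", "projectfalcon", "jdoe"]

# Loose email pattern; the rule is "no email addresses in identifiers".
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}", re.IGNORECASE)

# Lowercase letters and digits are accepted by every major provider.
DEFAULT_ALPHABET = string.ascii_lowercase + string.digits


def generate_bucket_name(length=64, alphabet=DEFAULT_ALPHABET):
    """Random identifier from a CSPRNG; nothing about the owner is encoded."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=DEFAULT_ALPHABET):
    """Bits of guessing entropy for a uniformly random name of this length."""
    return length * math.log2(len(alphabet))


def check_bucket_name(name, min_length=64, forbidden=FORBIDDEN_TOKENS):
    """Return a list of violations; an empty list means the name passes."""
    problems = []
    if len(name) < min_length:
        problems.append(f"too short: {len(name)} < {min_length}")
    lowered = name.lower()
    for token in forbidden:
        if token.lower() in lowered:
            problems.append(f"contains identifying token '{token}'")
    if EMAIL_RE.search(name):
        problems.append("contains an email address")
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]*", name or ""):
        problems.append("uses characters outside lowercase letters, digits, '.' and '-'")
    return problems


if __name__ == "__main__":
    bad = "acme-agency-projectfalcon-backups"
    print(bad, "->", check_bucket_name(bad))
    good = generate_bucket_name()
    print(good, "->", check_bucket_name(good), f"{entropy_bits(len(good)):.0f} bits")
```

A 64-character name over 36 symbols carries roughly 330 bits of entropy, far beyond anything a namespace-probing attacker can enumerate; the check function is the part worth wiring into a provisioning pipeline so that human-chosen names are rejected before a bucket is created.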
2. Use tarpitting: Slow down attackers.
Discovering an agency’s cloud data storage location does not automatically equal compromise — successful access is still required, and it often comes only after many successive failures. Tarpitting security technology, which makes the wait between attempts progressively longer with each failed attempt, can prove a significant deterrent for hackers looking to quickly scan and access data.
3. Limit password attempts: Block brute-force attacks.
Through brute-force attacks, intruders deploy software that does the work for them by generating a large number of consecutive guesses looking for an identifier until one works. Establishing maximum failed attempts is an easy way to deter these types of attacks. If the maximum number of failed attempts is exceeded, a temporary block of all activity from this attacker could be employed to further restrict access.
4. Stay informed: Alert security personnel of problems.
It is much more difficult for an agency to gauge its security stance or detect public cloud buckets when staff are unaware the organization is being targeted. Security software should be configured to alert security personnel of multiple failed password attempts so they can determine whether the issue is more than just a forgetful user. The scale of government enterprise cloud storage often results in sprawling bucket systems, and applying secure naming standards is just one of many challenges in organizing and managing cloud data.
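Steps 2, 3 and 4 describe one mechanism seen from three sides: delay each failed attempt, block the source after a maximum, and alert staff. The block below is an added example (not the article's or any product's code) that implements all three over a constructed sequence of access events; the exponential delay schedule, the thresholds and the sample source addresses are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed access events: (timestamp in seconds, source address, outcome).
# 198.51.100.7 fails repeatedly and then presents the right credentials;
# 192.0.2.20 looks like a user who mistyped once.
EVENTS = [
    (0.0, "198.51.100.7", "fail"),
    (1.0, "198.51.100.7", "fail"),
    (2.0, "198.51.100.7", "fail"),
    (3.0, "198.51.100.7", "fail"),
    (4.0, "198.51.100.7", "fail"),
    (5.0, "198.51.100.7", "fail"),
    (6.0, "198.51.100.7", "success"),
    (10.0, "192.0.2.20", "fail"),
    (11.0, "192.0.2.20", "success"),
]


class AccessGuard:
    """Tarpit, lockout and alerting for access attempts, tracked per source."""

    def __init__(self, base_delay=1.0, max_failures=5,
                 lockout_seconds=900, alert_threshold=3):
        self.base_delay = base_delay            # tarpit delay after the first failure
        self.max_failures = max_failures        # step 3: failures before a block
        self.lockout_seconds = lockout_seconds  # length of the temporary block
        self.alert_threshold = alert_threshold  # step 4: failures before alerting
        self.failures = defaultdict(int)        # consecutive failures per source
        self.locked_until = {}                  # source -> timestamp the block ends
        self.alerts = []                        # messages a SOC would receive

    def tarpit_delay(self, failures):
        """Step 2: the wait doubles with every consecutive failure
        (1s, 2s, 4s, 8s, ...). Exponential growth is an assumption here."""
        return 0.0 if failures == 0 else self.base_delay * 2 ** (failures - 1)

    def handle(self, ts, source, outcome):
        """Decide what to do with one attempt and return the decision."""
        if ts < self.locked_until.get(source, 0.0):
            # A blocked source is refused even if its credentials are right.
            return {"ts": ts, "source": source, "action": "blocked", "delay": 0.0}
        if outcome == "success":
            self.failures[source] = 0
            return {"ts": ts, "source": source, "action": "allowed", "delay": 0.0}
        self.failures[source] += 1
        n = self.failures[source]
        delay = self.tarpit_delay(n)
        action = "delayed"
        if n == self.alert_threshold:
            self.alerts.append(f"{source}: {n} consecutive failures at t={ts}")
        if n >= self.max_failures:
            self.locked_until[source] = ts + self.lockout_seconds
            self.alerts.append(f"{source}: locked out for {self.lockout_seconds}s at t={ts}")
            action = "locked"
        return {"ts": ts, "source": source, "action": action, "delay": delay}


def run(events, guard=None):
    """Feed events through a guard; return the decisions and the alerts raised."""
    guard = guard or AccessGuard()
    decisions = [guard.handle(*event) for event in events]
    return decisions, guard.alerts


if __name__ == "__main__":
    decisions, alerts = run(EVENTS)
    for d in decisions:
        print(f"t={d['ts']:>5} {d['source']:<14} {d['action']:<8} delay={d['delay']}s")
    print("alerts:", *alerts, sep="\n  ")
```

Two things the run shows that the prose only implies: the correct credentials presented at t=6 are still refused because the block is in force, which is why step 4's alert matters (a locked-out legitimate user needs a human to notice), and the single mistyped attempt from the second source costs only a one-second delay, so the tarpit barely affects normal users while the fifth failure from the first source already waits sixteen seconds.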
To ease the burden, states should consider turning to solutions providers structured to meet the unique needs of federal organizations, whose cloud applications already integrate the security industry’s strongest best practices. State cloud data — much of it entrusted to the government by the citizens it serves — requires the utmost privacy and security protections available; only then can agencies fully unlock the transformative benefits of cloud implementation.
Jayne Friedland Holland is the chief security officer at NIC Inc. (Nasdaq: EGOV), the nation’s premier provider of innovative digital government and secure payment processing solutions for more than 6,000 local, state and federal agencies across the United States. You may reach her at firstname.lastname@example.org. More information about NIC is available at www.egov.com.