DATA DISCOVERY: DATA IS EVERYWHERE, KNOW AND PROTECT YOUR DATA
Digital evolution is driving net new challenges for data security. In this rapidly evolving digital world, data is not clearly defined, structured or secured. Today’s businesses continue to be agile and adapt new technologies, like cloud services, to meet the demands of customers. While collecting, storing and protecting data might look like standard operating procedures in legacy environments, businesses often overlook proper data safeguards in the new technology world, especially in the case of non-critical data.
When the organization sees you as its data protector, it is important to understand that any data is not transient, and it can be transformative. Data—big or small—may have less value unless you know how to use or act on it. In today’s world, new products can take pieces of data, transform it and create new actions and opportunities, both in good and bad ways.
NEW DATA LOSS VECTORS IN PUBLIC CLOUD – AWS S3 BUCKETS
In enterprise datacenters, generally provisioning and managing storage systems is a complex task. Public cloud offers a simple and easy way to store data with various storage service offerings. With the dissolution of traditional boundaries, as organizations move to the cloud and the volume of data continues to grow, it’s a daunting task to know where the data is and how to protect it. During the process of moving data from an on premise datacenter to cloud, or using cloud storage services to store new data, IT teams can overlook and be blindsided by cloud data loss vectors.
With easy cloud consumption models, IT teams may not ask themselves, “What are the adequate or appropriate data protection or data security controls?” One way to approach this cloud world is to first think precisely and clearly about how to protect the data, unlike the past era where the goal was to protect infrastructure. The recent Amazon S3 bucket misconfiguration incident has bought special attention to these type of data exposures in cloud, as it adds to a growing list of other AWS S3 bucket data exposure cases like Verizon, Pentagon, Republican National Committee, WWE, and FedEx.
HOW TO PROTECT DATA IN AWS S3 BUCKETS
The mindset of locking up data in infrastructure is gone. Data needs to be flowing to create value. So sensitive data is going to be everywhere. As organizations rely on easy cloud storage services, like S3 buckets of AWS, having the right solution to protect and prevent data loss is an important part of any cloud security strategy.
The list below outlines the most important steps to effectively operationalizing native AWS S3 security controls. Most important is having a centralized way to inventory existing S3 buckets with the ability to constantly scan and discover new buckets as they are created. Second in importance is the ability to create and enforce policies for those buckets.
- Inventory of public buckets
- Set appropriate ACL bucket permissions and policies
- Enable encryption
- Enable server access logging
- Enable object-level logging
Having a recommendation engine that looks for open buckets, and recommends appropriate controls or IAM permissions is basic first step.
Autonomous Way to Classify S3 Buckets and Data
Classifying S3 buckets and stored data based on sensitivity (personally identifiable information or intellectual property) and tracking data access needs and data flow can help bring visibility and reveal dependencies of these data sources. Amazon Web Services has a service called Macie that helps implement data-centric compliance and security analytics in Amazon S3 environments. You may want to consider integrating Amazon Macie with content fingerprinting if you want to organize and catalog data stored in S3 buckets.
Another way to protect data is to obfuscate the S3 bucket names and randomize the naming convention to make it harder to simply interpret the buckets and to which organizations they belong.
While in this post, I have specifically delved into AWS S3 buckets for simple storage service, many organizations operate in a true multi-cloud state and will embrace various public and private clouds. In this case, organizations should consider using a comprehensive solution as part of their data security strategy.
TRACK DATA FLOW AND TAKE ACTION
As a data protector, you have to know where the data is, who has access to it, and how to ensure the flow of the data is secure. This may be more of a business issue than a technical issue that needs to be addressed with proper governance and participation in combination with implementing the right technology solutions that prevent data leaks.Tags: AWS S3 Bucket, cybersecurity, data exposure, Public Cloud Security