Data breach, cloud and autochecks

Giuseppe Paternò
2 min read · Aug 2, 2019

You have probably heard of the latest data breach at Capital One and the fact that it was due to an incorrect permission set on an Amazon S3 bucket.

While everybody is pointing the finger at Amazon, unfortunately this is mostly due to people who are not paying the right attention to configuring things in a secure way. These are the same people who in early 2000 were leaving Apache configured with “+Indexes”, which leads to disclosing all the files on a web server.

While a mistake in a web server can go a little more unnoticed, the cloud amplifies everything. Mistakes such as the one made by Capital One are an easy target for malicious people. But I guess it is easier to blame someone else than to think securely in the first place.

At a premier global manufacturing company, we implemented multiple checks that reduce these risks. Every time an S3 bucket is created or modified, a CloudTrail event is fired and sent to our central logging system. If a bucket or an object is created as public, we fire an alert and check whether the bucket was pre-authorized to be public. We keep a whitelist of public buckets, so we immediately understand whether this was a mistake and trigger a remediation.
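To make the flow above concrete, here is a sketch of the decision step. It is an added example, not the tooling we deployed: the bucket names, the allowlist and the sample records are constructed, and the `requestParameters` layout (`x-amz-acl`, `AccessControlPolicy`, `bucketPolicy` as a nested object) is an assumption to verify against your own CloudTrail logs. A `remediate` result is where the alert and the remediation would be triggered.

```python
# Constructed allowlist of buckets pre-authorized to be public (assumption).
PUBLIC_ALLOWLIST = {"example-public-website"}
WATCHED = {"CreateBucket", "PutBucketAcl", "PutBucketPolicy", "PutObjectAcl"}
PUBLIC_CANNED = {"public-read", "public-read-write", "authenticated-read"}
PUBLIC_GROUPS = ("/global/AllUsers", "/global/AuthenticatedUsers")

def _strings(node):
    """Yield every string nested anywhere in a JSON-like structure."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from _strings(item)
    elif isinstance(node, str):
        yield node

def _policy_is_public(policy):
    """True if an Allow statement names a wildcard principal (Conditions ignored)."""
    stmts = policy.get("Statement", [])
    for stmt in stmts if isinstance(stmts, list) else [stmts]:
        if stmt.get("Effect") == "Allow" and "*" in _strings(stmt.get("Principal")):
            return True
    return False

def classify(event, allowlist=PUBLIC_ALLOWLIST):
    """Return 'ignore', 'allowed-public' or 'remediate' for one CloudTrail record."""
    if (event.get("eventSource") != "s3.amazonaws.com" or event.get("errorCode")
            or event.get("eventName") not in WATCHED):
        return "ignore"  # not a watched S3 call, or the call failed and changed nothing
    params = event.get("requestParameters") or {}
    acl = _strings([params.get("x-amz-acl"), params.get("AccessControlPolicy")])
    public = any(s in PUBLIC_CANNED or s.endswith(PUBLIC_GROUPS) for s in acl)
    policy = params.get("bucketPolicy")  # assumed to arrive as a nested object
    if not public and isinstance(policy, dict):
        public = _policy_is_public(policy)
    if not public:
        return "ignore"
    return "allowed-public" if params.get("bucketName") in allowlist else "remediate"

# Constructed sample records, trimmed to the fields the check reads.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "requestParameters":
        {"bucketName": "example-internal-reports", "x-amz-acl": ["public-read"]}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "requestParameters":
        {"bucketName": "example-public-website", "bucketPolicy": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}}},
]
if __name__ == "__main__":
    print([classify(ev) for ev in SAMPLE_EVENTS])
```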

We implemented a set of tools that are able to detect these kinds of configuration mistakes across all the clouds we have deployed.

Infrastructure is changing, and so is security. People still think that a firewall is protecting them, but we all know we have to do our best to ensure high security standards.

Giuseppe Paternò

Helping customers in building their cloud journey or their own cloud infrastructure. Principal Architect. More on: www.gpaterno.com