In early August, a security researcher was following his regular routine for hunting down sensitive information published online when he discovered a file with the suspicious name of ‘verizon-sftp’. In the petabytes of data generated on the Internet each day, there are many nuggets of unsecured and highly confidential information that are published due to mistakes or weak security practices. Much of this data can be discovered without any hacking skills; it’s simply sitting there waiting to be found. In this case, the researcher was using a specialized search engine to find websites with open network ports for services associated with data hosting, such as File Transfer Protocol (FTP).
The researcher’s find turned out to be very significant: gigabytes of logs of customer support interactions, including names, cell phone numbers, and PIN codes of Verizon customers. The exposed server was managed by Israel-based NICE, a company that provides outsourced customer support for enterprises such as Verizon. Following proper protocol, the researcher privately notified both Verizon and NICE about the exposed server and gave them a chance to fix the situation before he went public. While there is no evidence that the data was ever used maliciously, it’s certainly possible that someone else could have discovered and surreptitiously downloaded it.
The Verizon incident highlights how the increased efficiencies of cloud architectures can also expose companies to significant risks. The ease of uploading data to the cloud makes it possible to accidentally publish data to a larger audience than intended.
In many cases, these security breaches begin with good intentions. Imagine a lone IT worker who is assigned a task to share a file with a person at another company. For the IT worker, a quick and easy solution is to use their personal AWS account and get the job done in 10 minutes instead of waiting a week for the security team to set up an official file transfer box. They can even skip setting up login credentials by making the file publicly accessible to anyone who knows the link. In the IT worker’s thinking, the solution is relatively low risk because file access can be removed immediately afterward. The problem occurs when a worker forgets about the file or has some reason to leave it there indefinitely. The file might sit there for years until it's accidentally indexed by a search engine or discovered by someone searching for specific file types.
A dramatic example of the insecure cloud came to light recently due to an outsourcing contract by the Swedish government to IBM. The outsourcing agreement involved IBM taking over a transport ministry database that contained sensitive information about Swedish drivers, notably including the home addresses of thousands of drivers who were living with protected identities. This sensitive database had been uploaded to IBM’s cloud hosting and was managed by numerous people across multiple countries who had never received a proper security clearance. To make matters worse, the database was sent by unencrypted email to a list of marketing companies so it could be used in direct marketing campaigns to Swedish car owners. When discovered, this incident resulted in the firing of the Swedish transport minister.
There are lessons to learn from both the Verizon and Swedish transport ministry incidents. One point is that care should be taken when entering an outsourcing agreement that includes hosting in someone else’s cloud. Outsourced firms should be held to high security standards that are enforced through a combination of documented policies, audits, and financial penalties for security breaches.
Despite the risks, the use of cloud hosting won’t slow down and shouldn’t be discouraged. The cloud is a fantastic innovation that brings great benefits for organizational efficiency. The cloud can also greatly improve an organization’s security posture through the automation of backups, logging, auditing, software patches, code deployments, and much more.
Here are some basic security precautions that can be taken to protect against accidental or deliberate exposure of data in the cloud:
- Encrypt all sensitive data and create policies to only allow decryption under specific circumstances. This single security measure would have minimized the impact of both the Verizon and Swedish transport ministry data exposures.
- Provide cloud security training to anyone who has access to sensitive data. Make this a part of the process of onboarding new workers, both in-house and outsourced.
- Turn on the auditing capabilities that your cloud hosting provider offers, for example by configuring an alert that fires when files are shared publicly.
- Try to reduce barriers for workers to get their jobs done. There is a time and place to be agile and fast moving, and a time to be methodical and careful. If the official IT team has a reputation for being overly restrictive, it’s likely that someone will try to get around it by setting up their own cloud.