The movement to the cloud means access to data anywhere, enhanced data recovery, flexibility for collaboration, and less of a burden on IT staff. But, while cloud providers boast that their storage services — or “buckets” — offer added application security, they have also consistently proven vulnerable.
A bucket is a virtual storage unit provided and partly maintained by a cloud services provider. Much like a file folder on your computer, buckets store data in place of on-location IT infrastructure. As cloud computing has become increasingly popular, bucket breaches have exposed millions of records to the public Internet. The good news: most cloud bucket vulnerabilities are due to misconfiguration and are manageable with appropriate attention to detail.
Since 2004, there have been 11,000 US data breaches. Organizations affected include Verizon, Accenture, Home Depot, Yahoo, Capital One, LinkedIn, and the Pentagon. These breaches left contact information, account passwords, credit card numbers, private photos, and more exposed.
While buckets are private-by-default, plenty of buckets are for public use and reconfigured for that purpose. But in the process of adjusting the bucket’s configurations comes the greatest risk to your cloud security. Enumeration of different cloud services has frequently found buckets granting read-only or full admin privileges to general platform users or anyone online. Missing just one security checkbox for your organization’s cloud can open the door to any bad actor.
Also Read: Top Vulnerability Scanning Tools
Gartner reports that by 2024, more than 45% of IT spending on infrastructure, application software, and business process outsourcing will shift from traditional solutions to the cloud.
This increasing investment and reliance on cloud technology means that targeting misconfiguration for users isn’t going away. Through a shared responsibility model, cloud providers are only responsible for the security of their cloud infrastructure—everything you put into the cloud is your responsibility.
Cloud vendors have been criticized for not emphasizing the risk of misconfiguration and cloud bucket vulnerability, but the primary culprit continues to be user error. Gartner also predicts through 2025, 90% of organizations that fail to control public cloud use will inappropriately share sensitive data, and 99% of cloud security failures will be the customer’s fault. No matter the provider, misconfiguration is frequently rooted in identity access management (IAM).
Also Read: What is Cloud Access Security Broker (CASB)?
In 2020, three cloud providers made up 57% of the cloud market share:
- Amazon Web Services (AWS) Simple Storage Service or S3
- Microsoft Azure’s Blob Storage
- Cloud Storage for Google Cloud Platform (GCP)
Whether you currently use one of these industry staples or are looking at the transition to cloud computing, recognizing vulnerabilities to your cloud bucket security and the action steps needed to resolve them is invaluable.
Amazon Web Services (AWS)
Since 2006, Amazon Web Services (AWS) has been the leading provider of cloud computing services. Common misconfigurations for S3 buckets include adding sensitive data to an incorrect bucket or a public bucket or incorrectly setting bucket and object permissions. AWS has been criticized for its “any authenticated AWS users” access option and inconsistent access control list (ACL) and bucket policies.
Like other cloud vendors, AWS S3 buckets can be readily available online for users and potential bad actors. In the last year, vpnMentor’s research team has uncovered multiple data leaks from AWS S3 buckets. For UK-based CHS Consulting, they found passport scans, tax documents, background checks, job applications, and salary details. For Canada-based Data Deposit Box, 270,000 private files including personally identifiable information (PII) like login credentials, IP addresses, email addresses, and data descriptions were exposed.
Solutions offered by AWS include monitoring your S3 buckets using AWS Config, building your S3 monitoring solution with AWS CloudTrail or Lamda, command-line testing with S3 Inspector, AWS IAM, and the AWS Trusted Advisor tool. AWS offers several considerations for preventative security practices for S3 buckets.
In 2020, Microsoft Azure celebrated its tenth anniversary since joining the cloud environment marketplace. Common vulnerabilities for Azure blobs involve misconfigurations with role-based control access (RBAC) and multi-factor authentication (MFA), encryption for data at rest, activity logs, network security groups (NSGs) with overly permissive rules, and unintentionally exposing resources to the public.
In 2019, misconfigured blobs exposed 250 million records to the public for 25 days before Microsoft resolved the misconfiguration to restrict the database and prevent unauthorized access. Earlier in the same year, unsecured blobs for the UK-based Tesco parking app potentially exposed millions of time-stamped number plate images across 19 Tesco car parks.
Azure is highly configurable by design leaving room for user error. Microsoft notes, “Misconfigurations are unfortunately a common error across the industry… As we’ve learned, it is good to periodically review your configurations and ensure you are taking advantage of all protections available.”
Microsoft offers several security recommendations for Azure regarding data protection, IAM, networking, logging, and monitoring. Azure Active Directory (Azure AD) also offers added security and ease of use for blob authorization.
Google Cloud Platform (GCP)
The Google Cloud Platform (GCP) was founded in 2008 and has since seen Azure surpass their market position. GCP is vulnerable to mistakenly granting ‘allUsers’ or ‘allAuthenticatedUsers’ access to their bucket, exposing data to anyone online or Google users. Like AWS, moving objects between buckets or placing buckets under bucket folders with different configurations could put your private data in a publicly available bucket.
In an enumeration of Google Cloud buckets in 2020, the CompariTech cybersecurity research team found 131 (~6%) of 2,064 buckets were vulnerable due to misconfiguration. The more than 6,000 documents uncovered included passports, birth certificates, and personal profiles. In 2019, One GCP breach of 1.2 billion records exposed a mass database of social media profiles, 50 million unique phone numbers, and 622 million unique email addresses.
To mitigate the risk of a breach, secure your organization’s IAM permissions and policy, utilize GCP virtual private cloud (VPC) service controls, and encrypt your storage objects. GCP offers various recommendations for security considerations relating to transport layer security, local file storage, access control lists, proxy usage, encryption at rest, data privacy, and measurement data.
When managing your cloud infrastructure, relying solely on security pre-configurations or ignoring your bucket for lengths of time can be a recipe for disaster. If you are storing sensitive data in the cloud, additional steps to protect your network security are essential. An evolving cloud ecosystem requires IT professionals to actively follow trends and take action to preserve your organization’s cloud bucket security.