Time and again, one research outfit or another will "discover" a breach of sensitive information simply by looking for private data that has been left unsecured on the Amazon Web Services (AWS) public cloud.
Just yesterday, personal data on 1.8 million Chicago voters was exposed online, the latest in a string of similar incidents. In July, information on 6 million Verizon customers was publicly posted on a cloud server, and in June voter information from the Republican National Committee was exposed.
Amazon is nothing if not responsive to market demands, and this week announced a pair of efforts intended to help organizations stop leaving public data unsecured.
The AWS Config service now offers a pair of simple managed rules that organizations can enable to evaluate the access configuration of their S3 buckets. The rules do not block anything themselves; they continuously check each bucket and flag any bucket whose configuration allows public read or public write access, so a misconfiguration is surfaced rather than silently left in place.
The new rules are:
s3-bucket-public-write-prohibited – Automatically identifies buckets that allow global write access. There’s rarely a reason to create this configuration intentionally since it allows unauthorized users to add malicious content to buckets and to delete (by overwriting) existing content.
s3-bucket-public-read-prohibited – Automatically identifies buckets that allow global read access. This will flag content that is publicly available, including web sites and documentation.
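To make concrete what these two rules look for, here is an added example (not AWS's own rule code, and not part of the original article) that performs the same evaluation locally: it inspects a bucket ACL and bucket policy in the JSON shapes returned by `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`, and reports which of the two rules the bucket would fail. The bucket name, owner ID and sample ACLs and policies are constructed for illustration; the handling of statements carrying a Condition (reported for review rather than counted as public) is this example's simplification, not necessarily how the managed rules decide.

```python
"""Local check mirroring the two S3 public-access Config rules named in the article.

Added example; it is not AWS's implementation of the rules. Sample data is constructed.
"""
import json

# Predefined S3 groups whose grants make a bucket world-accessible.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account at all
}
# ACL permissions that imply public read / public write.
READ_ACL_PERMS = {"READ", "FULL_CONTROL"}
WRITE_ACL_PERMS = {"WRITE", "FULL_CONTROL"}
# Bucket-policy actions (lower-cased) that imply public read / public write.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:put*", "s3:delete*", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def evaluate_bucket(acl, policy=None):
    """Return public_read / public_write flags plus human-readable findings."""
    public_read = public_write = False
    findings = []

    # 1. Bucket ACL: any READ/WRITE/FULL_CONTROL grant to a public group.
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue
        perm = grant.get("Permission")
        group = grantee["URI"].rsplit("/", 1)[-1]
        if perm in READ_ACL_PERMS or perm in WRITE_ACL_PERMS:
            findings.append(f"ACL grants {perm} to {group}")
        public_read = public_read or perm in READ_ACL_PERMS
        public_write = public_write or perm in WRITE_ACL_PERMS

    # 2. Bucket policy: Allow statements with an anonymous principal.
    for i, stmt in enumerate(_as_list((policy or {}).get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Condition"):
            # A Condition (e.g. aws:SourceIp) may narrow "*" to a closed set of callers.
            # Deciding whether it really does is beyond this example, so report it for review.
            findings.append(f"policy statement {i} allows Principal * under a Condition; review manually")
            continue
        if actions & READ_ACTIONS:
            public_read = True
            findings.append(f"policy statement {i} allows public read: {sorted(actions)}")
        if actions & WRITE_ACTIONS:
            public_write = True
            findings.append(f"policy statement {i} allows public write: {sorted(actions)}")

    return {"public_read": public_read, "public_write": public_write, "findings": findings}


def violated_rules(result):
    """Map an evaluation result onto the two Config rule names from the article."""
    rules = []
    if result["public_read"]:
        rules.append("s3-bucket-public-read-prohibited")
    if result["public_write"]:
        rules.append("s3-bucket-public-write-prohibited")
    return rules


# Constructed sample data (owner ID, bucket name and policies are made up).
OWNER = {"ID": "a1b2c3d4e5f6", "DisplayName": "example-owner"}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}]}
WORLD_READ_ACL = {"Owner": OWNER, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
# get-bucket-policy returns the policy document as a JSON string, hence json.dumps here.
WORLD_WRITE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
IP_RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})


def check_samples():
    """Evaluate every constructed sample; returns name -> evaluation result."""
    return {
        "private": evaluate_bucket(PRIVATE_ACL),
        "world_read_acl": evaluate_bucket(WORLD_READ_ACL),
        "world_write_policy": evaluate_bucket(PRIVATE_ACL, json.loads(WORLD_WRITE_POLICY)),
        "ip_restricted_policy": evaluate_bucket(PRIVATE_ACL, json.loads(IP_RESTRICTED_POLICY)),
    }


if __name__ == "__main__":
    for name, result in check_samples().items():
        print(f"{name}: {violated_rules(result) or ['COMPLIANT']} {result['findings']}")
```

Note that, as in the real rules, this is detection only: a non-compliant result tells you a bucket is world-readable or world-writable, and someone still has to remove the grant or policy statement. The `AuthenticatedUsers` group is treated as public deliberately, since any AWS account holder anywhere qualifies.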
In addition to the Config rules, which a human still has to enable and then act on when a bucket is flagged, Amazon also introduced Amazon Macie, a service that uses machine learning to automatically discover and classify sensitive content in data stored in S3.
"Amazon Macie is a service powered by machine learning that can automatically discover and classify your data stored in Amazon S3," Tara Walker, technical evangelist at AWS, wrote in a blog post. "But Macie doesn’t stop there. Once your data has been classified by Macie, it assigns each data item a business value, and then continuously monitors the data in order to detect any suspicious activity based upon access patterns."
With Macie and the Config rules announced this week, Amazon has made it significantly easier to avoid unintentionally leaving personally identifiable information exposed on the public cloud.
There will certainly still be so-called "breaches" in which security vendors and researchers find exposed information, but Amazon's efforts this week should mean there are fewer such instances than ever before.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.