What’s the Matter with S3?

Public cloud breaches are becoming more frequent. Can anything be done?

By Adam Conway

Another week, another story about how data stored in the public cloud has been stolen or left unprotected. This week it was the account PINs of 6 million Verizon customers. Last week it was 198 million American voter records—99% of the enrolled populace—found to be publicly accessible on an Amazon S3 server. The week before that, 60 thousand government files—28GB of Department of Defense data—sat unencrypted and unsecured on another S3 server. This is a big deal.

It’s not only the quantity of data, but it’s also what it includes. In the case of the former, nearly a dozen passwords granting Top Secret clearance, along with login and security credentials, were lifted. For the latter, birth dates, home addresses, phone numbers, and predictive preference data used to track hot button issues like abortion, gun ownership, and religious affiliation were compromised. The next loss is not a matter of if, but of when.

The Cloud Should be Handled with Care

There’s no doubt what a boon the cloud has been to enterprise and government. Previously, developing and deploying applications was a long and complex process. Today, enterprises can move with much more velocity by leveraging the self-service infrastructures set up through Amazon, Google, Microsoft, and others. With self-service, we get better agility but assume higher the risk.

This is not to say the cloud itself is insecure, in fact, is quite the opposite, rather, the security practices of enterprises have not adjusted to the nature of the cloud. In the cloud the security perimeter is at the resource (e.g. object, server or disk) rather than at the network gateway – This means that every piece of data, server, and service needs to be separately secured and controlled. This leaves lots of room for error or even worse malicious insiders. All it takes is a quick skim of the headlines for one to wonder how the enterprise will contend with the promise of the cloud and the near surety of compromised data.

Control Without Compromise
With these S3 breaches there are a series of good solutions – most notably is a strong “separation of control” process. This means that a developer that has rights to store data use and manage the data, does not have the rights to set the security level for that data. In addition, most organizations that use S3 also utilize encryption, policy and network controls to further secure the data.

However, piecing together these solutions adds significant operational overhead to manage accounts, write IAM policies and find vendors to add each security level amount of overhead to the process, with security sometimes taking precedence over the application itself.

Let’s Get Technical
There are technologies today to address these needs while enforcing separation of duties. The best start with a core principle: isolate all data in the cloud—from providers, from other tenants, from bad actors. This is best accomplished not by relying solely on a provider’s security or even encrypting data at rest, but by encrypting S3 traffic in route prior to transmission but also transparently to the user. The result? Even if data resides in a container labeled “public,” it is rendered unintelligible to any viewer without the appropriate keys. Since S3 is data-at-rest transmitted over an IP network both network and data controls need to be in place

Second, ensure the separation of duties between IT and developers. The latter should be able to work unencumbered by security processes, while the former exists to provide a single set of security policies across all deployments. The ideal solution is transparently elegant

Last, make sure it cannot be turned off or bypassed. Today’s best solutions prevent even those with root access from disabling safeguards, ensuring security always remains in place.

Getting Back to Business
Enterprises have always had to contend with managing their own security; this was easier and afforded more control when data was stored on-premise. Now, they must continue to provide security, only in much more complicated and demanding circumstances. This is not conducive to the aims of most businesses, nor is it likely to become part of an organization’s mission statement (“We endeavor to secure our users’ data while selling them an exclusive travel experience,” etc.). But that doesn’t mean the cloud can’t be used effectively.

The ready solution to human error and malicious activities requires turning security—all of it—over to IT or operations, where it belongs. It simplifies and speeds the task at hand, it enforces separation of duties, and it secures data regardless of location or service provider.

Now, can we all get back to work?

About the Author
As Bracket’s VP of Product Management, Adam Conway brings extensive experience across Enterprise Security, Networking, Mobility, and Cloud. A veteran of Aerohive Networks, where he served from foundation through IPO as VP of Product Management, he defined the initial controller-less wireless LAN product offering, helped bring the company to the cloud, and oversaw product roadmap and vision through myriad product iterations.
Prior to Aerohive, Adam managed the low- and mid-range firewall offerings at Netscreen and remained at Juniper through the acquisition to grow that business threefold in three years. Adam started his career at Cisco Systems as an engineer in both the secure routers and IP Telephony divisions. Adam holds an MSE from Stanford and a BSME from Santa Clara University with a minor in Fine Art.