by Chris DeRamus, CTO, DivvyCloud
In 2018, misconfigured AWS S3 servers accounted for multiple data breaches across a wide span of industries from companies including Voxox, Pocket iNet, Arik Air, and the Tea Party PAC. In 2019, organizations continue to suffer breaches of millions of records, due mostly to misconfigured Elasticsearch servers. Voipo lost 6.7 million documents containing call log information, 24 million banking and mortgage documents from Ascension were compromised, a Dow Jones list of 2.4 million high profile individuals was left publicly accessible, and Gearbest exposed over 1.5 million customers’ personally identifiable information. These are just a small handful of companies that have suffered significant losses from misconfigurations in the last few months alone.
The repercussions of data breaches are immense. While the majority of recently misconfigured Elasticsearch servers have been discovered by white hat security researchers, servers that are exposed for excessive periods of time can easily be found and exploited by cyber thieves as well. Suffering a data breach, whether discovered by an ethical or malicious hacker can result in the loss of user trust, damage to the company’s brand reputation, lawsuits or fines levied against the company from data privacy regulations, decreased stock price, or even lower revenue.
With such potentially devastating consequences, one may wonder why so many companies continue to allow misconfigurations and resulting data breaches to occur. A few primary factors contribute to misconfigurations being so rampant.
First, enterprise cloud migration has been led by developers and engineers, not corporate IT teams. These developers and engineers, eager to take advantage of the speed and flexibility the cloud offers, can unknowingly put their company’s data at risk as they either have not been taught proper security hygiene, or they bypass the appropriate protocols in the name of speed and innovation. Today, 3,000 people are actively deploying applications and making engineering changes to infrastructure and are pushing production deployments on an hourly basis. These continuous integration and deployment approaches lead to massive infrastructure, mixed with a large number of users, and changes happening all at once. This, in turn, leads to loss of control and a self-service bypass that avoids the lessons learned from IT in the traditional data centers.
Second, most companies still rely on manual configurations by people, and humans by nature, are prone to error. The rate of change and the dynamic nature of software-defined infrastructure has outstripped human capacity; and enterprises need to be able to deal with faults in real-time. If companies get a list of a thousand problems, even with 100 people tasked with resolving them, problems either disappear, move, or are replaced with even more significant issues. Enterprises need to be able to deal with faults in real-time.
Lastly, it is very challenging for IT professionals, developers, and engineers to configure these powerful services in a way that mitigates security and compliance risk. Many IT leaders and professionals make the mistake of approaching security in the cloud the same way they approached security in a traditional data center. Migration to the cloud has led to an explosion in resources yet the number of people managing the security of those resources hasn’t increased.
To overcome these challenges and prevent misconfigurations and resulting data breaches, companies must enforce a full cultural shift in their IT departments and adopt security automation. Automated cloud security solutions give organizations the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, or even trigger automated remediation in real-time. Automation also grants enterprises the ability to enforce policy, provide governance, impose compliance, and provide a framework for the processes everyone in the organization should follow — all on a continuous, consistent basis. As part of the adoption of automated security, organizations must change the culture of their IT departments. Developers and engineers will need to learn to build and deploy applications within the guardrails the company has provided. It’s also important to keep in mind that these misconfigurations are fairly simply problems with potentially disastrous consequences. For example, a developer may have tweaked the configuration of a resource, leaving it open to the public, and as the application began working again, moved on to another project. Now they have an exposed Elasticsearch server. It may not have even been the developer’s fault, as someone else may have altered the configurations at a later date for any number of reasons. The point is, so many organizations are made vulnerable because a lot of them don’t have processes that prevent insecure software deployments. The right automated solution will ensure the end of the “wild, wild west” DevOps culture that has resulted in so many misconfigurations and other security risks. This will allow companies to maintain the integrity of their technology stack, apply the policies necessary to continue business operations, and enabled developers to remain agile and innovative, without compromising security.
Automated cloud security solutions are able to detect misconfigurations that Voipo, Ascension, Gearbest, and Dow Jones have all suffered. Proactive detection and remediation of these vulnerabilities likely would have saved these companies from significant financial costs and damaged brand reputation resulting from their data leaks. These solutions are essential to enforcing security policies and maintaining compliance across the large-scale hybrid cloud infrastructures these organizations boast.
About the Author
Chris is the co-founder and CTO of DivvyCloud where he leads the engineering teams while driving new innovation. Chris is a technical pioneer whose passion is finding innovative and elegant new ways to deliver security, compliance, and governance to customers running at scale in hybrid cloud environments. He keeps his hands dirty and spends much of his time writing code and diving deeply into the latest technologies and services being deployed by partners like Amazon, Microsoft, Google, VMware, and OpenStack.
Before co-founding DivvyCloud, Chris was the Online Operations Manager at Electronic Arts for the Mythic Studio where he helped design, build and operate large scale cloud infrastructure spanning public and private clouds to run Electronic Art’s largest online games (including Warhammer Online: Wrath of Heroes and Warhammer Online: Age of Reckoning). He started his career as a Network & System Administrator at the U.S. Department of Energy where he was mandated with a broad array of technical responsibilities including security and compliance.
Chris earned his Bachelor of Business Administration in Computer Information Systems from James Madison University.