In May of this year, it was reported that a misconfiguration in an Amazon S3 bucket allowed the Magecart cartel to compromise over 17,000 domains. This attack was but one example of many over the past few years. Although errors in the configuration of the relevant business logic settings allowed access to these repositories of information, the recent data leaks point to a larger problem: without the veneer of protection that AWS’ encryption at rest provides, these organizations’ data was almost completely exposed.
Cloud storage offers flexibility and scalability to enterprises, but also presents a series of security challenges. The accidental release of information is just one of the myriad risks organizations can face as they move away from on-premises data centers. Outsider attacks from cyber criminals are another. Malicious insiders – whether working as actual employees or administering an organization’s cloud storage – potentially represent the most dangerous threat.
Accidents are bound to happen. A dedicated attacker with sufficient resources will always be able to breach any network, and trusted individuals can wreak havoc on an organization. Faced with these realities, enterprises need to do more to protect themselves against these eventualities by using a failsafe measure. As companies “race to the cloud,” they should ensure they use the gold standard of data protection to safeguard their critical information stored there: end-to-end encryption.
Leaky Buckets In The Cloud
Information stored in plaintext format – almost all enterprise data – is extremely vulnerable to both theft and accidental loss. One recent estimate suggests that over 95% of the 7 billion records breached since 2014 were not encrypted at all, and a string of accidental exposures of corporate information in AWS “buckets” indicates that this lack of effective encryption remains the norm. The following recent events highlight the broken status quo:
- At the end of November 2018, the Marriott breach revealed that more than 5 million unencrypted passport numbers, were stolen.
- At the end of May 2017, a cybersecurity research company found that a major government contractor had accidentally made sensitive data publicly accessible, including unencrypted employee passwords.
- In mid-June, the same researchers discovered approximately 198 million records of American voters – including information such as their phone numbers and home addresses – stored in a publicly viewable format.
- The following month, another security expert found that a database of three million World Wrestling Entertainment customers – which included their educational levels, addresses, and incomes – was exposed for the whole world to see.
- In July, Verizon confirmed that one of its partners had made a similar mistake with the call records and other details of six million of it customers.
- In yet another potential leak due to a configuration error, Dow Jones announced later in the month that at least two million of its customers’ identification numbers and physical addresses were viewable to anyone with access to the AWS environment.
Encryption at Rest: Better Than Nothing, But Not Nearly Enough
Encrypting at rest the data exposed in these episodes might have safeguarded the underlying information; accidentally exposing encrypted records to the internet would not have been nearly as damaging as making them available in legible form. Unfortunately, encrypting information at rest when the requisite decryption keys are stored nearby can create a false sense of security. As evidenced by the aforementioned incidents, cloud providers can essentially turn such encryption on and off with the figurative “flip of a switch.”
In addition to making accidental data exposure easier, encryption at rest as implemented by most providers does not completely protect against hackers. The AWS cloud uses the common 256-bit Advanced Encryption Standard (AES-256), which is essentially unbreakable by publicly known methods. Thus the risk of hackers cracking modern encryption algorithms is not the primary threat to enterprises. Lost or stolen keys to the underlying data, however, are a different story.
In most cases, trusting a service provider (or even a systems administrator working for your company) to protect your information by encrypting it at rest is akin to letting someone use his own lock and key to secure a vault holding your valuables. Approximately 37% of enterprises do exactly this, giving cloud providers complete control over encryption keys to their data, according to an early 2017 study. In this model, you rely on the integrity and competence of this third party to defend against both outsider and insider threats. If your provider loses track of the keys or someone steals them, your data is vulnerable.
While major technology companies might seem to be good stewards of these keys, with nearly impenetrable cyber defenses, this is unfortunately not the case. Hackers made off with the account details for over 60 million Dropbox users in 2012. Attackers managed to steal account information for more than one billion Yahoo users in 2013. AWS proudly offers centralized encryption key stores, which themselves offer single points of attack for hackers. Such a repository would be a gold mine for malicious actors, as breaching it could help unlock the entirety of a company’s data.
Centrally administering encryption keys within organizations is no better. A 2016 report found that an incredible 54% of information technology security professionals admitted to not knowing where all of their encryption keys and certificates are located, who owns them, or how they are used. With the recent spate of accidental data exposures, it is quite easy to imagine employees accidentally losing track of the keys required to unlock information, along with the information itself. Furthermore, even major companies like Microsoft have provided administrator accounts – which often manage encryption keys – blank passwords by default. A hijacked administrator with access to a centralized key repository could easily unlock massive amounts of corporate data.
The Way Forward: Easily Implemented End-To-End Encryption
The solution to these problems is end-to-end encryption. This security technique encrypts information at the start of its journey and only deciphers it upon arrival at the device of an authorized recipient, never at any intermediate point such as a cloud storage provider. Furthermore, properly implemented solutions should only maintain encryption keys locally on user devices; not centrally consolidate them with a cloud provider or inside an organization. Using these best practices can prevent embarrassing accidental leaks of plaintext corporate data while also defending against hackers trying to exploit a central point of attack.
The risks of failing to secure an organization’s data are immense, but there is good news: properly encrypting corporate information can save $385,000 per breach, according to a recent study. What’s more, a new generation of secure, easy-to-use, and competitively priced end-to-end encrypted solutions is now coming to market. These cheap and effective tools can help organizations secure their sensitive data – and that of their customers – while still providing easy access to appropriate stakeholders through innovative security features. Leaders of all organizations moving to the cloud would be wise to implement them now.