Battling cloud breaches requires a new type of 'privilege'
Cornerstone Payments Systems recently suffered a data breach, potentially exposing 6.7 million payment records, as anyone with an internet connection had the ability to access this sensitive customer data.
In the payments industry, the ability to demonstrate proficiency in securing sensitive data is critical – and most processors will not be able to afford the reputational hit that comes with a public leak or breach.
To many people, what happened with Cornerstone Payment Systems may seem like an entirely avoidable breach of security, but the unfortunate reality is that breaches like this are now commonplace.
As enterprise infrastructures have become increasingly complex, exposed or misconfigured cloud databases have emerged as the leading cause of data leaks. These types of leaks have left thousands of gigabytes of sensitive data exposed in recent years. Whether it’s an ElasticSearch server, an Amazon S3 bucket, or another one of the thousands of resources in the cloud that can create opportunities for leakage, we’re seeing misconfigurations that expose sensitive data disclosed publicly on a weekly – if not daily – basis.
For the most part, these types of leaks do not occur because malicious actors are targeting the data in question: They happen because of simple but costly mistakes.
The most effective way to avoid these types of accidents is by implementing a Principle of Least Privilege policy. It is fundamental to the prevention at the first approach, and this approach is critical – especially for cloud infrastructure.
All cloud providers are touting this as the top priority, so much so that at the recent AWS re:Invent conference stated that it is one of the top priorities for all organizations. Companies that have turned to the cloud today don’t have the tools required to achieve and maintain the principle of least privilege across multiple, complex and vastly different cloud platforms. Organizations often think that legacy tools can help them, but it’s not the case.
We are not going to see an end to the proliferation of cloud resources across enterprise infrastructures any time soon, so the onus is on us to guard against unintended access to sensitive data. That starts with getting complete visibility into any identity – human or non-human – within your organizations that can touch your infrastructure and potentially expose data either accidently or with malicious intent.
Managing the permissions of those identities at the finest level of granularity is fundamental to mitigating these risks. That means going back to one of the basic principles of good security – continuous and automated enforcement of the Principle of Least Privilege across all cloud platforms.
It’s a task that cannot be done manually given the sprawl and complexity of cloud resources. Cloud infrastructures will continue to get more and more complex, and organizations will be susceptible to these types of leaks until they introduce automation into their strategies to better see and remediate cloud storage misconfigurations.