A few days ago, UpGuard published another report on the discovery of unsecured Facebook user data in Amazon Web Services S3 buckets. We’ve been talking about the problem of misconfigurations in the cloud, and this is another pointed reminder of it.
In UpGuard’s report, they cite two separate exposures. The first was reportedly by a Mexican media company, Cultura Colectiva, which had approximately 540 million records sitting in an unsecured S3 bucket. The second involved as many as 22,000 user passwords tied to what appears to be a now-defunct application company or developer referred to as “At the Pool.”
This announcement reinforces some takeaways we’ve hit on recently in separate blog posts and in our Naked Data white paper.
- Accidents and misconfigurations in the cloud that expose data or applications to potential exploitation will continue to be a problem. We refer to this as “Accidental Cyber Risk,” and the problem is as big as or bigger than traditional “Intentional Cyber Risk,” such as a threat actor targeting your environment.
- Third-party risk management is critical, especially since even your customers can present risk to your organization by exposing your data. Given the examples here, the problem is by no means close to solved.
- Companies that collect, analyze and redistribute customer, healthcare, cardholder and other data sets through partners, affiliates, subsidiaries and even customers now have to consider that their risk of data exposure carries over into each and every one of those organizations.
Though it’s important not to overreact, it’s increasingly clear that organizations need to consider how Cloud Security Posture Management (CSPM) tools can protect against mistakes, whether honest or negligent, made by their own teams or by the companies they work with.
At Armor, we see CSPM tools becoming “table stakes” for secure and compliant deployment in the cloud. These tools continuously assess your environment and assets against security and compliance policy, identifying and remediating “drift” from established policy and risk safeguards, such as a storage bucket that was private when provisioned and has since been opened to the public.
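To make the “assess against policy” step concrete for the misconfiguration behind both exposures, here is an added example of a single CSPM-style rule: it checks whether an S3 bucket is reachable by the public through its ACL or its bucket policy, and whether S3 Block Public Access is fully enabled. This is illustrative code written for this post, not Armor’s product or UpGuard’s tooling. The input records are constructed inline with hypothetical bucket names and are assumed to mirror the shapes boto3 returns from get_bucket_acl, get_bucket_policy and get_public_access_block; a real tool would pull those per bucket on a schedule.

```python
"""
Added example (not Armor's or UpGuard's code): a minimal CSPM-style rule that
flags S3 buckets exposed to the public. Input records are constructed inline
and assumed to mirror the shapes boto3 returns from get_bucket_acl,
get_bucket_policy and get_public_access_block.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl):
    """Permissions the bucket ACL grants to AllUsers or AuthenticatedUsers."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (also "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """Sids of unconditional Allow statements open to any principal."""
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be a bare object
        stmts = [stmts]
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow"
            and _principal_is_public(s.get("Principal"))
            and not s.get("Condition")]  # conditions may scope access; review those separately


def assess_bucket(bucket):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    pab = bucket.get("PublicAccessBlock", {})
    if not all(pab.get(k) is True for k in PAB_SETTINGS):
        findings.append("public access block not fully enabled")
    grants = acl_public_grants(bucket.get("Acl", {}))
    if grants and not pab.get("IgnorePublicAcls"):       # IgnorePublicAcls neutralises public ACL grants
        findings.append("ACL grants public " + ", ".join(grants))
    stmts = policy_public_statements(bucket.get("Policy"))
    if stmts and not pab.get("RestrictPublicBuckets"):   # RestrictPublicBuckets neutralises public policies
        findings.append("policy allows any principal: " + ", ".join(stmts))
    return findings


def find_drift(buckets):
    """Map bucket name -> findings for every bucket that violates the rule."""
    report = {}
    for b in buckets:
        findings = assess_bucket(b)
        if findings:
            report[b["Name"]] = findings
    return report


# Constructed sample inventory (hypothetical names, not the buckets in UpGuard's report).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}
SAMPLE_BUCKETS = [
    {   # ACL opened to everyone and no public access block: the classic exposure
        "Name": "media-records-export",
        "Acl": {"Grants": [OWNER_GRANT,
                           {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        "Policy": None,
        "PublicAccessBlock": {},
    },
    {   # ACL is private, but a bucket policy grants s3:GetObject to "*"
        "Name": "app-user-backups",
        "Acl": {"Grants": [OWNER_GRANT]},
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-user-backups/*"}]}),
        "PublicAccessBlock": {k: False for k in PAB_SETTINGS},
    },
    {   # Compliant: all four block settings on, wildcard principal scoped by a VPC endpoint condition
        "Name": "hardened-bucket",
        "Acl": {"Grants": [OWNER_GRANT]},
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hardened-bucket/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}]}),
        "PublicAccessBlock": {k: True for k in PAB_SETTINGS},
    },
]

if __name__ == "__main__":
    for name, findings in find_drift(SAMPLE_BUCKETS).items():
        print(f"{name}: " + "; ".join(findings))
```

Run on its own, the script reports the first two buckets and stays silent on the third. The “drift” a CSPM tool talks about is simply this check run on a schedule, with each run’s findings diffed against the last: a bucket that was clean yesterday and appears in today’s report is the event to alert on and, where the policy allows it, to auto-remediate by re-enabling Block Public Access.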
It may also be prudent to look at a CSPM solution as a way to enforce a larger entity’s security and compliance policy on partners, suppliers, affiliates and some customers in the future, addressing that risk in a more transparent way.