Last week, news broke of yet another high-profile cloud data breach. A security researcher found an unsecured database owned by a marketing firm, Exactis, containing extensive personal data on 230 million US consumers. Since the US population is 326 million and 22.6% are under the age of 181, this database essentially included information on nearly every US consumer. While the data did not include social security numbers or credit card data, it did include extensive personal details such as smoker/nonsmoker, religious preference, whether they own a dog or cat, and so on. Such information could be used by bad actors to impersonate people in sophisticated phishing attacks. Exactis have since secured the database, although this incident underscores why security is a top concern for enterprises in the public cloud.
How was the data found?
The security researcher programmatically searched publicly addressable IP addresses for unsecured Elasticsearch domains, finding approximately 7,000 such databases, including the Exactis Elasticsearch domain containing 340 million records on 230 million US consumers. Such a programmatic search is hardly novel or complex. In fact, bad actors are already using automation to scan the public cloud for unsecured data. To illustrate the point, BMC recently intentionally stood up an unsecured database, to see how long it took to be attacked. 2 minutes. It took all of 2 minutes for an attack to ensue. Therefore, one can, and should, reasonably assume that bad actors are in possession of the Exactis data. Stated another way, bad guys now know more about you than most of your Facebook friends.
How can I protect my business’ cloud data?
The public cloud is NOT inherently insecure, but enterprises do not always use it securely. If a cloud service, such as Elasticsearch, has configuration settings, it is the user, not the Cloud Service Provider, who is responsible for configuring it so that it is secure. Some organizations do not understand this, others simply inadvertently misconfigure their cloud resources. Misconfigure? How can this be?
If cloud security was simple or easy, there would not be so many breaches. Across the enterprise, there can be hundreds, if not thousands, of cloud accounts, across multiple cloud service providers. The different CSPs have similar, but not identical services, each instance of which must be properly configured to be secure. Moreover, the rise of microservices has increased the number of apps being maintained in the public cloud, and agile development teams are pushing updates faster than ever before. So many accounts, so many apps, such frequent updates, any one of which could make a simple misconfiguration to the wrong cloud resource. In this context, it is not hard to realize that in 2017, there were 2 billion public cloud records compromised 2, up 424% YoY.
Businesses need a programmatic means of finding and fixing misconfigured cloud resources. The scale of enterprise cloud footprint outstrips human capacity to keep pace. Manual intervention is not tenable. You simply cannot solve this problem by throwing bodies at it.
Automate cloud security and compliance
TrueSight Cloud Security is a cloud security and compliance solution which automates security checks and remediation of cloud resource configurations. An intuitive dashboard visualizes your entire multi-cloud security posture at a glance across AWS, Azure, and Google Cloud Platform (GCP). And because it is SaaS, there is nothing to install. You can literally begin securing your cloud in 5 minutes. Try it yourself with our free 14-day trial.
TrueSight Cloud Security could have prevented the Exactis data breach on the Elasticsearch database. Automated security checks, scheduled at the cadence of your choosing, programmatically test the cloud resource configurations against a deep bench of standards-based security and compliance policies which come ready to use right out of the box. The dashboard illustrates noncompliant resources, and the intuitive point-and-click UI allows you to filter violations, by severity, age, resource type, tag, etc. For example, you could filter on AWS Elasticsearch Service violations, examine the details, and click a button to kick-off a remediation. The solution then works via the cloud service provider’s API to reconfigure the resource so that it complies with security policy.
The bad guys are using automation to probe your cloud defenses. Are you using automation to find and fix your security gaps? Register for the free, no-obligation trial.
1 US Census Bureau,https://www.census.gov/quickfacts/fact/table/US/PST045217, July 2017.↩
2 IBM X-Force Threat Intelligence Index 2018↩
These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.
See an error or have a suggestion? Please let us know by emailing firstname.lastname@example.org.