11/07/2019
I have a love-hate relationship with "the cloud". I love how easy it is to create services, easily access software and data, and I love the easy sharing of data. But I seriously hate how easy it is to unintentionally expose data that should remain confidential.
In April of this year, the Telegraph reported on another multi-million-user Facebook data breach by a third party. The data were stored on an Amazon S3 (Amazon Simple Storage System) cloud server. According to Gizmodo, the data were unencrypted and not password protected. Among the data leaked were plaintext passwords.
There have been other Amazon breeches, too, but Amazon is by no means alone in this.
There are two important lessons to learn from these breeches: S3 data is private by default, and data on S3 can be easily encrypted.
The AWS (Amazon Web Services) documentation is clear:
"By default, all Amazon S3 resources--buckets, objects, and related subresources (for example, lifecycle configuration and website configuration)--are private: only the resource owner, an AWS account that created it, can access the resource. The resource owner can optionally grant access permissions to others by writing an access policy."
In other words, the data are password protected unless the owner of the data grants access to others. Those "others" can be specific individuals or the whole world!
Encrypting data on the Amazon server is easy, too. And there are multiple encryption applications to encrypt that data before it is uploaded to S3.
Sharing Data The Right Way
S3 is a great way to share data. It is easy to specify who can see the data and who can modify it. They can be different individuals, too. If the data are encrypted, and access is controlled by specifying appropriate permissions, the data can be safe. This would be a good choice for confidential data.
All passwords should be encrypted when stored on a public server, and arguably all personally-identifiable information (PII) should be, too. We discuss this in Learning Tree's Information Security Training. Readers interested in privacy specifically might want to check out Learning Tree's privacy certification courses, too.
There are very legitimate reasons to store unencrypted data on a web service such as Amazon S3. The most common is likely a static web page. In fact, Amazon tells you how to do it. There can be advantages to such an approach, but that is beyond the scope of this post. Learning Tree has multiple AWS courses to help you understand the plusses and minuses, starting with an https://www.learningtree.com/courses/cloud-computing/aws/.
Storing data in the cloud can be a great solution for multiple applications, but it must be done right. Unless the data are designed to be public, appropriate user access is essential and sensitive data of any kind must be encrypted either at the client or server. It is not enough to rely on people not being able to find the data. There are some pretty good sleuths out there.
It is also essential for organizations to audit the security of online data. You can do that via Amazon's tools or the AWS command line directly, or use a third-party tool to check and enforce security rules. It is not as though it is difficult.
Please stop storing PII and other confidential data where everyone can find it. I know mistakes can happen, servers can have bugs, and so on, but basic controls should be deployed.