On June 8, 2017, security researchers discovered a data repository on the Amazon Simple Storage Service (S3) that could be accessed by anyone on the Internet. The repository contained the names, addresses, account details and personal identification numbers (PINs) of up to 14 million Verizon customers. The Amazon account was owned by Nice Systems, an Israeli company that provides voice recording, data analytics and other services for Verizon. A Nice Systems engineer misconfigured the data repository to allow public access.
A few days later, the same team of researchers discovered a similar issue with data compiled on behalf of the Republican National Committee (RNC). In that data leak, a firm called Deep Root Analytics misconfigured a data repository on Amazon S3, exposing the personal information of nearly 200 million American voters. More than 1.1 terabytes of sensitive data, including names, addresses, phone numbers, birthdates, party affiliation and other details, could be downloaded by anyone on the Internet.
It has often been said that public cloud services are more secure than the typical corporate data center. Cloud service providers such as Amazon have world-class data center facilities and teams of experts who are steeped in the latest security techniques. However, the cloud is only as secure as you make it, as these two data leaks show. Cloud service providers may be responsible for the security of their data center infrastructure, but customers are responsible for the data that’s stored there.
This shared responsibility model extends across all types of cloud services, albeit with variations. With Software-as-a-Service (SaaS), the cloud provider maintains the most control, with the customer only sharing responsibility for endpoint security and identity and access management (IAM). With Platform-as-a-Service (PaaS), the customer is solely responsible for endpoint security, while sharing responsibility for application security and IAM. With Infrastructure-as-a-Service (IaaS), the customer’s responsibilities also extend to operating system, network and firewall configurations and development platforms.
However, a recent survey conducted by Vanson Bourne suggests that few organizations understand this shared responsibility model. In fact, 71 percent of respondents said it’s the service provider’s responsibility to protect the data that’s stored in the cloud. Another 66 percent believe that cloud service providers are responsible for the security of applications, and 63 percent said service providers are responsible for the security of operating systems. This is alarming given that more than half of all organizations store some type of personal data in the public cloud, and 55 percent store customer order history.
Organizations that store sensitive data in the cloud need to recognize their security responsibilities and take steps to prevent a data breach. This starts with understanding the security controls available within the cloud service and putting processes in place to ensure that IT personnel configure those controls correctly. Organizations should also confirm that the cloud service meets regulatory requirements for data security and privacy.
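As an added illustration of such a process check (example code, not from the article or from Amazon), the following Python audit flags the two ways an S3 bucket ends up readable by anyone: a bucket policy statement that allows a wildcard principal, and an ACL grant to the AllUsers or AuthenticatedUsers group. It assumes inputs in the shape of the S3 GetBucketPolicy and GetBucketAcl responses; the sample policy and grants are constructed.

```python
import json

# S3 group grantee URIs whose ACL grants expose a bucket to everyone / any AWS account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    # Statement, Action and Principal.AWS may each be a single value or a list.
    return value if isinstance(value, list) else [value]

def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_policy_statements(policy_json):
    """Sid (or index) of each Allow statement whose Principal is everyone.
    Conditioned statements are reported too: a Condition may narrow the audience,
    but that needs human review rather than an automatic pass."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

def public_acl_grants(grants):
    """(group, permission) for each ACL grant to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings

# Constructed sample inputs (not from the page), in the shape of the GetBucketPolicy
# and GetBucketAcl responses: one public policy statement and one world-READ ACL grant.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
```

Running `public_policy_statements(SAMPLE_POLICY)` reports only `PublicRead`, and `public_acl_grants(SAMPLE_GRANTS)` reports the `AllUsers` READ grant; the owner's FULL_CONTROL grant and the role-scoped statement pass.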
Amazon is not responsible for the Verizon and RNC data leaks. Amazon’s services are built on highly secure platforms with robust controls that can be configured in the customer portal. Responsibility falls squarely on the shoulders of the Amazon customers who failed to take advantage of those controls to protect their sensitive information.
The public cloud can be secure if you remember the shared responsibility model. Cloud service providers are responsible for the security of the cloud, but customers are responsible for the security of what’s in the cloud.
By John Flores, Vice President of Marketing, Pivot Technology Solutions