A slew of household names has recently been accused of misconfigured cloud storage buckets overflowing with unencrypted data, shedding light on a cybersecurity problem that appears to have no solution.
Anurag Sen, a security researcher, revealed just last week that an Amazon server had exposed data on Amazon Prime members' viewing habits.
During the same time period, Thomson Reuters admitted that three misconfigured servers had exposed 3TB of data via public-facing ElasticSearch databases, according to Cybernews, which first reported the issues.
And Microsoft admitted in mid-October that it had left an open misconfigured cloud endpoint that could have exposed customer data such as names, email addresses, email content, and phone numbers.
"The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability," Microsoft said in its statement on the misconfigured server. "We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints."
Indeed, rather than bugs, the leaks are driven by a range of misconfigurations, ranging from insecure read-and-write permissions to improper access lists and misconfigured policies, all of which could enable threat actors to access, copy, and potentially alter sensitive data from accessible data stores.
"The main concern with this kind of leak is the high impact, and that is why the threat actors go after misconfigured storage [servers] and buckets," says Ensar Şeker, CISO at SOCRadar, the cybersecurity firm that discovered the Microsoft issue. "Once they discover [the accessible data], the bucket might ... contain huge amounts of sensitive data for one tenant [or] numerous tenants."
According to Venafi, 81% of organizations have experienced a security incident related to their cloud services in the last 12 months, with nearly half (45%) experiencing at least four incidents. According to Sitaram Iyer, senior director of cloud-native solutions at Venafi, the increase in incidents is due to the increasing complexity of cloud-based and hybrid infrastructure, as well as a lack of visibility into that infrastructure.
"Yes, misconfigured cloud storage is one of the primary reasons for data leaks — I do believe that this is a trend," he says. "The increase in this trend is most often due to misconfiguration related to access controls: While only authorized users need to be allowed access to cloud storage, a simple mistake in configuration often enables [any] authenticated users to gain access."
Companies should monitor their cloud assets on a regular basis to detect when a datastore or storage bucket has been exposed to the public internet. Furthermore, using infrastructure-as-code (IaC) configuration files when deploying cloud storage not only automates deployments but also helps eliminate errors, according to data from Snyk, a maker of security services for the software supply chain.
According to the company, implementing IaC reduces cloud misconfigurations by 70%. The division of responsibilities between cloud providers and business customers remains an issue. While the customer is responsible for configuring cloud assets, Venafi's Iyer believes that the cloud service should make configuring cloud assets as simple as possible.
"Principle of least privilege must be adopted for every aspect of the data," he says. "Access to data must be provided as needed, with proper controls and authorization policies that tie it to a specific user or service account, and proper logging of access and notifications must be implemented."
An Amazon spokesperson told Dark Reading in a statement about the Prime Video case: "A Prime Video analytics server experienced a deployment error. This issue has been resolved, and no account information (including login or payment information) was compromised."
However, misconfiguration is not always the original sin; instead, a worker or developer will deploy a "shadow" server, a container or a storage bucket unknown to the IT department and thus unmanaged by the company.
Misconfigured storage has a long history of compromising security. The issue is frequently ranked among the top ten security issues in the popular Open Web Applications Security Project (OWASP) Top 10 security list. Security Misconfiguration rose to fifth place in 2021, from sixth place in 2017. Verizon Business' annual "Data Breach Investigations Report" also highlights the outsized impact of misconfigured cloud storage: In 2021, human errors accounted for 13% of all breaches.
