Best Practices For Cloud Storage Security

7 Min Read

While many businesses make excellent efforts to protect data from hackers, it’s often a lack of user awareness that results in lapses of cloud storage security. We suggest best practices businesses should implement in order to protect data from user-initiated data breaches.

In March 2018, Gartner predicted “through 2022, at least 95 percent of cloud security failures will be the customer’s fault”. Although not specifically focusing on cloud storage security, there is little doubt Gartner had this in mind when suggesting businesses should develop a strategy that “includes guidance on what data can be placed into which clouds under what circumstances”.

Though Gartner’s intentions are good, they’re speaking to enterprise-scale businesses with a choice of public clouds, private clouds, and on-premises storage at their disposal. Not every business has this range of options. Furthermore, cloud storage security is mostly not dependent on the what, where, and when data is stored, but how.

Most cloud service providers offer airtight cloud storage security. It’s how cloud storage services are used that presents a risk to many organizations. Recent research has revealed huge volumes of publicly-accessible storage, huge volumes of unencrypted data, and an increasing number of data breaches attributable to compromised credentials. 

 

Misconfigurations and misconceptions expose millions of records

Where should we start? The publicly-accessible S3 storage bucket that contained profiling data of 198 American voters? The sloppy S3 configuration at Dow Jones & Co that exposed the personal information of millions of customers? Or the terabytes of information from the Pentagon’s spying archives that were found in a misconfigured cloud storage service along with private encryption keys used to hash passwords for an intelligence sharing platform?

Sometimes it’s necessary for businesses to make cloud storage volumes publicly-accessible. For example, a business may need to share data with another business or a contractor. Or, it may be the case data has to be publicly-accessible when it forms the content of a website. But the number of cloud storage volumes unintentionally accessible to the public is staggering. In just one exercise, AWS Security Consultant Scott Piper found 116,386 publicly-accessible EBS snapshots from 3,213 different accounts.

Data extracted from the EBS snapshots was found to include TLS/SSL Certificates, web server configurations, and AWS security credentials that could’ve been stolen, deleted, or compromised. Piper acknowledged some businesses make their EBS snapshots publicly-accessible for ease of access after a disaster, but this still poses some risks.

Thousands of RDS snapshots are also publicly available to anybody that has an Amazon account. In the past, these have been found to contain sensitive healthcare data and personally identifiable information, which Piper attributes to a lack of awareness rather than misconfigurations. He explained a misconception exists that only internal users have access to unencrypted RDS snapshots; when, in fact, the permission allows anyone with AWS credentials to access the RDS snapshot.

Why doesn’t every business encrypt all its data?

Would cloud storage security be improved if every business was to encrypt all its data? Absolutely. So, why doesn’t every business do it? There are dozens of answers to this question—from an alleged reluctance by the C-Suite to spend the money to the supposed detrimental effect encryption can have on data processing speeds—one of the most common reasons businesses fail to encrypt all their data is a lack of awareness.

In one recent survey, just 36% of businesses were found to use both full-disk and file-level encryption (mostly in the finance and telecoms sectors), with the majority failing to recognize that full-disk and file-level encryption should be used together to minimize the effect of a data breach. 

Even in regulated industries, where businesses have a legal requirement to encrypt data, a lack of awareness places personally identifiable information at risk. For example, the complexities of the Health Insurance Portability and Accountability Act (HIPAA) have led many healthcare organizations to believe that, because the regulation relating to encryption is “addressable” rather than “required”, it isn’t a necessary cloud storage security measure when in fact it is. 

Similarly in the public sector, the Sarbanes-Oxley Act (SOX) doesn’t specifically require the use of encryption to protect financial data. Although many businesses have applied end-to-end encryption as part of their data protection practices, multiple data breaches are reported each year in which unencrypted data has been extracted from cloud storage volumes. The businesses responsible have been heavily fined for their lack of cloud storage security.

How big is the threat of compromised cloud accounts?

Some security experts claim one-in-six businesses have cloud accounts that have already been compromised, while the Cloud Security Alliance identified “Insufficient Identity, Credential, and Access Management” as the top-listed threat in its “Treacherous Twelve Threats to Cloud Computing”. Unfortunately the scale of the threat is impossible to quantify as it may take years for a compromised cloud account to be discovered. 

Many business don’t enforce cloud storage security best practices to mitigate the threat of credential phishing. Incidentally, there was a 125% increase in credential phishing between 2013 and 2016, and it’s only likely to increase.

Though phishing awareness training and simulation exercises can reduce user susceptibility to phishing emails, there’s still the likelihood a phishing email will avoid detection and a user will interact with it—potentially revealing login credentials or downloading keylogging malware that records keyboard actions. Consequently, businesses should address weaknesses in their identity, credential, and access management in order to mitigate the threat of compromised cloud accounts.

A policy of password rotation isn’t enough to address this particular threat to cloud storage security. Businesses also need to rotate cloud access keys and use multi-factor authentication to protect data accessible from user accounts. It’s also recommended access is controlled by both identity-based policies and IP-based policies to prevent hackers logging in remotely with a user’s compromised cloud account credentials.

Best practices for cloud storage security

In one way or another, all the scenarios mentioned above represent user-initiated threats to cloud storage security. The first best practice is to eliminate misconceptions about cloud storage security. Many users don’t understand cloud service providers’ “shared responsibility models” for cloud storage security or how it’s defined by the level of abstraction. This can be addressed with comprehensive awareness training.

With regard to the volume of misconfigurations currently exposing millions of data records, the default setting on all assets in the cloud should be to make them inaccessible so that users have to define what level of access each asset has. As a best practice for cloud storage security, the default option should be extended beyond storage volumes and snapshots to include ElasticSearch clusters and any other service that contains sensitive data or personally identifiable information.

It’s understandable that an end-to-end encryption policy may be impractical in every circumstance. A best practice for cloud storage security is for businesses to implement a universal tagging policy that identifies sensitive data and personally identifiable information. The locations in which data is stored and through which it travels should also be secured by encrypted so that any data accessed without authorization is indecipherable and unusable.

Although implementing best practices such as multi-factor authentication may meet some resistance due to the additional process involved, they can enhance cloud storage security significantly. However, policing compliance with the best practices for cloud storage security can be difficult in an environment where users have a considerable amount of control over activities in the cloud.

Enforcing cloud storage security best practices

It isn’t humanly possible to police and monitor cloud storage security best practices when you may have millions of assets deployed in the cloud. So, an ideal solution is to implement a cloud management platform with automation capabilities that can monitor compliance with governance policies and alert system administrators to policies violations, or take an administrator-defined action to prevent a breach of cloud storage security.

To govern your cloud with automation, all you need to do is define the policies users must comply with and the actions you require the cloud management platform to take if a policy violation occurs. The solution then monitors cloud activity around the clock, alerting you to activities that may compromise your business’s cloud storage security. Example policies could include:

  • If any CloudTrail S3 bucket is publicly accessible, restrict access and send email notification.
  • If any S3 bucket with tag “PII” is unencrypted, execute function to encrypt bucket.
  • If an IAM User's Cloud Access Key has not been rotated in 90 days, send an email notification.
  • If any privileged IAM user has MFA disabled, execute function to revoke access.

A cloud management platform with automation capabilities has many practical uses beyond cloud storage security. It can also help businesses control cloud costs and enhance performance, making sure your cloud environment is properly optimized.  

 

Image
headshot
CloudHealth Tech Staff, Cloud Tech Journalist

The CloudHealth Tech Staff team is made up of industry experts who report on trending cloud news, offer cloud management best practices, and compare products and services across the major cloud providers. As a part of CloudHealth, the CloudHealth Tech Staff come from all different backgrounds making them unique leaders in this industry.

We Think You Might Like These: