In late May, U.S. government contractor Booz Allen Hamilton was found to have left more than 60,000 sensitive files on a publicly accessible Amazon Web Services (AWS) S3 server. The cache was discovered by UpGuard security analyst Chris Vickery, who revealed that the data contained files connected to the National Geospatial-Intelligence Agency, the U.S. military’s provider of battlefield satellite and drone surveillance imagery.
While an unfortunate incident in its own right, the Booz Allen Hamilton leak is not a solitary incident. In fact, just a few weeks ago, it was reported that a misconfigured AWS S3 bucket repository containing sensitive information of 198 million American voters was left exposed to the internet for 12 days. Chris Vickery also discovered this specific incident, which is considered to be the largest U.S. voter data leak of all time.
Amazon S3 buckets are vulnerable to data leaks. This is not because AWS isn’t a secure environment, but rather because even very well trained professionals – myself included – can find it challenging to manage access controls in AWS.
This past Christmas, I decided to spend some of my time off setting up an S3 bucket (thrilling stuff, right?). I set up an account with storage and used a software called Cloud Berry to back up my computer. From my personal experience, I can tell you that you have to really know what you’re doing. I consider myself to be an intelligent guy, but even I found it challenging to set up all of the controls. And here’s the kicker: Even smart people can mess up. It’s quite easy to make a mistake and leave your data exposed. I was putting my kids’ baby pictures at risk – imagine now you have to do this for a company, and the stakes suddenly increase exponentially.
Thales Helps Organizations Shore Up AWS Defenses
So what can be done to bolster an organization’s defenses and prevent future AWS data leaks, even from the most common problem of human misconfiguration? The Thales solution for this environment is the Vormetric Cloud Encryption Gateway, a virtual gateway that can run on-premises or in-cloud to assure clear-text data is never stored in S3. The Gateway uses the Vormetric Data Security Manager to securely store your encryption keys in a FIPS 140-2-certified key manager. This is the same Vormetric Data Security Manager that manages your keys for the entire Vormetric Data Security Platform.
The Gateway has another pretty nifty capability – it can (and will) detect if a user places clear-text data directly into a protected S3 bucket. This could be an attempt to circumvent the Gateway, or perhaps be an accidental occurrence. The Gateway continuously monitors all the protected S3 buckets; if it detects unencrypted data, it will encrypt it! This means the user must pass through the Gateway and be authenticated and logged if they want to access that data again.
AWS always reminds their customers that “security is a shared responsibility,” and there’s no better way to take responsibility for your data’s security than by leveraging encryption and strong key management that you own and manage. If Booz Allen had implemented this solution, they would have only leaked worthless encrypted data and had no bad press – and the National Geospatial-Intelligence Agency would have no worries about their data leaking from the cloud.
To learn more about how Thales can help you secure your AWS S3 buckets and keep your cloud data from leaking, check out our demo of the Vormetric Cloud Encryption Gateway here, or find me on Twitter at @chvrles.
This Just In!
After submitting my blog to be posted, another Amazon S3 leak was in the news. The World Wrestling Entertainment (WWE) left a database on S3 with inadequate access controls or third-party encryption. Now you can read about the three million wresting fans’ personal data that could have been compromised. Read more in Forbes.