Cloud service providers (CSPs) try to make it simple and easy for their users to comply with data privacy regulations and mandates. Still, as all of us who work in technology know, you reduce access to granular controls when you simplify a process. On the flip side, if you allow access to granular controls, the person setting the controls needs to be an expert to set them correctly. And, even experts make mistakes. So, whichever way you go, there is, across time, a very high likelihood that a CSP's encryption, tokenization, or key management scheme will be misconfigured either by the CSP itself or by the CSP user.
On August 26, 2021, Wiz announced it had gained "complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, including many Fortune 500 companies" via a loophole created by "a series of flaws in a Cosmos DB feature." They named this vulnerability #Chaos DB.
The gateway into the database was Microsoft's Jupyter Notebook, which enabled data visualizations and customized views. The feature was automatically turned on for all Cosmos DBs in February 2021.
Ars Technica reports:
Misconfiguration in the Jupyter feature opens up a privilege escalation exploit. That exploit could be abused to gain access to other Cosmos DB customers' primary keys—according to Wiz, any other Cosmos DB customer's primary key, along with other secrets.
Access to a Cosmos DB instance's primary key is "game over." It allows full read, write, and delete permissions to the entire database belonging to that key. Wiz's Chief Technology Officer Ami Luttwak describes this as "the worst cloud vulnerability you can imagine," adding, "This is the central database of Azure, and we were able to get access to any customer database that we wanted."
The shared responsibility model
The shared responsibility model that every cloud provider refers to requires both the cloud service provider and the customer to take ownership of specific aspects of cloud security. Whether your organization uses cloud services or stores data across multiple clouds, each provider may protect their cloud. Still, you are responsible for the security of your data in these environments. To operate a trusted and compliant cloud environment, your organization must bring your security to address data governance, control, and ownership challenges.
My colleague Paul Hampton wrote in his recent blog: "To minimize the impact of potential security incidents and to optimize sensitive data protection, security and privacy regulations like GDPR, PCI-DSS, HIPAA, or CCPA mandate the adoption of encryption." But encryption and tokenization rely on cryptographic keys, and unless those keys are controlled and protected by the organization responsible for the sensitive data, that organization is at risk. Indeed, Paul writes, "NIST SP 800-144 adds that organizations should be 'in control of the central keying material and configure the key management components for cloud-based applications.'"
Bring your own encryption (BYOE)
The only way you can protect your data in the cloud and fully control its access is to bring your own encryption (BYOE) to the cloud. This means doing your own encryption before sending data to the cloud and controlling the keys outside of the cloud or in a cloud that your organization controls.
Back to CosmosDB. Our internal testing uncovered that Thales's BYOE would have thwarted the CosmosDB/Chaos DB vulnerability. That vulnerability worked because it gave access to Cosmos DB primary keys that inherently allow usage of encryption keys that were created as a part of the CSP's encryption process. Thales BYOE would have protected the data because the data would have been encrypted before being sent to the cloud, and the keys would have remained in the CSP customer's hands, separate from the CSP encryption. So, hackers would never have had access to the key necessary to decrypt the data. It must be noted that Microsoft has addressed this specific Cosmos DB vulnerability.
Thales offers advanced multi-cloud Bring Your Own Encryption (BYOE) tools to secure your data and reach compliance rapidly and effectively. If you have any questions, our data security solution experts will happy to answer them for you.