Comment: Paolo Passeri, Netskope – “AWS buckets need to be locked down”

Folders are a thing of the past, because storage is all done in buckets these days.  No, this isn’t the latest trends advice from IKEA, it’s a new nomenclature that was perhaps inevitable as IT storage moved into the cloud. A bucket is a storage resource in AWS’s S3 storage service, storing both data files and their respective descriptive metadata. Giving these buckets their own name should help us all realise that they need slightly different treatment to the traditional local folders we were used to dealing with… but doesn’t appear to be working, because on a daily basis we are tracking new reports of data leakage from cloud storage buckets.

The problem is that too often buckets are left with misconfigured access permissions, exposing the data to public access. We are used to folders that are private by default, but AWS buckets are open by default, and need proactively locking down.

This sounds like a really simple issue, and to be fair, it kind of is – it’s certainly one we solve pretty easily. But it throws light on a broader issue with cloud security – lack of visibility. Infosecurity teams don’t have visibility of the security of the data stored in the cloud as standard. Even without considering the issue of unsanctioned or “shadow” use of cloud services, the native controls in some of the biggest cloud infrastructures do not allow IT security professionals to effectively monitor and enforce policies across their organisations cloud use.

The Cloud Security Alliance’s Top Threats report for 2019 saw cybersecurity professionals place data breaches, misconfiguration of cloud infrastructure and a lack of cloud security architecture and strategy as the top three risks in cloud usage. However, too many organisations still do not fully understand the “shared responsibility” model and its implications. Shared responsibility establishes where the responsibility of the cloud service provider ends (security “of” the cloud), and where the responsibility of the customer begins (security “in” the cloud). A tiny preposition makes a huge difference and research from the Ponemon Institute has found that only 32 per cent of organisations believe that protecting data “in” the cloud is their own responsibility.

Despite the speed at which organisations are now moving to the cloud, the conceptual security perimeter is still on-premise. Organisations need to stop relying on big tech brand names for assurances of security, and get better informed about their own responsibilities.