By this morning, just about every Capital One user knows the credit card giant was hit with a massive data breach that exposed the personal information of more than 106 million customers.
What they may not know is how the hacker, a former Amazon Web Services engineer, stole their IDs, bank account information and Social Security numbers.
She was able to pull the data from Capital One’s AWS cloud server — and the fault isn’t in Amazon’s cloud infrastructure, but with the way Capital One used it.
According to court documents, “a firewall reconfiguration permitted commands to reach and be executed by that server, which enabled access to folders or buckets of data in Capital One’s storage space at the Cloud Computing Company.”
The hacker, who has been charged by the Department of Justice, stole 700 folders of data stored on that server sometime in March.
The Business Journal highlighted the skyrocketing risks surrounding public cloud security in the July 26 edition, stressing that the problem doesn’t discriminate by industry or business size.
Companies are moving more and more of their data and workloads to the cloud — then playing catch-up when it comes to protecting them. All too often, cloud customers don’t grasp that they themselves are responsible for securing their corporate data in the cloud.
As Peak InfoSec CEO Matthew Titcombe told the Business Journal last week, too many businesses give little thought to protecting their data in the cloud, incorrectly assuming that their cloud service provider does the heavy lifting when it comes to security.
“I’ve done cloud security assessments for clients and when I’ve gone to talk to them about these cloud service providers, I’ve literally been told: ‘We’re secure because we’re on Google,’” he said.
That’s wrong.
“You can’t say Google does all of your security,” Titcombe said. “You can inherit controls for security from them only to a point.”
SHARED RESPONSIBILITY
Public cloud security operates on a ‘shared responsibility model,’ and too many businesses don’t understand how that works.
Cloud management platform vendor CloudCheckr explains: “The cloud provider is responsible for Security Of The Cloud and the customer is responsible for Security In The Cloud.”
“Really the most critical thing, for anybody going to the cloud, is to truly understand that cloud service providers’ expectations for the consumer in their shared security responsibility model,” Titcombe said. “You have to understand what their expectations are of you. The best way to do that is to do a search: ‘Microsoft Azure shared service responsibility,’ for example. That’s going to give you their expectations. A lot of them also have tools that will help you to make sure you’re going through the controls to make sure you’re doing [your part].”
Even companies that do understand their responsibility (as Capital One no doubt did) can discover a crucial misconfiguration too late. Accenture, Time Warner Cable, Dow Jones & Co., Verizon Wireless and the Department of Defense have all suffered massive breaches due to misconfigured Amazon S3 buckets.
Cybersecurity Insiders’ new 2019 Cloud Security Report reveals almost all cybersecurity professionals (93 percent) are moderately to extremely concerned about public cloud security — up from last year. The parade of high-profile breaches, with Capital One now bringing up the rear, shows their worry is justified.
Learn more about public cloud security in the July 26 edition of the Business Journal, including the Cloud Security Alliance’s “Treacherous 12 Top Threats to Cloud Computing Plus” — and how your staff could be unwittingly leaving data doors open to hackers.
Brought to you by HunterTech , A Cloud Security and DevSecOps Company Based in Bangalore,India and California,USA.
Author: Helen Robinson
Source:
Leave a Reply