The Capital One incident is one of the largest data breaches of all time, involving 100 million credit card applications and 140,000 Social Security numbers; the bank’s stock price took an immediate hit as company executives and IT personnel began scrambling to implement the firm’s incident response plan. Capital One customers are undoubtedly worried about their personal information and the media will scrutinize who is responsible over the coming weeks. Because the compromised data was exfiltrated from AWS servers, a debate concerning the security of the cloud will certainly be bantered back and forth as well. Other companies, such as Equifax, will be reluctantly garnering negative press once again as the scope, size and similarities of their own breaches are compared to that of Capital One. Its not going to be fun for a lot of people.
What We Technically Know About the Breach
The basic story line is that Capital One utilized Amazon Web Services (AWS) for some of its digital operations and an attacker, who was a former AWS employee, discovered a server with a misconfigured firewall. Most likely it had some other software vulnerability or credential exposure as well. The attacker was then able to exfiltrate the data. Capital One described the alleged hacker as a “highly sophisticated individual who was able to exploit a specific configuration vulnerability in our infrastructure.” Despite being smart enough to implement the attack in an anonymous fashion, the attacker posted her exploits on Slack and social media. Someone saw the attacker’s detailed notes and reported the discovery to Capital One through their reporting program. The FBI immediately became involved and made the arrest. Thanks to a little bit of luck, the breach was discovered quickly, which lessened the damage. It normally takes months to discover a breach and years for these types of perpetrators to be arrested for their accountability. It should also be mentioned that the misconfigurations that were exploited have been eradicated.
The AWS Shared Responsibility Model
AWS has clearly stated that, “AWS was not compromised in any way and functioned as designed.” As one AWS representatives point out, the attack took place because of a misconfiguration of an application firewall, not the underlying infrastructure. In its disclosure statement, Capital One explained that the exploited vulnerability is not specific to the cloud.
Cloud vendors, such as AWS and Microsoft’s Azure, provide infrastructure to their customers. This includes servers, storage and network appliances such as routers, switches, and firewalls. These vendors provide an ecosphere for enterprise organizations to host their applications. It is a shared environment, and so AWS refers to a “shared responsibility model” when it comes to security of that environment. AWS guarantees the global security of the underlying network and hardware that make the cloud possible, but the customer holds accountability beyond that. While AWS and other cloud vendors can supply their customers with application firewalls and other types of security solutions, they do not configure them for their customers. It is the customer that must decide the configuration and permissions of their cloud hosted resources.
Customers Must Realize their Security Responsibility
In a recent article, Gartner estimates that 95 percent of cloud security failures through 2022 will be the customer’s fault. Says Jay Heiser, research vice president at Garner, the question for CIOs shouldn’t be whether the cloud is secure. It should be, “are their organizations using the cloud securely?” Cloud customers must ensure that they are prepared and educated concerning their shared responsibility when it comes to access control, monitoring, and audit logging. There isn’t just one way of providing cloud infrastructure, which means there isn’t just one way to secure it. Visibility of resource access doesn’t stop at the network perimeter. It extends into the remote confines of the cloud as well. Just because your resources are in the cloud doesn’t mean you can “set it and forget it.”
The Cloud is Not without Risk
In the same way that companies have varying strategies when it comes to on premise data centers, the same is true for cloud computing. Public clouds are multi-tenant environments which naturally leads to increased risk exposure. Office 365 attracts a lion’s share of phishing attacks due to the large concentration of email accounts, thus cloud computing and infrastructure providers become popular targets for hackers due to their immense size. For these reasons, it is imperative that cloud-only organizations, as well as those that utilize hybrid architectures, must ensure that their security strategy accommodates their environment.
The Need for a Cloud Security Partner
Many companies have partnered with cloud service providers to help complete their digital transformations; they also need to partner with information security companies that the cloud, its inherent risks, and proper configuration. Whether your resources are located on premise or in the cloud, the essential need to create and implement a security strategy to protect it is imperative.
Ensure that your share of the cloud is fully protected from all types of threats. Contact us to scope your project.