It is unfortunate to read about another data leakage incident from a DOD agency. The culprit appears to be an Amazon S3 storage bucket left publicly accessible due to an improper configuration setting. AWS offers a rich set of tools and technologies to help protect data and enable flexibility through policy-based configurations. It is the users’ responsibility, under the shared security model, to ensure that security best practices are followed and continuously monitored.
Sadly, this is not an isolated incident. It is very similar to another incident that occurred earlier this summer, when a security breach at Booz Allen Hamilton exposed sensitive NGA data and was extensively reported in the media.
Clearly, cloud platforms like AWS are heavily incentivized to protect and safeguard customer data. They provide a rich set of features and functions along with extensive materials to help users configure and deploy these solutions. For example, every S3 bucket is private by default, so making one publicly accessible requires an explicit action.
So, what went wrong? Why do we keep reading about these kinds of incidents? Is it just a simple technical problem, or is it a larger issue that most organizations are struggling with due to the rapid pace of change and digitalization?
IV&V is a must for ensuring cloud security
In the software development space, especially in public sector organizations, IV&V refers to the independent verification and validation of a newly developed product or service. IV&V is a critical part of a quality management system such as ISO 9000 and is essential to ensure that the product, service, or system meets its requirements and specifications.
The key word here is "independent", indicating that the verification and validation is to be performed by a third party. Many public-sector organizations, especially in the US federal and DOD space, have well-established policies and procedures for conducting security assessment and authorization (SA&A) activities based on NIST Special Publications 800-37 and 800-53. These frameworks are fairly mature and have evolved over many years to incorporate new cloud-specific threat and vulnerability vectors.
However, security assessment and authorization (SA&A) is largely a “one-off” activity. How do you ensure the continued security and integrity of a cloud environment that by definition is constantly changing? Are the security processes, roles & responsibilities and organizational team alignments robust enough to allow truly independent and continuous security monitoring? Operating in the cloud requires an independent security organization with the right levels of funding, resourcing and empowerment to ensure the security of digital assets.
Continuous and independent: two essential pillars for robust security
Organizations looking to stay ahead of the digital modernization curve must rapidly implement a holistic organizational architecture that creates an independent security function. The security team must be empowered through well-defined roles and responsibilities, and through funding, to continuously protect the organization’s digital assets. The security team cannot function in a vacuum and must be on the front lines of systems operations. Too often, security is reactive and focused solely on compliance reporting. Implementing a real-time continuous monitoring program requires investing in a dedicated SIEM (Security Information and Event Management) solution. The SIEM solution must be operated by a team of qualified analysts with adequate coverage and funding to detect and respond to incidents quickly.
However, in most organizations the security team is subordinate to, and dependent on, the development and operations teams for access to critical operational data or tools. Most organizations tend to prioritize backlogged functional and operational features and often deprioritize security-related backlog items. This happens for many reasons: 1) inadequate understanding of the impact of the security findings, 2) lack of resources or ownership for resolving security issues, or 3) inability of the security team to enforce the remediation of critical security bugs due to a lack of “veto” power.
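The kind of check a continuous monitoring program would run against the misconfiguration described above (a bucket that is private by default but was explicitly opened up) can be written without any AWS access at all, by evaluating the bucket ACL and bucket policy documents that the S3 GetBucketAcl and GetBucketPolicy calls return. The example below is added here and is not code from the post or from AWS; the ACL, policy documents and account/bucket names in it are constructed samples.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}  # a grant to either group exposes the bucket

# Constructed samples in the shapes returned by S3 GetBucketAcl / GetBucketPolicy;
# they are illustrative and not data from the incident the post discusses.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

def acl_public_grants(acl):
    """(URI, permission) for every ACL grant to AllUsers or AuthenticatedUsers."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def policy_public_statements(policy_json):
    """Allow statements whose Principal is anonymous ('*' or {"AWS": "*"}).
    Conditions are ignored, so a Condition-restricted '*' is flagged too (safe side)."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # a lone statement may be a dict
    hits = []
    for s in stmts:
        principal = s.get("Principal")
        if s.get("Effect") == "Allow" and (
                principal == "*" or (isinstance(principal, dict)
                                     and principal.get("AWS") in ("*", ["*"]))):
            hits.append(s)
    return hits

def bucket_is_public(acl, policy_json):
    """True if either the ACL or the bucket policy exposes the bucket."""
    return bool(acl_public_grants(acl)) or bool(policy_public_statements(policy_json))

if __name__ == "__main__":
    print("sample bucket public:", bucket_is_public(SAMPLE_ACL, SAMPLE_POLICY))
```

Feeding real ACL and policy documents into these functions on a schedule, and alerting from the SIEM when either returns a hit, turns the one-off SA&A review into the continuous, independent check the post argues for.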
As organizations continue to reap the business benefits of lower costs and greater agility provided by cloud platforms, it is essential to adopt and architect a robust security solution that is independent and equipped to detect and respond to risks continuously.