Amazon S3: Don’t Kick the Bucket, Do Something About It
Over the past several weeks we’ve seen three newsworthy stories in which sensitive information found its way onto Amazon’s S3 cloud storage service: NGA, WWE, and Verizon.
In each case, people ended up storing data such as sensitive imagery products or customers’ personally identifiable information (PII) in S3 where it leaked. In all three cases, no one was reported hurt besides those responsible for the S3 leaks. When looking at cloud solutions, we need to remember that cloud storage does not create a data breach; how people use cloud storage creates a data breach. Yes, I am reminded of those political bumper stickers about guns and how the impact depends on how they are used.
When I reviewed Amazon S3 and followed the documentation exactly to set up a bucket with its defaults, the result was properly locked down: only the creator of the bucket can read or write its contents. Go ahead and try to access my example S3 bucket “kickthebucket42” and you will find that your permission is denied. So, as a starting point, the folks at Amazon are not putting out insecure cloud storage. I disagree with those who think Amazon is to blame for people not using S3 correctly or securely. Amazon S3 does not create data leaks; people using Amazon S3 incorrectly create data leaks.
The first likely explanation for S3 breaches is the lack of alignment between the authorization controls in a user’s on-premises environment and those in the cloud S3 environment. From my exercise in creating an Amazon bucket, I can see how someone could throw up their hands in frustration and open the bucket to everyone. Amazon hasn’t yet created a service that reads the mind of the S3 user, figures out who provides IT support for that user, and then contacts that IT administrator to ask for appropriate sources of identity and authorization on the user’s behalf. Given what Amazon is capable of technologically, this set of features is probably on someone’s product roadmap. Until that day, our frustrated S3 user is depending on “security by obscurity,” which is effectively dead nowadays. In other words, you need to protect your bucket as if you had just given its name to the entire world (like I just did with “kickthebucket42”).
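Because a bucket’s own ACL and bucket policy decide who can read it, the practical defense is to check both documents for grants to everyone. The following is an added example, not code from the original post or from Fornetix or Amazon: it evaluates constructed ACL and policy documents shaped like GetBucketAcl and GetBucketPolicy output, offline with no AWS calls, and flags grants to the AllUsers/AuthenticatedUsers groups or to Principal "*". The bucket name in the sample policy is the post’s own “kickthebucket42”; the owner ID is a made-up placeholder.

```python
# Grantee groups that make an ACL grant world-wide or open to any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return the permissions the ACL grants to AllUsers/AuthenticatedUsers."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS]

def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given as a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy):
    """Return Sids of Allow statements open to everyone. Statements with a
    Condition are still reported: a condition may or may not narrow access."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))]

def audit_bucket(acl, policy=None):
    """Combine ACL and policy findings into human-readable strings."""
    findings = [f"ACL grants {p} to a public group" for p in public_acl_grants(acl)]
    if policy:
        findings += [f"policy statement {sid} allows Principal *"
                     for sid in public_policy_statements(policy)]
    return findings

# Constructed samples shaped like GetBucketAcl / GetBucketPolicy responses:
# the default owner-only ACL beside an ACL that was opened to everyone.
OWNER_ONLY_ACL = {"Owner": {"ID": "owner-id-placeholder"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"}]}
WORLD_READABLE_ACL = {"Owner": {"ID": "owner-id-placeholder"},
                      "Grants": OWNER_ONLY_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::kickthebucket42/*"}]}

if __name__ == "__main__":
    print(audit_bucket(OWNER_ONLY_ACL))                          # []
    print(audit_bucket(WORLD_READABLE_ACL, PUBLIC_READ_POLICY))  # two findings
```

Note that the bucket policy check reports any Allow statement whose principal is everyone, even when a Condition is present, so those results need a human look rather than being treated as automatically public.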
One of the reasons Fornetix is building a platform that pushes beyond traditional key management and provides a Key Orchestration ecosystem is to help the plight of our S3 user. An ecosystem of clients and agents extending our core Key Orchestration appliances lets us help customers with decision enforcement (load, upload, encrypt, decrypt, and so on), all anchored by our central policy engine as the decision point, which provides fine-grained attribute-based authorization controls for encryption key lifecycle operations among other command and control operations. Our belief in interoperable, standards-based systems gives us flexibility in supporting heterogeneous environments (like S3), coupled with solutions like the Racktop Secure Data Protection Platform (SDP2), while maintaining separate policy constructs for virtualization, cloud services, and network communications. In other words, Orchestration.
The real value is aligning this capability with what drives the business. In other words, people don’t go to work to use encryption; they use encryption to go to work. If encryption is going to be more than just another security stovepipe, it needs to align with and demonstrably influence the business operations of a given organization. With regard to the disjointed authorization between AWS and on-premises systems, aligning key lifecycle management with storage and security services lets cryptography act as an active form of authorization: access to both the content and the key material is required before information becomes usable.
In cases like the NGA, WWE, and Verizon S3 leaks, integrating Key Orchestration with systems from companies like Dataguise, Zettaset, and Cyphre can provide encryption solutions that use Key Orchestration policy tied to KMIP standards-based key management. Taking this matter of influence and governance further, Fornetix’s collaboration with Racktop Systems to develop SDP2 applies policy for encryption, decryption, and destination storage based on who the user is and what information is available about the file.
S3 is a powerful tool that has changed the way we look at storing information and working with content. The headaches experienced by NGA, WWE, and Verizon demonstrate that the human component of a system can inadvertently lead to breaches of information. Aligning applied encryption and storage services toward protecting what is valuable to an organization helps mitigate the risks of individual mistakes as well as deliberate attacks. In our brave new world, where we need to depend on active and passive methods to protect what we hold dear, don’t kick the bucket — defend the bucket.