Remembering Your Basic Training — Access Control Permission

Whether you’ve done it yourself or you’ve seen it in the movies, military training is often synonymous with precision and repetition. Whether it be in the use of a weapon or how to secure a load in a moving vehicle, there are protocols, standard operating procedures, and double checks that are followed because these things matter when the situation calls for it.

With that backdrop in mind, there’s some unfortunate irony in the latest data breach disclosed by Upguard yesterday. As revealed, 9,400 files containing private information on US military and intelligence personnel were exposed through an Amazon Web Services (AWS) server. The irony, of course, is that the breach occurred because someone forgot their basic AWS security training and simply left the data exposed on a public S3 bucket.

Before we rake the perpetrators over the coals for this, it’s important to recognize that this is yet another breach involving IaaS services in a very short period of time. And while we’re chastising people for overlooking the basics, the reality is that these breaches are actually a symptom of a broader challenge — the sprawling heterogeneity of security controls that exist in the enterprise today. As IT and security practitioners, the diversity of SaaS, IaaS, and PaaS services that have permeated the enterprise is alarming. Striving to differentiate and make their product “sticky,” cloud service providers aren’t driven by standardization from an administrative point of view, and so security professionals have largely been left to “figure it out” on their own. This often involves reading the fine print and understanding what comes “built in” or “checked by default” with the “bronze,” “super enterprise,” or “double-5S” licensing agreement from various providers. This would make even the most seasoned and regimented security professional’s head spin.

Fortunately, there are steps security professionals can take to safeguard their data and a lot of that begins with centralizing control and making policy controls reusable from service to service with technology like a CASB. We’ve documented the recommendations from our customers in this white paper. Download it here to share with folks responsible for AWS security in your organization.