Law Firms Increasingly Vulnerable To IaaS Cloud Service Breaches
Only a quarter (26%) of people using Infrastructure as a Service (IaaS) are confident that they can accurately audit configuration settings to prevent cloud storage data from becoming public, and fewer than 36% are able to enforce data loss prevention (DLP) in the cloud.
According to a new report by McAfee, only a third of IaaS users understand how to set their collaboration settings to secure data and manage how it is shared.
Infrastructure as a Service (IaaS) cloud services have been heralded as the future in enabling businesses and law firms to grow while also storing sensitive data securely at scale. In fact, 87% of IaaS users report ‘business acceleration’ since moving to cloud services, and over half (52%) report better security than they had with physical infrastructure on their own premises.
However, hundreds of large-scale breaches later, data stored with IaaS providers is still being exposed at an alarming rate.
Amazon Web Services (AWS) has dominated the sector since its inception over a decade ago, with Microsoft’s Azure as its principal competitor.
Despite its sustained popularity, AWS’s Simple Storage Service (S3) has been a persistent source of problems for users trying to secure their data.
Your law firm may have adopted an AWS service in the belief that it provides more storage, modern infrastructure and hardware, and easily managed costs. It may also, unwittingly, be exposing sensitive data to every other AWS customer, or even publishing it openly on the internet.
It is thought that as many as 7% of all S3 buckets are publicly accessible to anybody, without any need for authentication. Some have also claimed that up to 35% of S3 buckets remain unencrypted.
Over the past five years there has been a worrying number of significant data breaches involving S3. In 2017, a major defence contractor for the US military left an S3 bucket containing sensitive files relating to national security insecurely configured.
Similarly, the personal data of over 198 million American voters was exposed by a big-data firm that stored the information in a wide-open S3 bucket. Even a company as large as Dow Jones & Co exposed the personal data of over 2 million customers after its staff failed to configure the bucket’s access settings correctly.
How can such a successful business maintain consistently high levels of popularity and trust when millions of sensitive records have been publicly exposed?
To a certain extent, the problem rests with the users and the way they configure S3. The breaches highlight a widespread misunderstanding of IaaS and how to use it effectively and securely.
AWS has made it far too easy to misconfigure a bucket in a way that leaves it completely accessible to the public. For many, the problem is AWS’s confusing choice of words. One of S3’s access control settings grants access to ‘any authenticated AWS user’. A bucket creator should not feel foolish for assuming that this setting lets anyone in their own organisation use and add to the bucket.
Unfortunately, that is not what it means. This setting grants access to anyone holding an AWS account of any kind, so millions of AWS users can view the organisation’s sensitive and private files. Something as innocuous as a semantic misunderstanding can open the door to cyber criminals.
Many users have also been tripped up by confusion over the access control lists (ACLs) used within AWS services and how they interact with the bucket’s other settings. An ACL can be attached to an S3 bucket, but a bucket has several overlapping access controls (the bucket ACL, per-object ACLs and the bucket policy), and a restrictive ACL does not help if one of the others grants public access.
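The two traps described above (an ACL grant to ‘any authenticated AWS user’, and a bucket policy that quietly undoes a restrictive ACL) can be checked mechanically. The following is an added example, not code from the article or from AWS: it classifies a bucket from the data structures that boto3’s get_bucket_acl, get_bucket_policy and get_public_access_block calls return, and also checks whether S3 Block Public Access is switched on for the bucket, which neutralises both kinds of public grant. The sample ACL, policy and bucket name are constructed for illustration; the audit_live function assumes boto3 is installed and credentialed and is not exercised offline.

```python
# Added example (not from the article or from AWS): classify an S3 bucket's
# access settings using the data shapes boto3's get_bucket_acl,
# get_bucket_policy and get_public_access_block return. The sample inputs
# below are constructed, not captured from a real account.
import json

# Canned ACL grantee groups. 'AuthenticatedUsers' is the one the console
# labelled "Any authenticated AWS user": it means any AWS account at all.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# The four Block Public Access switches; all must be on to neutralise public grants.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_findings(acl):
    """(group, permission) for every ACL grant to one of the global groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            out.append((grantee["URI"].rsplit("/", 1)[1], grant["Permission"]))
    return out


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy):
    """(Sid, actions, has_condition) for Allow statements open to any principal.
    policy is the JSON string boto3 returns (or a dict), None if no policy is attached."""
    if not policy:
        return []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    out = []
    for s in stmts:
        if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal")):
            actions = s.get("Action", [])
            actions = [actions] if isinstance(actions, str) else list(actions)
            out.append((s.get("Sid", ""), actions, "Condition" in s))
    return out


def block_public_access_complete(pab):
    """True only when all four switches are enabled on the bucket."""
    return bool(pab) and all(pab.get(k) is True for k in PAB_KEYS)


def classify_bucket(acl, policy, pab):
    """Verdict: 'shielded' (Block Public Access fully on), 'public', 'any-aws-account',
    'review' (wildcard Allow guarded only by a Condition that must be read) or 'private'."""
    if block_public_access_complete(pab):
        return "shielded"
    acls = acl_findings(acl)
    pols = policy_findings(policy)
    if any(g == "AllUsers" for g, _ in acls) or any(not c for _, _, c in pols):
        return "public"
    if any(g == "AuthenticatedUsers" for g, _ in acls):
        return "any-aws-account"
    return "review" if pols else "private"


# Constructed sample: the "any authenticated AWS user" trap from the article.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
]}
# Constructed sample: a policy that makes every object world-readable, whatever the ACL says.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-firm-docs/*"}]})
SAMPLE_PAB_OFF = {k: False for k in PAB_KEYS}
SAMPLE_PAB_ON = {k: True for k in PAB_KEYS}


def audit_live(bucket):
    """Fetch the real settings with boto3 (assumed installed and credentialed; not run
    offline). Needs s3:GetBucketAcl, s3:GetBucketPolicy, s3:GetBucketPublicAccessBlock."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket)
    policy = pab = None
    try:
        policy = s3.get_bucket_policy(Bucket=bucket)["Policy"]
    except ClientError as e:  # no policy attached is the normal case
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as e:  # never configured means nothing is blocked
        if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
    return classify_bucket(acl, policy, pab)


if __name__ == "__main__":
    print(classify_bucket(SAMPLE_ACL, None, SAMPLE_PAB_OFF))           # any-aws-account
    print(classify_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB_OFF))  # public
    print(classify_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB_ON))   # shielded
```

The three sample runs show the point of the passage: the same ACL is rated ‘any-aws-account’ on its own, ‘public’ once a wildcard bucket policy is added, and ‘shielded’ only when all four Block Public Access switches are on. A ‘review’ verdict means a wildcard Allow statement carries a Condition (for example, restricting to a VPC endpoint) that a human has to read before calling the bucket safe. For a bucket that should never be public, the straightforward remediation is to turn on all four switches with the AWS CLI (aws s3api put-public-access-block) and then remove the offending ACL grants and policy statements.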
While it could be argued that it is human error in configuring these settings that exposes the data, AWS has a responsibility to provide clear and understandable explanations of its configuration settings.
Law firms are increasingly migrating to cloud-based services, and so they should; the benefits are far-reaching. However, it is crucial that users become adept at understanding configuration policies, to avoid unintentionally exposing sensitive and private data to the general public.