Public-facing cloud storage buckets are a data privacy nightmare, according to a study released today.<\/p>\n\n\n\n
Members of Laminar Labs’ research team recently found that one in five public-facing cloud storage buckets contains personally identifiable information (PII) \u2013 and the majority of that data isn’t even supposed to be online in the first place.<\/p>\n\n\n\n
The information uncovered by the researchers includes physical addresses, email addresses, phone numbers, driver’s license numbers, names, loan details, and credit scores.<\/p>\n\n\n\n
“Because this data contains such highly sensitive information as loan details, Bitcoin addresses and conversations about unemployment benefits, we believe that this data has the potential to put the organizations to whom the information belongs at risk,” Laminar Labs said in a statement.<\/p>\n\n\n\n
“Organizations cannot properly protect data they do not know is exposed,” the company added. “And in the shared responsibility model, keeping this data secure is the responsibility of the organization that owns the buckets in which the data resides.”<\/p>\n\n\n\n
Also read: Cloud Bucket Vulnerability Management<\/a><\/p>\n\n\n\n According to Laminar, the sensitive data found online includes the following \u2013 it’s quite a list:<\/p>\n\n\n\n Companies need to know what publicly exposed sensitive data is in their environment, Laminar said. Still, doing so can be harder than it seems, since non-public Amazon S3 buckets can contain specific files and objects that are public \u2013 and conversely, buckets that are intentionally public, like hosted websites, can contain PII placed there by mistake.<\/p>\n\n\n\n The answer, according to Laminar, is a data-centric view rather than an infrastructure-centric one, cataloging all data in your cloud environment to ensure that sensitive information is kept private while public files remain accessible.<\/p>\n\n\n\n Also read: Cloud Security: The Shared Responsibility Model<\/a><\/p>\n\n\n\n Several other companies have warned of similar issues, such as UpGuard, which has detected thousands of breaches related to misconfigured Amazon S3 security settings over the past four years \u2013 including 1.8 million personal records from a database of Chicago voters<\/a>, 14 million Verizon<\/a> customer records, and GoDaddy<\/a> trade secrets and infrastructure information.<\/p>\n\n\n\n “As long as S3 buckets can be configured for public access, there will [be] data exposures through S3 buckets,” UpGuard chief marketing officer Kaushik Sen wrote in a blog post<\/a> earlier this year.<\/p>\n\n\n\n The Mitiga Research Team also recently found hundreds of databases containing PII exposed via the Amazon Relational Database Service (RDS). While RDS snapshots can be used to back up data, those snapshots can expose a range of highly sensitive information.<\/p>\n\n\n\n As the researchers noted in a blog post<\/a>, “a Public RDS snapshot is a valuable feature when a user wants to share a snapshot with colleagues, while not having to deal with roles and policies. In this manner, the user can share the snapshot publicly for just a few minutes… What could possibly happen?”<\/p>\n\n\n\n Also read: CNAP Platforms: The Next Evolution of Cloud Security<\/a><\/p>\n\n\n\n Among the data the Mitiga researchers found exposed between September 21 and October 20 of this year was a MySQL database with about 10,000 rows recording car rental transactions, including names, phone numbers, email addresses, marital status, and rental information.<\/p>\n\n\n\n Another MySQL database contained information on about 2,200 users of a dating app, including email addresses, password hashes, birthdates, links to personal images, and private messages.<\/p>\n\n\n\n The researchers recommend leveraging AWS Trusted Advisor<\/a> to assess your security posture, using CloudTrail logs to check for historical use of public snapshots, and separately checking for all currently available RDS snapshots.<\/p>\n\n\n\n “We think it’s not an overstatement to assume the worst-case scenario \u2013 when you are making a snapshot public for a short time, someone might get that snapshot’s metadata and content,” the researchers wrote. “So, for your company and, more importantly, your customers’ privacy \u2013 don’t do that if you are not 100% sure there is no sensitive data in the content or in the metadata of your snapshot.”<\/p>\n\n\n\n The risks of publicly exposing personal data are two-fold. The first is loss of customer confidence. And the second can be costly fines under data privacy regulations like GDPR and CCPA \u2013 see Security Compliance & Data Privacy Regulations<\/strong><\/a> for important compliance information on those laws and China’s new data privacy law too.<\/p>\n\n\nA Data-Centric View<\/h2>\n\n\n\n
A Pervasive Privacy Problem<\/h2>\n\n\n\n
Assume the Worst<\/h2>\n\n\n\n