Adopting a cloud-first strategy has become immensely popular in recent years. Companies which move their workloads to the cloud enjoy numerous benefits, including scalability, business continuity, and cost-efficiency. But despite its many advantages, the cloud can have some security challenges. This is especially true for data storage.
Diligence is Required
There have been many prominent security incidents involving cloud data storage. In 2019, examples included Cultura Colectiva, a third-party Facebook partner whose insecure usage of AWS exposed over 540,000 Facebook records. A marketing company in Mumbai failed to properly secure an AWS database with a password, and nearly 50 million user records of Instagram “influencers” (including personal data such as phone numbers and email addresses) were exposed. And one of the most notorious incidents of 2019 was the Capital One breach, where a Server-Side Request Forgery attack was used to obtain credentials for AWS data storage that included roughly 88,000 bank account numbers, 140,000 social security numbers, and one million Canadian social insurance numbers.
Sadly, it looks like the number of breaches in 2020 will surpass that of 2019. In Q1 alone, over 1.6 billion consumer records have already been compromised. One of the biggest incidents so far occurred in March, when a CyberNews research team discovered a publicly accessible server hosted on Google Cloud, leaving 800 gigabytes of personal user information and over 200 million detailed user records exposed for an unknown amount of time.
Do these incidents mean that the cloud is insecure? No—the cloud, when used properly, is no less secure than traditional on-premise architectures. But these incidents do show that unfortunately, it is easy to make mistakes and expose data in public-facing cloud storage.
Securing data on the cloud requires careful and proactive measures. This article covers some of the biggest security issues regarding cloud storage, including permissions, monitoring, and resource organization. It will then discuss best practices and the relevant solutions available on AWS, Microsoft Azure, and Google Cloud Platform.
Securely Using Cloud Storage: Key Considerations
There are three major tasks to consider when securing data in the cloud: organizing resources, enforcing policies & permissions, and monitoring & reporting. Each is vitally important.
Organization of Resources
Of the three tasks, this one is probably neglected the most often. Nevertheless, it’s essential to robust security. First of all, you can’t control access to your data if you aren’t clear about what data you have. Second, a good organizational scheme will make it easy to apply appropriate levels of permissions to the various categories of data. Conversely, maintaining data in sloppy or ad hoc collections practically guarantees that at least some of it will not be secured properly.
Organizing your cloud-based resources is a fundamental first step in tracking, managing, and securing your workloads. This includes best practices such as applying a thorough and consistent naming convention and resource tagging. These tags can provide a hierarchy of ownership, and as mentioned above, can also help enforce effective access control and organizational policies.
Policies and Permissions
Lax security policies for storage (especially incorrect permissions) are possibly the most common mistake in cloud security. Although the major cloud service providers (CSPs) have realized this, and have made it less likely for cloud users to accidentally expose data, it is still possible for inexperienced users to do so.
Fortunately, it isn’t that difficult to learn how to use the storage capabilities of your chosen CSP. With only a modest amount of effort, companies can set and enforce appropriate policies on cloud ownership, risk acceptance, and responsibility to limit who can access which assets and when.
Automated Monitoring and Reporting
Automatic monitoring and reporting allows you to flag anomalous actions within the system and prevent attacks in real time. For example, it can detect new internal connections that are unusual, such as a process communicating with a service it shouldn’t be communicating with. This process-to-process visibility is crucial in cloud security; it allows for the discovery of mistakes that were made in the other two steps, ideally before an actual security incident occurs.
Comparing the Big Three Cloud Providers
No matter where you choose to store your data, be it AWS, GCP, or Azure, each cloud platform has its own unique strengths and weaknesses. Let’s briefly discuss their capabilities in terms of the three steps described above.
Storage on AWS
AWS offers a broad range of services and tools to help elevate your security posture and protect data, applications, identities, and devices. Its offerings have been vetted and deemed secure enough for highly sensitive and top-secret workloads.
Resources here include Amazon S3 buckets, EC2 instances, and AWS CloudFormation stacks. Amazon’s resource groups can also be used to help manage a large number of resources that are interconnected, allowing you to perform bulk actions such as security patches and upgrades. It is also highly advisable to tag your AWS resources, allowing you to search, manage, track, and filter resources much more effectively.
AWS additionally provides a wide array of policy types and permissions as well as a default set of fully managed policies that help enforce best-practice policies without having to configure them on your own. Plus, it equips users with fine-grain identity and access controls. Permissions in AWS are granted to IAM entities (users, groups, and roles) to control users’ access to data. Permissions can also depend on various conditions. As for policies, you should assign these to a group of IAM users so that changes are made to multiple users at once, decreasing the risk of granting an individual too many permissions.
Finally, AWS enables 24/7 monitoring, ensuring in near real-time that resources are only accessed by the right people at the right time. Its security automation and monitoring services can identify anomalous activities such as configuration changes throughout your cloud environment. One of these services is AWS CloudTrail, which offers a detailed event history to facilitate security analysis.
Storage on Google Cloud Platform
Google Cloud Platform (GCP) offers unique services that help boost your cloud security and compliance. GCP’s Resource Manager allows you to organize your cloud resources hierarchically so that projects inherit their parents’ policies and settings. This allows users to easily manage access controls and configuration settings across entire operations, upholding the best practice of centrally controlling their company’s resources.
GCP comes with a wide variety of policies and permission services as well, including Cloud Identity and Access Management (IAM), which provides companies with a unified view and full control of access permissions. Advanced settings let users grant access not just on the project level but also based on more subtle parameters, such as IP address, security status, and date and time. In addition, the product comes with highly automated functions for managing groups and roles, enabling users to centrally grant default permission to multiple users.
You can also store, search, monitor, analyze, and alert on log data and events in Google Cloud via Cloud Logging. This service works seamlessly with Cloud Monitoring, which provides visibility into the activity of Google Cloud resources and services, such as Compute Engine, Cloud SQL, Google Kubernetes Engine, App Engine, and Pub/Sub, ensuring the overall health of your cloud-based assets.
Storage on Azure
Azure users benefit from Microsoft’s multi-layered security, which cuts across physical data centers as well as workloads in Azure Cloud. For organizing your resources, Azure comes with four built-in levels of management: management groups, subscriptions, resource groups, and resources. These can be leveraged to track, manage, and secure your cloud workloads. You can also use Azure tags to organize resources into a clear taxonomy.
Azure Active Directory allows users to manage identity and access controls. Using a single Azure AD instance gives you clarity and helps you enforce other security measures centrally to reduce security risks. There are many additional best practices to take into account when using service.
Azure is equipped with a wide variety of monitoring and reporting services, including Log Analytics, which lets users gain security insights, receive smart alerts, create dashboards, and enable automated actions.
Most companies today are turning to the cloud. But along with its numerous benefits comes a challenge: securely using public-facing storage.
Fortunately, there are clear steps you can take to use cloud storage correctly. These include gaining visibility and control of your cloud assets by organizing your resources, properly configuring permissions and access policies, and leveraging automated monitoring and reporting to detect and thwart threats in real time.