S3 data exposure highlights security risks in the cloud

The cloud provides huge benefits when it comes to agility and scale, but it also can cause major headaches and problems for businesses. The latter was evident last week when Deep Root Analytics, a data management platform provider, suffered from a data leakage.

The leak resulted in data exposure of more than 198 million American voters. According to UpGuard, a cyber-resilience platform provider whose analyst discovered the leakage, this is the largest data exposure of its kind.

“The data, which was stored in a publicly accessible cloud server owned by Republican data firm Deep Root Analytics, included 1.1 terabytes of entirely unsecured personal information compiled by DRA and at least two other Republican contractors, TargetPoint Consulting, Inc. and Data Trust,” UpGuard wrote in a post. “In total, the personal information of potentially near all of America’s 200 million registered voters was exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as ‘modeled’ voter ethnicities and religions.”

The data leakage stemmed from Amazon’s Simple Storage Service (Amazon S3). S3 is a cloud storage solution designed to store and retrieve any amount of data on the web. According to Adam Conway, head of product for the cloud computing company Bracket Computing, Deep Root Analysis misconfigured an S3 bucket (storage unit), leaving it open to the public and unencrypted. This is not the first time an organization has suffered from an S3 exposure. Just a couple weeks ago Upward discovered sensitive files associated with the U.S. military were exposed, Gizmodo reported.

“Accidentally setting S3 buckets to public is a very common issue, but is different than the downtime issues Amazon has dealt with in the past. Configuration of buckets to public or private is the customer responsibility, not Amazon’s,” said Conway.

The problem is that while AWS gives its customers control over their data, that control can introduce risks and can leave buckets open due to simple configuration errors, Conway explained.

This insecurity or vulnerability in the cloud continues to be an issue. Gartner recently stressed the importance of  protecting cloud workloads. “Server workloads in modern hybrid data centers use private and public cloud computing and require a protection strategy different from end-user-facing devices. Security and risk management leaders should use risk-based models to prioritize evaluation criteria for cloud workload protection platforms,” Gartner wrote in its report.

Conway believes organizations should operationalize new best practices if they want to avoid costly security issues. Best practices include: “First, encrypt everything. Implement separation of control to give developers access to APIs but have IT and/or Security retain a seat at the table when deciding security controls,” he said.

Since the leak, Deep Root Analytics has acknowledged the issue, updated its access setting, and implemented new protocols to prevent any further access. The company is currently conducting an internal review and thorough investigation into the incident. At this time, Deep Root takes full responsibility and does not believe a hack attack has occurred.

“Cloud provides incredible developer freedom, but self-service with no IT controls is a recipe for a data breach or leak. Organizations should put sensible controls in place to ensure that their data is protected on self-service environments,” Conway said.