Are You Securing Your Data on the Cloud?
The discovery of millions of Facebook records openly exposed online, a result of Facebook’s third-party partners mishandling their cloud data, highlights the responsibility organizations have for securing customers’ data in the cloud.
Researchers at UpGuard reported that they found two data sets owned by Facebook partners, Mexico-based media company Cultura Colectiva and the now defunct “At the Pool”, that together exposed hundreds of millions of Facebook customer records.
UpGuard found that the Cultura Colectiva data set exposed 146 gigabytes online, containing over 540 million Facebook records such as comments, likes, reactions and account names.
The exposed database backup of At the Pool, meanwhile, contained columns for fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb+checkins, fb_interests and passwords for 22,000 users. The exposed passwords are believed to belong to At the Pool users rather than Facebook account users.
According to UpGuard, each of the Cultura Colectiva and At the Pool data sets was stored in its own Amazon Simple Storage Service (Amazon S3) bucket configured to allow public download of files. In terms of closing down the data sets from public view, UpGuard said that it was only after Bloomberg contacted Facebook that the exposed Cultura Colectiva’s Amazon S3 data set was closed from public view. At the Pool’s Amazon S3 data set, on the other hand, was taken offline at the time UpGuard was looking into the data origin.
Growing Incidents of Misconfigured Cloud Storage and Backup
The exposed data sets were hosted on the Amazon S3 accounts of Facebook partners rather than on Facebook’s servers, and the exposed data didn’t involve sensitive information such as financial and Social Security numbers. Even so, these two cyber incidents put a spotlight on the need to secure data in cloud storage and backup.
UpGuard researchers say they have found 100,000 publicly exposed Amazon-hosted data sets that aren’t supposed to be public.
“The public doesn’t realize yet that these high-level systems administrators and developers, the people that are custodians of this data, they are being either risky or lazy or cutting corners,” Chris Vickery, director of cyber risk research at UpGuard, told Bloomberg. “Not enough care is being put into the security side of big data.”
Greg Pollock, vice president of product at UpGuard, told CNBC that Amazon S3 buckets usually have a name. When these buckets are configured incorrectly, such as being switched from private to public, he said, anyone who guesses a bucket’s name can find the misconfigured cloud storage and backups online using a browser.
Another example of cloud data unintentionally exposed to the public is the exposure of Tesla’s Amazon S3 bucket, which led to the illegal use of Tesla’s cloud computing resource for cryptocurrency mining.
“The hackers had infiltrated Tesla’s Kubernetes [a tool for managing a network of virtual machines] console which was not password protected,” said RedLock, the organization that discovered the Tesla breach. “Within one Kubernetes pod, access credentials were exposed to Tesla’s Amazon environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry.”
Cloud Security Best Practices
Cloud services from Amazon, Microsoft, Google and others have enabled organizations to run applications with ease and store troves of data in the cloud. Some data stored on these cloud services is meant for public viewing, such as a cache of photos or other images used on a website, while other data is meant for authorized individuals only.
Customers of cloud services can configure their data to be visible to the public or restricted to private viewing. The recent reports of data exposed because cloud storage was configured for public instead of private viewing show that securing cloud data is a challenge for some organizations.
“Amazon customers own and fully control their data,” Amazon said, in response to the recent data exposure. “When we receive an abuse report concerning content that is not clearly illegal or otherwise prohibited, we notify the customer in question and ask that they take appropriate action, which is what happened here. While Amazon S3 is secure by default, we offer the flexibility to change our default configurations to suit the many use cases in which broader access is required, such as building a website or hosting publicly downloadable content. As is the case on premises or anywhere else, application builders must ensure that changes they make to access configurations are protecting access as intended.”
Monitoring configurations, network traffic and application access are some of the cybersecurity best practices that prevent or mitigate unintentional public exposure of cloud data.
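As an added illustration of configuration monitoring (not code from UpGuard, Amazon or this article's author), the Python sketch below checks bucket settings for the kind of public access described above. It assumes the settings have already been exported as dictionaries shaped like the responses of the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock APIs; the bucket names and sample settings are constructed.

```python
# Added example: offline audit of S3-style access settings for public exposure.
# Input dicts mirror S3 API responses; all sample values are constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def public_acl_grants(acl):
    """Permissions the ACL grants to a public group."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def public_policy_actions(policy):
    """Actions allowed to any principal. Simplification: statements that
    carry a Condition are skipped here and need manual review."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    found = []
    for s in stmts:
        p = s.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"]))
        if s.get("Effect") == "Allow" and anyone and not s.get("Condition"):
            acts = s.get("Action", [])
            found += [acts] if isinstance(acts, str) else list(acts)
    return found

def audit_bucket(cfg):
    """Findings still effective once Block Public Access is applied."""
    pab = cfg.get("PublicAccessBlock", {})
    findings = []
    if not pab.get("IgnorePublicAcls"):      # True makes S3 ignore public ACLs
        findings += [f"ACL grants {p} to a public group" for p in public_acl_grants(cfg.get("Acl", {}))]
    if not pab.get("RestrictPublicBuckets"): # True limits public policies to the owner account
        findings += [f"policy allows {a} to any principal" for a in public_policy_actions(cfg.get("Policy", {}))]
    return findings

def audit_all(buckets):
    return {name: f for name, cfg in buckets.items() if (f := audit_bucket(cfg))}

# Constructed sample settings for three hypothetical buckets.
BUCKETS = {
    "example-db-backups": {"Acl": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}},
    "example-web-assets": {
        "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]},
        "PublicAccessBlock": {"RestrictPublicBuckets": True}},
    "example-internal": {"Acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"}]}},
}

if __name__ == "__main__":
    print(audit_all(BUCKETS))
```

Only the backup bucket is reported: its ACL lets anyone read it, while the web-assets policy is neutralized by its Block Public Access setting.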
When you are looking for truly secure and monitored cloud storage, reliable solutions for your business are a phone call away. Contact us today and protect your data in the cloud.