Cloud security & buckhammer
When the BBC news website reports on a ‘techy’ problem, it marks the point at which the issue has moved out of the domain of the geeks, techies and engineers and into public awareness.
The interesting corollary is that a BBC story is often also the first time some in IT management hear of the issue at all!
Such stories tend to generate knee-jerk reactions and an immediate backlash against the ‘technology’ that made the headlines. Look at the recent CPU vulnerabilities, Meltdown and Spectre (which we talked about here), and the resulting anti-vendor sentiment for an example.
The latest ‘scandal’ is Buckhammer, and the response is ‘can you trust the cloud?’
To summarise the problem: organisations and individuals store data (files, images, everything) in AWS S3, a very cheap and extremely durable object storage service (it has not lost an object out of the several trillion it currently stores). Note the word ‘durable’: S3 makes a strong promise that your data will still be there, not a promise about who else can read it.
S3 is general-purpose object storage. One of its earliest and most common uses has been hosting website assets (images, data, text), and for that use buckets are deliberately made world-readable. But a new bucket is private by default: nothing in it can be listed or read without credentials until someone adds a bucket policy or ACL that says otherwise. Over time it has become the default place to store all kinds of information, very reliably and very cheaply.
And herein lies the issue: if you don’t understand how S3 access controls work, you can make information you want to keep private very, very public, and this is where Buckhammer comes in. It scans the internet for S3 ‘buckets’ (storage locations) whose configuration lets anyone list or read them, and exposes them and everything in them for the world to search. It does not break into anything; a public bucket is public whether or not a scanner has found it yet, and the scanner merely removes the obscurity.
This isn’t a problem if it grabs your company logo or the contents of your ‘About Us’ page, because you want that information to be public.
What happens, though, if someone has put the company accounts or sensitive client documents in a public bucket? If that information leaks it can be severely damaging and, in some cases, business-ending.
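To make the distinction concrete, here is an added example (it is not code from the original post, nor any Arcus or AWS tooling) of the check an open-bucket scanner is effectively running from the outside, done from the inside instead. It evaluates a bucket’s ACL, its bucket policy and its Block Public Access settings in the JSON shapes the S3 API returns (as boto3’s get_bucket_acl, get_bucket_policy and get_public_access_block would), and places the weak world-readable policy beside a hardened one. The bucket names, account ID and role name are hypothetical, the ACLs and policies are constructed for the example, and Block Public Access postdates the incident discussed but is now the standard belt-and-braces control.

```python
import json

# Grantee groups that make an ACL public: the whole internet, and any AWS
# account holder (which, for an attacker with a free account, is the same).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four Block Public Access flags (S3 PublicAccessBlockConfiguration).
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """(grantee URI, permission) for every ACL grant to a public group."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """(Sid, actions, has_condition) for each Allow statement with Principal "*".

    Conditioned statements are reported, not accepted: aws:SourceVpce or
    aws:SourceIp may genuinely fence them, but a human has to read the condition.
    """
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    hits = []
    for st in statements:
        if st.get("Effect") == "Allow" and _principal_is_wildcard(st.get("Principal")):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            hits.append((st.get("Sid", ""), actions, "Condition" in st))
    return hits


def block_public_access_complete(pab):
    """True only when all four flags are on: public ACLs are then ignored and a
    public policy cannot be attached or, if already present, serve the public."""
    return all(pab.get(flag) is True for flag in PAB_FLAGS)


def assess_bucket(acl, policy_json, pab):
    """Classify a bucket as 'public', 'review' (conditioned wildcard) or 'private'."""
    if block_public_access_complete(pab):
        return "private"
    policy_hits = public_policy_statements(policy_json)
    if public_acl_grants(acl) or any(not cond for _, _, cond in policy_hits):
        return "public"
    return "review" if policy_hits else "private"


# --- constructed sample data; bucket names, account ID and role are hypothetical ---
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Grants": [OWNER]}
PUBLIC_READ_ACL = {"Grants": [OWNER, {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}

# Weak: the classic "everyone may read every object" statement.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-exports/*"}]})

# Hardened: only a named role may read, and cleartext transport is refused.
# The Deny with Principal "*" is not a public grant; the checker ignores it.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "FinanceRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/FinanceExportReader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-exports/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::finance-exports", "arn:aws:s3:::finance-exports/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

# Wildcard principal fenced by a source-IP condition: flagged for review, not as public.
CONDITIONED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::finance-exports/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}})

PAB_OFF = {flag: False for flag in PAB_FLAGS}
PAB_ON = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    for label, acl, policy, pab in [
        ("finance-exports as found", PUBLIC_READ_ACL, WEAK_POLICY, PAB_OFF),
        ("finance-exports hardened", PRIVATE_ACL, HARDENED_POLICY, PAB_ON),
        ("finance-exports fenced by IP", PRIVATE_ACL, CONDITIONED_POLICY, PAB_OFF),
    ]:
        print(f"{label}: {assess_bucket(acl, policy, pab)}")
```

The point of the three verdicts is that ‘public’ is a property of the bucket’s own configuration, not of whether a scanner has got to it yet. For a marketing-assets bucket the weak policy is the correct answer; for the finance exports it is the leak. Run against a real account, the same logic would sit behind a boto3 loop over list_buckets, with Block Public Access turned on at the account level so that a future mistaken ACL or policy is refused rather than merely detected.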
Does this make cloud, and S3, less secure? ABSOLUTELY NOT!
What it does mean is that you need to speak to a managed service provider that knows how S3 works and how to make it work for your data.
You also need a managed service provider that can monitor who and what is accessing data in your S3 buckets (S3 server access logs and CloudTrail data events record exactly that) and provide you with real-time intelligence and response capabilities, so that your organisation is not leaking confidential information.
Cloud, and S3 in particular, is not the enemy. The enemy is poor governance and a lack of knowledge and experience in building and managing cloud infrastructure, together with a lack of monitoring and intelligence to identify when something isn’t right.
The solution is simple: speak to an assured, audited and trusted managed services provider like Arcus, with a demonstrable track record of delivering and securing cloud infrastructure (including S3!) for the public sector.
Our AWS-certified Solution Architects and systems operations team understand exactly how to define the right access policies on S3 buckets and make sure that your private data never leaks onto the internet.
Contact us today to find out more!