Leaky cloud bucket is the term used for an occurrence of cloud data being exposed to the world, most often as the result of a misconfigured storage bucket, the container that holds the data. Everything stored in cloud storage is kept in a bucket, organized to enable access to and control of the data.
Although data breaches due to hackers and cyberattacks are what we most often hear about, the most common cause of a leaky cloud bucket is administrator error, and not the cloud providers involved, be they AWS, Microsoft, IBM, or Google.
Every public cloud storage service offers buckets, a term coined by AWS for the repositories that house data objects on the cloud. (Azure calls them ‘blobs’). These buckets may be configured by location, level of access, importance/sensitivity of the data, and several other options.
But there are two main attributes to these buckets that should not be ignored:
- Cloud buckets are by nature a shared service that resides outside of the virtual private cloud and firewall perimeter, and
- Cloud buckets are based on object storage, which doesn’t enforce the file system ACLs that organizations have used for years to define file-level granular permissions.
These inherent weaknesses, combined with the immaturity of cloud storage administration relative to the decades of enterprise IT experience with traditional storage, result in unprotected storage that is likely to fall prey to attackers who constantly scan for the next victim.
To lessen the risk that your organization is impacted by leaky cloud buckets, keep the following precautions top of mind:
1. Encrypt all data going to the cloud. An overarching rule of thumb here is that if your data is outside your walls, it had better be encrypted. Just as you wouldn’t access sensitive information over public wi-fi without a VPN, you shouldn’t use public cloud storage without proper encryption. If data is encrypted at rest and only people with approved, secure access have contact with the encryption keys, it eliminates a great deal of the worry about data exposure.
2. Generate and own your encryption keys. Bear in mind that if your data is encrypted at rest and only you have access to the encryption keys, then you have nothing to worry about if a storage bucket becomes exposed: encrypted data will be useless gibberish to any non-authorized user. Be sure to generate and manage your keys separately from any third-party service to ensure total data privacy.
3. Manage access permissions. Use a multi-layer access control system that starts with the access permissions of the bucket itself and extends all the way to the file level for the relevant workloads, preserving permissions and connecting them to central directory authentication systems.
4. Lock down endpoints and offices. Use enterprise EMM/MDM tools to eliminate shadow IT and create secure productivity spaces within corporate-provided and BYOD devices. Leverage DLP software to monitor data-access patterns and flag deviations that may indicate data leakage.
5. Review security measures regularly. It is good practice to perform regular “pen tests” to evaluate your security posture and ensure no new leaks have appeared over time. This strategy will go a long way toward confirming that there are no weak points for potential entry, especially after a change to the network.
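As an added example (not code from the article or from any cloud provider), the following Python script shows what the regular review in item 5 can look like when it checks for the misconfigurations behind items 1 to 3: a bucket policy or ACL that grants public access, Block Public Access left off, and default encryption that is missing or does not use a customer-managed key. The snapshot dictionaries are an assumption of this example: they mirror the JSON shapes the AWS CLI returns for `get-bucket-policy`, `get-bucket-acl`, `get-public-access-block` and `get-bucket-encryption`, and the two sample buckets are constructed with placeholder account and key IDs so the audit runs offline. The two simplifications (any `Condition` is treated as narrowing a grant, and any explicit KMS key ARN is treated as customer-managed) are noted in the code.

```python
# Added example: offline audit of S3-style bucket settings. The dicts mirror the
# JSON shapes returned by the AWS CLI for get-bucket-policy, get-bucket-acl,
# get-public-access-block and get-bucket-encryption; sample snapshots below are
# constructed with placeholder account and key IDs, so no credentials are used.

# Canned ACL groups that expose a bucket to the world or to any AWS account.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:GetObject", "s3:Get*", "s3:*", "*"}  # actions that grant object reads
PAB_SWITCHES = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Most policy fields may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """'*' or {'AWS': '*'} means anyone, including anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_allows_public_read(policy):
    """True if an unconditioned Allow statement grants object reads to everyone.
    Simplification: a statement carrying any Condition is assumed to narrow the
    grant and is skipped; a human reviewer should still read that Condition."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _principal_is_public(stmt.get("Principal")) and any(
                a in READ_ACTIONS for a in _as_list(stmt.get("Action", []))):
            return True
    return False


def acl_grants_public(acl):
    """True if the bucket ACL grants any permission to a public group."""
    return any(g.get("Grantee", {}).get("Type") == "Group"
               and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
               for g in acl.get("Grants", []))


def public_access_block_complete(pab):
    """All four Block Public Access switches must be on."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(s) is True for s in PAB_SWITCHES)


def encryption_uses_customer_key(enc):
    """True only for default SSE-KMS with an explicit key ARN (taken here as
    customer-managed). No rule, AES256 (SSE-S3) or the provider alias aws/s3 is
    a finding; telling the AWS-managed key's ARN apart would need a KMS lookup."""
    for rule in enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if (default.get("SSEAlgorithm") == "aws:kms"
                and default.get("KMSMasterKeyID", "").startswith("arn:aws:kms:")):
            return True
    return False


def audit_bucket(snapshot):
    """Return the findings for one bucket snapshot; an empty list means clean."""
    checks = [
        (policy_allows_public_read(snapshot.get("policy", {})),
         "bucket policy grants public read"),
        (acl_grants_public(snapshot.get("acl", {})),
         "bucket ACL grants access to a public group"),
        (not public_access_block_complete(snapshot.get("public_access_block", {})),
         "Block Public Access is not fully enabled"),
        (not encryption_uses_customer_key(snapshot.get("encryption", {})),
         "default encryption missing or not a customer-managed KMS key"),
    ]
    return [message for failed, message in checks if failed]


# Constructed snapshots: one bucket left open, one hardened as the article advises.
LEAKY_BUCKET = {
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-leaky-bucket/*"}]},
    "acl": {"Grants": [{"Permission": "READ", "Grantee": {
        "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]},
    "public_access_block": {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_SWITCHES, False)},
    "encryption": {},  # no default encryption rule at all
}
HARDENED_BUCKET = {
    "policy": {"Version": "2012-10-17", "Statement": [  # deny unencrypted uploads
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-hardened-bucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]},
    "acl": {"Grants": [{"Permission": "FULL_CONTROL", "Grantee": {
        "Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}}]},
    "public_access_block": {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_SWITCHES, True)},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}},
}

if __name__ == "__main__":
    for name, snap in (("leaky", LEAKY_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, audit_bucket(snap) or ["no findings"])
```

Run as-is, the leaky snapshot produces all four findings and the hardened one produces none. Feeding real snapshots into `audit_bucket` on a schedule, with any non-empty result raised as an alert, turns the periodic review into a repeatable check rather than a one-off exercise.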
The advantages of storing information in cloud buckets easily outweigh the risk. Leaky cloud buckets are an easy problem to avoid, given some consideration and attention to security protocols at the outset of storing data.