Amazon S3 breach underscores cloud data security needs
Companies that rely on public cloud providers and expect them to keep their data secure may be setting themselves up for trouble.
Cloud data security concerns have become less of a reason for not adopting public cloud than they were in 2012: 32% of respondents cited them as their reason to hold off on adoption, versus 36% in 2012, according to TechTarget's 2013 Cloud Pulse survey.
While cloud vendors strive to protect their customers' data because their business and reputation depend on it, mistakes do happen, said Christopher Stark, CEO of Cetrom Information Technology Inc., a cloud provider based in Vienna, Va.
The recent Amazon Simple Storage Service (S3) security breach highlights just how important it is for IT pros to take responsibility for securing their own data.
Encryption software is a good way to prevent cloud data security issues because once data is sent out to the cloud, organizations essentially relinquish control of it, said Lawrence Pingree, a security analyst at Gartner Inc., a research firm based in Stamford, Conn.
Novati Technologies Inc., a nanotechnology acceleration center based in Austin, Texas, encrypts its data before sending it to Google Gmail, said Patrick Meyer, director of IT for Novati.
"Any time I go to the cloud, I'm exposing myself to any number of data security threats I can't control, like social engineering attacks or someone I don't know accessing that data, even erroneously," Meyer said. "I want to minimize the risk of what happens to my data once it's out of my purview."
Meyer migrated Novati's email system from an on-premises Exchange server to Google Apps last year because it cost significantly less than various Exchange deployment scenarios or Office 365.
Novati had to first secure its data before sending it to the cloud because the company works with U.S. Department of Defense contractors and is required by federal law to comply with ITAR regulations.
Meyer used CipherCloud, which provided Novati with an encryption gateway to send data from its data center to Google's servers. The encrypted data is stored with Google and is essentially useless to anyone without the encryption keys -- including Google -- which are stored on-premises.
"That encryption will protect our data if and when it ends up on an endpoint I have no control over," Meyer said.
IT can also control the human element, such as "not using 'password' or '1-2-3-4' for your actual password," Stark said.
Amazon S3 breach: What's at stake?
Such measures are necessary because even the most secure public clouds are subject to security breaches.
In the recent Amazon Web Services (AWS) S3 security breach, nearly 2,000 buckets on Amazon's S3 were left open to the public when those cloud storage accounts were not set to private.
Some 126 billion files, including car dealership sales records, employee data spreadsheets, unencrypted database backups and videogame source code from a mobile game developer were available for anyone to access, according to a blog post by Will Vandevanter, a senior security consultant for Rapid7, a vulnerability testing company based in Boston.
AWS sets S3 accounts to private by default, but accounts can be opened to the public manually by admins or as the simple result of misconfiguration. Though the exposure wasn't the result of an error on Amazon's part, Vandevanter wrote, it does indicate that many IT pros have embraced the cloud without fully understanding the potential data security ramifications.
AWS has warned its users that their files might be publicly accessible and plans to put measures in place to proactively identify misconfigured files and buckets moving forward, the company said.
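The misconfiguration described above is visible in a bucket's access control list: a grant to the AllUsers or AuthenticatedUsers group is what turns a private bucket into an open one. The following audit helper, an added example that is not part of the original article nor of any AWS or Rapid7 tooling, classifies a bucket from its ACL as returned by boto3's get_bucket_acl(); the sample ACLs and the owner ID are constructed, and the optional audit_account() function assumes boto3 and AWS credentials are available.

```python
"""Audit S3 bucket ACLs for grants that expose a bucket to the public."""
from typing import Dict, List, Tuple

# Canonical group URIs whose presence in a grant makes the bucket public-facing.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "everyone", AUTHENTICATED_USERS: "any AWS account"}


def public_grants(acl: Dict) -> List[Tuple[str, str]]:
    """Return (audience, permission) pairs for every grant to a public group.

    `acl` has the shape of boto3's s3.get_bucket_acl() response: a 'Grants' list
    whose entries carry a 'Grantee' (with 'Type' and, for groups, 'URI') and a
    'Permission' of READ, WRITE, READ_ACP, WRITE_ACP or FULL_CONTROL.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are not public
        audience = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if audience:
            findings.append((audience, grant.get("Permission", "")))
    return findings


def classify(acl: Dict) -> str:
    """'private', 'public-read' (anyone can list keys or read the ACL) or
    'public-write' (anyone can also add/delete objects or change the ACL)."""
    perms = {perm for _, perm in public_grants(acl)}
    if perms & {"WRITE", "WRITE_ACP", "FULL_CONTROL"}:
        return "public-write"
    if perms:
        return "public-read"
    return "private"


def audit_account(region_name=None) -> Dict[str, str]:
    """Classify every bucket in the caller's account (needs boto3 + credentials)."""
    import boto3  # imported lazily so the pure functions above run offline
    s3 = boto3.client("s3", region_name=region_name)
    return {b["Name"]: classify(s3.get_bucket_acl(Bucket=b["Name"]))
            for b in s3.list_buckets()["Buckets"]}


# Constructed samples: the owner's normal FULL_CONTROL grant, and the same
# bucket after an admin added READ for AllUsers (the "public" misconfiguration).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
               "Permission": "FULL_CONTROL"}
SAMPLE_PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER_GRANT]}
SAMPLE_MISCONFIGURED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
```

Running audit_account() against a real account lists each bucket with its classification; any result other than "private" should be reviewed against the business need for that exposure.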
Hybrid clouds counter security concerns
IT pros need to evaluate the business needs of controlling and securing their data against the potential cost savings of putting critical application infrastructure in the cloud, said Lawrence Garvin, a Microsoft MVP at SolarWinds, an IT software vendor based in Austin, Texas.
Not all data is sensitive enough to warrant encryption, but large organizations could use a hybrid cloud model for application deployment to counter concerns about public cloud security.
For example, the applications' front end would be hosted in a public cloud, but the data storage would remain in an on-premises database with a secured data pipeline connecting the two, he said.
"That provides the line of business [with] more ubiquitous access across multiple devices or locations, while letting IT maintain control of that data," Garvin said. "There are plenty of models for IT so we can deal with data security issues but still provide that flexibility and access users want."
The challenge would then be setting up the necessary network connectivity to support heavy data transfers and creating tight integration between the hosted application and the database, he added.