With the recent announcement of AWS’s enhanced security capabilities for their S3 service, I expect that newsworthy data breaches resulting from misconfigured S3 buckets will be on the decline – a good thing for us all. But the recent Alteryx data leak is bubbling up a more fundamental problem that we all need to be thinking about.
Continually evolving cloud services are in the hands of more and more employees
The speed at which cloud services are enhanced by cloud service providers like AWS, Microsoft and Google, combined with the democratization of infrastructure deployment, is a statistician’s playground.
- AWS has released 1,300 new features to their services in 2017, up from a little more than 1,000 in 2016.
- Infrastructure is being deployed faster, by more people and with less visibility by IT Security than ever before. How many employees can deploy AWS resources in your company?
Cloud service providers are investing in making these deployments safer through more intuitive policy management capabilities, but there is still a lot of gray area for exposures to lurk – Alteryx being one of many examples where the gray area made it to the newswire.
The combo pack described above can’t be solved easily using the tools cloud service providers provide today, resulting in a continuing drumbeat of data loss stories to come.
So, what to do?
While cloud configuration policies are still being developed – get some low overhead visibility
Many teams I speak with are still in the process of developing and rolling out internal policies for the who and how, as well as the configuration requirements of IaaS services and resources. My guess is Alteryx is in that process as well. My guess is also that Alteryx – along with their esteemed peers who have also found themselves on the front page – didn’t have enough visibility (or at least usable visibility) into all of the AWS resources in use and their associated vulnerabilities. And they clearly didn’t know the S3 bucket in question was exposed.
What if they had information and visibility like this?
…that all teams responsible for securing their clouds could see, use, and manage to…across all regions, all accounts & VPCs
…that simply shows you where your specific risks exist…
…which would have told Alteryx that they had improperly configured their S3 ACLs
…for only $49 per account per month?
Once your policies are stable – continually identify new services in use and new exposures
As we’ve all experienced, solid and well-executed policies are only one leg of the stool. Even with strong policy configuration requirements being perfectly executed across all teams, you have to keep evolving.
Enhancements to ubiquitous resources like S3 and newly launched cloud services are continually afoot…creating new exposure possibilities that weren’t considered in even the finest grain config management requirements. You have to keep up the visibility.
What if you could continually see newly spun up services, assets and their risks?
- Auto-discovery of new assets and their configuration state
- Continually run, without impacting your resource performance or AWS fees…
…for $49 a month per account.
Seems like a simple equation to me. Check out how Alert Logic’s Cloud Insight Essentials can help you avoid leaky S3 buckets, and other exposures from easy to mess up service configurations.