Cloud Security: Lessons Learned from the Capital One Data Breach
2019 has already been rife with cybersecurity woes. Unfortunately, as we enter the second half of the year, things are going from bad to worse.
The recent Capital One data breach compromised the personal data of more than 100 million Capital One customer accounts stored in the cloud. The incident comes on the heels of the massive penalties levied against Equifax and raises a troubling question: are enterprises becoming too complacent about cloud security?
What’s in your cloud?
Attacks of this nature are nothing new. However, Capital One is one of Amazon Web Services’ (AWS) largest and most vocal customers. As Ashwin Krishnan, writing for CSO Online, points out, Capital One representatives appear regularly at AWS events, sharing best practices and touting Capital One’s migration from on-premises data centers to the AWS cloud.
Ironically, the recent breach struck at the heart of Capital One’s operations hosted within the AWS cloud itself. The hacker, Paige Thompson (a former software engineer for AWS), exploited a misconfigured Web Application Firewall and gained access to social security and bank account numbers, credit histories, balances, and more.
Ironically, Thompson used a well-known method for attack in which a server can be tricked into running commands it should never have been permitted to run. The intrusion exploits what has become “…the most serious vulnerability facing organizations using public clouds.”
“So, the question is,” writes Krishnan, “…if one of the savviest AWS customers can suffer such a large and embarrassing data breach, then every AWS (and non-AWS) customer should be concerned...and taking proactive steps to address what cloud security means and what it does not mean.”
Who owns security in the cloud?
With vast amounts of sensitive data at stake, how do organizations like Capital One find themselves in a position of complacency regarding their cloud security posture management?
The AWS shared responsibility model makes it very clear that security is a shared responsibility between AWS and its customers. AWS assumes responsibility for the cloud infrastructure, while customers are responsible for security in the cloud – such as patches and updates, configuration and management tasks, and managing data.
This is where Capital One went awry. The intrusion was the result of flawed configuration work performed as part of the bank’s own security responsibilities and discrete from the underlying AWS-secured infrastructure.
To be fair, Capital One is not alone, many cloud customers misunderstand the shared responsibility model or struggle with knowledge gaps as they transition from physical data centers to the cloud. When surveyed, only 10% of CISOs report that they fully understand the shared responsibility model while 82% of have experienced security events due to confusion in the shared responsibility model.
Lessons to be learned
As digital transformation drives more applications and data to the cloud, cloud customers must do everything they can to ensure their security postures — and those of third party partners — are as robust as possible.
Auditing checklists, like this one from AWS, can help with the task of assessing the security of cloud environments. However, they take time, provide only a snapshot of security risk, and are often a low priority for resource-constrained security teams and risk managers.
Organizations need a way to continuously monitor security performance on-premise and in the cloud without overwhelming security operations teams with alerts and actions with no easy way to prioritize them. Continuously and automatically monitoring cloud service providers and third parties can help security and risk leaders gain extensive visibility into key areas of cyber risk that correlate to a breach, such as compromised systems, unpatched software, and open ports. Monitoring can also reveal single points of failure by highlighting potentially risky service providers connected to a company’s vendors.
As new threats and vulnerabilities emerge, enterprises can instantly assess the impact on their own organizations and digital supply chains. With this knowledge in hand, they can prioritize remediation efforts as needed — without throwing more people at the problem.
Perhaps, most importantly, they’ll have the confidence to make faster, more strategic cyber risk management decisions, stay one step ahead of cyber attackers, and stem the tide of cybersecurity woes that continue to define 2019.