Sunshine, sandwiches, scenic views, and not a care in the world besides the occasional wasp. Everyone loves a picnic.
Unfortunately, the same cannot be said for PICNIC, an enduring acronym in IT circles standing for Problem In Chair, Not In Computer. The term, dating back to the 1980s, was first employed by frustrated IT professionals weary of dealing with computer problems arising from user error rather than any actual issues with the technology.
Such challenges still exist today although, increasingly, they are migrating to the cloud. Data breaches resulting from cloud misconfigurations can have dramatic consequences. For example, the Capital One breach earlier this year affected more than 100 million records.
In most cases, these breaches are not the result of a particularly skilled threat actor or any advanced exploits or malware. Instead the door is left wide open through human error. Unfortunately, such cloud security issues are the result of poor data protection practices. For instance, sensitive information may be stored in unencrypted form or access permissions not locked down properly.
The Capital One data breach, first reported in July, is a particularly powerful example of how poor practices can trigger a major security crisis. The incident saw customer data including more than 140,000 social security numbers, one million Canadian social insurance numbers, 80,000 bank account numbers, and an unknown quantity of customer names and addresses accessed by Paige Thompson, a former software engineer at Amazon Web Services. It has been estimated that the breach could cost the company upwards of $150m.
The breach was made possible by a misconfiguration of the web application developed by Capital One, and not the underlying Amazon cloud-based infrastructure. Amazon also stated that the perpetrator’s specialist insider knowledge was not a factor, but rather the breach could have been carried out by anyone who stumbled on the misconfiguration.
Similar breaches have occurred at Fedex and Californian car dealership services provider Dealer Leads. Indeed, cloud-based data breaches caused by user errors are becoming so frequent that the PICNIC acronym might arguably be updated to stand for Problem In Company, Not In Cloud.
How can firms reduce the threat?
Because cloud-related mistakes can potentially expose businesses to huge and costly data breaches, organisations must do much more to mitigate the risks. It’s very difficult to remove the risk of human error entirely. Organisations need to ensure they implement robust policies to protect sensitive data in the cloud, as well as the right tool to manage them.
An audit is a good place to start. It is impossible to keep sensitive data safe if a company isn’t aware of what information it owns or where it is kept. Many organisations have spent years hoarding as much data as possible, and it’s all too easy for them to lose track as they expand and change their infrastructure.
Audits can help the enterprise get its house in order. Their disciplined approach lets organisations locate and classify any and all sensitive information spread across on-premises and cloud servers. Audits are especially good for identifying data that is governed by regulations such as the GDPR and PCI-DSS.
The challenge with built-in classification capabilities present in many cloud-based solutions is that rule creation and tagging is often a labour-intensive, manual process. For this reason enterprises should look to automate this process as much as possible.
Introducing a least privilege approach
Companies should also adopt the principle of least privilege. The least privilege model dictates that all users should only be able to access assets and resources required for their job role, significantly reducing the risk posed by external threat actors and, equally importantly, unauthorised insiders like Paige Thompson. Organisations that take a least privilege approach for on-premises data, should extend the practice for their cloud data, particularly in hybrid environments.
The situation is not helped by the management capabilities built into certain cloud-based services. Some offer only limited permissions visibility and lack centralised controls for making changes to them. Ideally organisations should have a holistic view of user permissions, and the ability to sync access rights across their environments.
It is also important to involve data owners when reviewing permission rights, but this is something else that is not easily achieved with cloud solutions. Automating the entitlement review and authorisation workflow processes can help to save time and make it easier to keep control of data access.
Ongoing visibility is key
Setting up the right processes and policies is only the beginning. To remain secure, organisations need constant insight into how sensitive assets are being accessed, and by whom. Aside from the vast scale of the data involved, one of the most striking aspects of the Capital One breach is it was only discovered after the perpetrator bragged about it on Slack.
Without tools that give clear visibility of who has accessed what information and when, organisations that make a mistake when configuring a cloud deployment will continue to be vulnerable to breaches of sensitive assets.
The risk of human error is unlikely to go away any time soon. However, organisations that regularly audit their sensitive data, adopt a least-privilege approach and use centralised visibility tools can drastically reduce the risk of PICNIC ruining their cloud security.
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.