Is it time for continuous ‘IV&V’ to ensure cloud security?

It is unfortunate to read about another data leakage incident from a DOD agency. The culprit appears to be an Amazon S3 storage bucket left publicly accessible due to an improper configuration setting. AWS offers a rich set of tools and technologies to help protect data and enable flexibility through policy-based configurations. Under the shared security model, it is the users’ responsibility to ensure that security best practices are followed and continuously monitored.

Sadly, this is not an isolated incident. It is very similar to another incident that occurred earlier this summer, when a security breach at Booz Allen Hamilton exposed sensitive NGA data and was extensively reported in the media.

Clearly, cloud platforms like AWS have strong incentives to protect and safeguard customer data. They provide a rich set of features and functions, along with extensive materials to help users configure and deploy these solutions. For example, all S3 buckets are private by default, so it takes an explicit action to make them publicly accessible.

Read more on my blog "LET'S TALK CLOUD SECURITY AND COMPLIANCE"

