1 in 6 Amazon cloud users put data at risk

Many organizations are relying too much on their vendors for cloud security, according to a recent study from security researchers. 

One in six users of Amazon’s popular S3 cloud storage service have opted to set portions of their data as public instead of private, according to a report from security firm Rapid 7.

The problem is a configuration error. Amazon’s cloud storage service allows users to organize their content into groups called buckets, which can be easily accessed at predictable URLs.

Those buckets can be set as either public or private. A public bucket lists the names of the files it stores to anyone who simply enters the bucket’s address in a web browser, whether or not that viewer can download the files.

That’s dangerous because, as Rapid 7 points out, it makes it much easier for unauthorized people to download unprotected files, and the file names themselves can reveal sensitive information even if the files can’t be downloaded.

And it turns out many buckets are set to be public when they probably shouldn’t be. Among the 12,238 Amazon buckets Rapid 7 analyzed, 1,951, or about one out of six, were public. Some of the information researchers were able to find in those buckets included:

  • Sales records and account information for a large car dealership
  • Affiliate tracking data, click-through rates, and account information for clients of an advertising agency
  • Video game source code and development tools for a mobile gaming firm
  • Sensitive personal information about various companies’ employees, and
  • Various files containing usernames and passwords.

Don’t rely on others for cloud security

The companies that own those buckets of data appear to be breaking one cardinal rule of cloud security: relying on cloud computing vendors to keep data secure.

The fact is that most vendors don’t believe that cloud security is their job. In addition to properly vetting providers to make sure their systems are secure, companies need to take some steps of their own to protect data in the cloud.

Some of the key steps to take for cloud security:

  • Pay close attention to how a service is configured to find potential causes of data breaches
  • Encrypt data in the cloud, as well as when it’s transferred to and from the cloud service
  • Manage users’ access to cloud services and enforce strong password policies, and
  • Regularly audit and test cloud services to find possible security vulnerabilities.
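
One way to run the configuration check and regular audit from the list above against your own S3 buckets, as an added example that is not code from Rapid 7 or Amazon: it flags bucket ACL grants made to S3's predefined public groups. The input has the shape of an S3 GetBucketAcl response; the bucket names and owner ID are constructed, and only ACL grants are examined, not bucket policies.

```python
"""Flag S3 bucket ACL grants that open a bucket to the public (added example)."""

# Predefined S3 grantee groups that make a grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# What each bucket-level ACL permission lets the grantee do.
RISK = {
    "READ": "list file names",
    "WRITE": "create, overwrite or delete files",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "list, write and rewrite the ACL",
}

def public_grants(acl):
    """Return (who, permission, risk) per public grant in a GetBucketAcl-shaped dict."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and who:
            perm = grant.get("Permission", "")
            findings.append((who, perm, RISK.get(perm, "unknown permission")))
    return findings

def audit(acls):
    """Map bucket name -> public findings, omitting buckets with none."""
    report = {name: public_grants(acl) for name, acl in acls.items()}
    return {name: found for name, found in report.items() if found}

# Constructed sample ACLs; bucket names and the owner ID are hypothetical.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
SAMPLE_ACLS = {
    "example-private": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
    "example-listable": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": ALL_USERS, "Permission": "READ"},
    ]},
}

if __name__ == "__main__":
    for bucket, found in audit(SAMPLE_ACLS).items():
        for who, perm, risk in found:
            print(f"{bucket}: {who} can {risk} ({perm})")
```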
