The Capital One data breach that compromised the personal information of more than 100 million people in the US and 6 million in Canada may have been preventable had the credit card issuer taken more care in configuring the firewall used to protect the system from intrusions.
According to the FBI, Paige Thompson was allegedly able to break into data stored in the cloud, on remote servers maintained by Capital One’s third-party provider Amazon, because the firewall in front of the server was not configured to match the server’s actual setup. That misconfiguration enabled her to access folders of data in Capital One’s storage space. It is still unknown whether she left an opening in the system while she worked at Amazon, or whether she simply knew the configuration well enough to breach it.
Although it is not believed that she used any of the information fraudulently, the issue of security misconfigurations remains top of mind for organizations that use cloud-based services, and it raises questions about the relationship between internal IT and third-party providers.
Provider Security Breaches
It’s hard to tell how well cloud providers are protecting your data. Reading the terms of service will let you know if a company might intentionally use or disclose your data, but it won’t reveal sloppy internal security and a failure to follow security best practices.
Unfortunately, if your organization’s data is compromised, you could be held responsible, even if the provider is at fault. Businesses are required to safeguard sensitive personal information, particularly information governed by compliance regimes such as HIPAA, PCI or GDPR. Even if your cloud provider claims to be “HIPAA compliant,” that doesn’t necessarily protect you or make you compliant.
Lack of Data Encryption
Part of what made it so easy for Thompson to access the information was that the data was not encrypted. Encrypted data storage provides an extra layer of security for your information: if an attacker gains access through some alternate means, as in the Capital One case, where she claimed to use a special command to extract files from a Capital One directory stored on Amazon’s servers, the files they pull out cannot be read without the key.
Encrypted cloud storage doesn’t come standard with most SaaS business software such as Dropbox, Office 365 and Google Apps (now known as G Suite). Many services encrypt data in transit, meaning the information flowing between your computer and the cloud service, which is a great start. However, this protection is usually based on SSL/TLS encryption, which is vulnerable to attacks, and it only covers data while it is moving; once the data lands in the provider’s storage it is no longer protected unless it is also encrypted at rest.
The cloud has changed IT security forever. You can’t just wall in your data with firewalls when your data is scattered all over the planet. You need a combination of layered security for your primary, secondary and archival data including strong encryption. Those layers will also include protections from both external and internal intrusions or malicious actors.
Storagepipe Can Help
At Storagepipe, we’re working hard to make cloud solutions even more secure. Our Veeam-based backup, recovery and DR services include local and offsite backup as well as encryption in transit and at rest to protect data. Encrypting data with enterprise-grade 256-bit AES ensures privacy and protects it from exposure. We have also introduced Insider Protection, a cloud recycling bin capability that protects against accidental or malicious deletion of backups and archives.
Combining these protections with our air-gapped data archival services adds further layers of protection for both short-term and long-term retention and compliance. Our DR as a Service (DRaaS) offerings protect mission-critical systems and data from downtime and ransomware attacks with full system replication and failover.
Whether systems and data are in the cloud or on-premises, the fundamental need to protect information and ensure availability for your business does not change.
Be Safe in the Cloud with Storagepipe