Cloud Security with Object Storage
Many cloud providers are often criticized for the security provided with object storage services. Even more after the disclosure of private information that occurred in 2017 by using these services. These security breaches were also from well-known organizations such as Verizon, Accenture, Booz Allen Hamilton, Viacom, National Security Agency, National Credit Federation, Australian Broadcasting Corporation, Department of Defense, Republican National Committee, etc. There are often new organizations to add on this list but they are the main one from the last months. These organizations were mainly using the object storage service S3 from AWS.
This is not a technology only provided by AWS with the S3 service. There are many services provided by other well-recognized cloud providers to store files in the cloud such as Azure, Google Cloud, DigitalOcean, IBM, etc. However, AWS S3 is definitely the object storage service that is the most used by many organizations. The service was also first released in 2006 before other services from competitors. The statistics are a little bit old but as of April 2013, AWS mentioned that S3 has more than 2 trillion objects stored with 1.1 million requests per second. In 2018, it is possible to assume these numbers are even higher.
Amazon S3 is often wrongly targeted by the media. It is simply the most popular service used by many organizations of all size. We have to keep in mind that object storage is only a way to store files, often with a cloud provider but it could also be with a private infrastructure.
I often read some IT professionals and even information security professionals to have doubts on these services. Mainly doubts on the security measures available to protect the information stored. It is important to understand that security breaches related to object storage are often not related to the underlying technologies. Cloud providers such as AWS, Google and Azure are able to provide secure environment for your files. The configuration for such spaces, or buckets in S3 terms, is secure and private by default. How is it possible in this case to have public files on the Internet?
Simply ask your IT administrators. It is more a question of misconfiguration. In order to authorize a public access to the stored files, someone actually needs to perform a manual action to change the default behaviour. The approach would be different for each service but the principle is the same. It is possible to manage accesses on S3 with rules but other services could be simpler with an option to be set at “Private” or “Public”. This is often a configuration available for the space and/or per file.
Maybe it is the time to review the accesses implemented for your files stored in the cloud? From object storage services like S3 but also on services like Office 365, Dropbox, Google Drive, etc. It is so easy to forget about a file that should not be available for all on Internet.
Are you aware of your third-party vendors who could use object storage with your information? For example, with Verizon and Republican National Committee, in both situations, third-party vendors were involved i.e. Nice Systems and Deep Root Analytics. Organizations easily trust more and more third-party vendors and share confidential information. This data can be about the organization operations but often on clients. Nevertheless, it is important to evaluate the information sent to external vendors and to understand how this one uses the data.