As reported yesterday, and since picked up by news outlets everywhere, a cyber risk analyst discovered extensive personal information, including political preferences, on more than 198 million US citizens hosted on a publicly accessible cloud server. The server required no authentication of any kind: the data was available to anyone who found the URL.
Public cloud providers secure their own infrastructure, but the organizations that use these platforms are responsible for securing access to their accounts and data (the shared responsibility model). In this case a data firm contracted by a political party had no basic protections in place after a security settings update on June 1, which left deeply personal information on over 60% of the US population exposed. The data was discovered on June 12 and the server was secured on June 14, a window of roughly two weeks in which anyone who found the URL could have downloaded it.
Cloud services are an excellent business resource: flexible, scalable, and inherently good at enabling collaboration. Putting data into the cloud and allowing open access to anyone with the right URL happens regularly. Some users do it on purpose, assuming the link won't be found by anyone other than the intended recipient; that is 'security by obscurity' and nothing more, since an unauthenticated URL can be indexed, forwarded, leaked from logs or browser history, or simply guessed. Others do it by simple mistake, not realizing they are exposing data publicly because they are unfamiliar with the settings of a particular cloud platform. Even sophisticated users slip up: security settings are often 'inherited' within file sharing structures, so a change in one place can cascade into unintended changes elsewhere, for example making a single folder public and, with it, every file and subfolder beneath it that was relying on the inherited setting.
However it happens, exposing sensitive data via a public URL puts an organization in a high-risk situation, because anyone who finds the URL can read the data, and by the time the exposure is noticed the organization usually cannot tell who already has. The incident in the news this week is just one example of many.
A Cloud Access Security Broker (CASB) that monitors, secures and controls the use of cloud applications could have caught this mistake. Such a CASB could have: identified this data as Personally Identifiable Information (PII), one of the most confidential and regulated data types; detected that this confidential data was exposed to public view; automatically blocked users from uploading PII into a publicly accessible folder; and alerted the cloud service's administrator that users were storing PII in it. The detection half matters as much as the prevention half: here the exposure was created by a settings change after the data was already stored, so a one-time check at upload would not have been enough, and stored content has to be re-evaluated whenever permissions change.
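Here is an added example of the checks just described, written for this page and not taken from CloudSOC or any other product. It is a toy model of a cloud file share with inherited ACLs (the cascade described above), a PII classifier built from regular expressions for US Social Security numbers, e-mail addresses and US phone numbers, an upload-time decision that blocks PII bound for a public location and alerts on PII anywhere else, and an audit that re-scans stored objects after an ACL change. The folder tree, file contents, pattern set and policy outcomes are all constructed for illustration and are assumptions of this example, not of the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a small model of a cloud file share whose ACLs are inherited
# down the folder tree. Simplified illustration only, not any vendor's real API.

PII_PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_phone": re.compile(r"\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
}


@dataclass
class Folder:
    name: str
    public: Optional[bool] = None          # None = inherit from the parent folder
    parent: Optional["Folder"] = None


@dataclass
class StoredObject:
    path: str
    content: str
    folder: Folder
    public: Optional[bool] = None          # None = inherit from the containing folder


def effective_public(node) -> bool:
    """Resolve an inherited ACL: the nearest explicit setting wins; the root defaults to private."""
    while node is not None:
        if node.public is not None:
            return node.public
        node = node.folder if isinstance(node, StoredObject) else node.parent
    return False


def classify_pii(content: str) -> list:
    """Return the PII categories whose pattern matches the content, in PII_PATTERNS order."""
    return [name for name, rx in PII_PATTERNS.items() if rx.search(content)]


def decide(obj: StoredObject) -> str:
    """Upload-time policy: block PII going to a public location, alert on PII anywhere else."""
    pii = classify_pii(obj.content)
    if not pii:
        return "allow"
    return "block" if effective_public(obj) else "alert"


def audit(objects) -> list:
    """Re-scan stored objects (e.g. after an ACL change) and list PII that is now world-readable."""
    return [obj.path for obj in objects
            if classify_pii(obj.content) and effective_public(obj)]


def build_sample():
    """Constructed tenant: private root, a 'shared' folder that inherits, voter files beneath it."""
    root = Folder("root", public=False)
    shared = Folder("shared", parent=root)            # inherits: private for now
    voters = Folder("voters", parent=shared)          # inherits from 'shared'
    website = Folder("website", public=True, parent=root)
    objects = [
        StoredObject("shared/voters/ohio.csv",
                     "Jane Roe,123-45-6789,jane@example.com,(614) 555-0199", voters),
        StoredObject("shared/voters/model_notes.txt",
                     "Turnout model v3: weights and feature list", voters),
        StoredObject("shared/voters/locked.csv",
                     "John Roe,987-65-4321", voters, public=False),   # explicit ACL
        StoredObject("website/logo.png", "<binary image data>", website),
    ]
    return shared, objects


def demo():
    """Show the cascade: one folder flipped to public exposes every child relying on inheritance."""
    shared, objects = build_sample()
    before = audit(objects)        # nothing exposed while 'shared' inherits private
    shared.public = True           # the settings change that cascades to every child
    after = audit(objects)         # ohio.csv is now public; locked.csv kept its own ACL
    return before, after


if __name__ == "__main__":
    exposed_before, exposed_after = demo()
    print("exposed before ACL change:", exposed_before)
    print("exposed after ACL change:", exposed_after)
```

Run it and the audit returns nothing before the 'shared' folder is made public and one exposed path afterward; the file that set its own private ACL is unaffected, which is exactly the difference between an explicit and an inherited setting. A real CASB does the same evaluation against the provider's API with far richer classifiers, but the logic is the same: classify the content, resolve the effective permission, and act on the combination.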
The critical need to prevent and remediate these types of data exposures is motivating organizations to adopt CASB at a rapid pace. Gartner predicts CASB will grow five times faster than the overall information security market from 2015 to 2020.* And it is growing even faster than that at Symantec, which is why we are investing so much into developing our CloudSOC CASB solutions for both SaaS and IaaS and integrating those solutions with our extended family of enterprise security products such as DLP and encryption. The cloud is driving collaboration and innovation at a furious pace and security that can both protect and enable use of the cloud has become a critical requirement.
Learn more about CloudSOC to make sure your organization doesn’t make the same mistake.
* Gartner. Forecast Snapshot: Cloud Access Security Broker, Worldwide, 2017. 16 March 2017