This blog is the first of our Ionburst series overviewing the benefits and challenges related to object storage in the Cloud. It considers the accompanying data privacy and security concerns, highlights examples of Cloud object storage leaks, and describes how Ionburst alleviates these concerns to put organisations back in control of data privacy and security.

This short series will cover:

  1. Setting the scene: Data privacy implications for Cloud object storage and the Shared Responsibility Model;
  2. How cloud object storage leaks happen in detail, and the extreme extent to which they occur;
  3. How Ionburst uniquely plugs the gap in the Cloud data privacy model by enabling customised organisational control over the privacy of data.

SETTING THE SCENE: DATA PRIVACY IMPLICATIONS FOR CLOUD OBJECT STORAGE AND THE SHARED RESPONSIBILITY MODEL

The “Cloud” is undoubtedly now a mainstay word in the modern technology, business and consumer vernacular. The growth of Cloud computing has been nothing sort of mesmeric, with “new kid on the block” AWS catapulting beyond computing behemoths such as Microsoft and IBM, morphing from online retail marketplace to omnipresent Cloud services provider.

The benefits of scale, agility, flexibility and access to multiple services have understandably driven the case for exponential Cloud storage growth. In contrast, the data privacy and security considerations, and the implications of the shared responsibility model adopted by Cloud providers such as AWS[1], Microsoft[2] and Google[3] are less understood.

Of the many and wide-ranging advances in public cloud computing, arguably one of the most well-known and widely utilised technologies is object storage. Cloud object storage services like Amazon S3, Microsoft Azure Blob Store and Google Cloud Storage have made it simple for developers and organisations to integrate scalable storage into their applications at a lower cost than previously. This has enabled and simplified workflows and use cases like:

  • Backup and Recovery;
  • Data Archiving and Compliance;
  • Big Data Analytics;
  • Hybrid Cloud Storage;
  • Cloud-native Application Data Storage;
  • Disaster Recovery.

However, these benefits and improvements introduce an increased attack footprint for data stored. This is due to the proximity of the object storage services to the public internet, and the minefield of permissions, policies and configuration options that can leave data exposed publicly.

Why is this important? Well, our healthcare, financial, private memberships and family digital assets are likely stored in the Cloud. It’s a big business. For the good and the bad guys.

At its simplest, object storage is a data storage platform that manages and stores data as distinct objects, rather than as files or blocks found in other storage platform types. This abstraction benefits users who only have to consider their data storage requirements, removing the administrative or management burden of NAS (file-level storage) or SAN (block-level storage) platforms.

Data stored on an object storage platform is typically held in resources known as  “buckets” or “containers.” Misconfigurations of these resources leaves data exposed to unauthorised discovery and theft.

Most worryingly, these security concerns are far from theoretical. There have been many data breaches associated with Cloud storage to date. Despite the best efforts of existing security technologies and techniques, high-profile data leaks continue. In January 2020 for example:

  • Researchers discovered personally identifiable information (PII) relating to thousands of UK-based consultants in a publicly available Amazon S3 bucket;
  • Almost 20 Gigabytes (GB) of data belonging to an adult website was discovered in a publicly available Amazon S3 bucket, with some of this data being PII relating to performers;
  • A company supplying software to cannabis dispensaries was found to have exposed more than 30,000 records containing PII from a publicly available Amazon S3 bucket. More worryingly, as some of these records related to the purchase of medical marijuana, there is potential for protected health information (PHI) to be exposed, a federal crime under the US Health Insurance Portability and Accountability Act (HIPAA).

Critically, these breaches were not failures of the Cloud provider. They resulted from poorly scoped or misconfigured end user permissions applied to object storage buckets. This is the challenge for end users organisations arising from the Shared Responsibility Model (SRM).

The SRM describes the division of responsibility and ownership between a Cloud provider and its customers. For object storage, the Cloud provider is responsible for managing and protecting the underlying infrastructure of the storage service.

Crucially, customer data ownership is never in question. The customer is responsible for managing its data, and the permissions or policies that govern access to that data.

For their part, Cloud providers provide all the necessary controls required to ensure data stored is not publicly exposed. However, the prevalence of data breaches involving Cloud object storage suggests a problem.

Either end users find these controls too complex to implement, believe they are not needed, or don’t understand them. Whatever the reason, organisational data privacy and security are impacted, exposing organizational secrets, customer privacy and reputation value.

Or, as the old nursery rhyme goes:

There’s a hole in my bucket, dear vendor, dear vendor…