Capital One dominated the headlines this week when they disclosed that they had become the latest hacking victim with a massive data breach this past March. Over 100 million people had social security numbers, bank account information, and other personal data exposed when a hacker got access to Capital One’s critical infrastructure running in AWS via a misconfigured firewall.
Email tip alerting Capital One to the data breach.
Since the story broke, many have rushed to ask how Amazon could allow this to happen. However, what most don’t realize, is that Amazon does not promise to secure your full system, nor have they ever claimed to. Amazon is very specific about security being a shared responsibility between them and their customers. Does this mean Amazon bears no responsibility in a breach like this? Not entirely (more on that later).
Responsibility of the User
One major issue is that the speed at which technology has become accessible has outpaced the general ability of consumers to wield it properly. Over the last 6 months, there have been hundreds of data breaches (that we know of), and the most common reason for these ultimately turns out to be human error. It can be people who are underqualified using complex and powerful tools they don’t fully understand or simply haven’t enough experience implementing. Or, they are being encouraged to push the technology in ways it is not engineered to support. As you have often heard…
“With great power comes great responsibility.“
But it’s not just underqualified users who misuse technology. Easy access to technology can give users a false sense of security, with the misperception that just because it is backed by a big name, then it must be tested and trusted and therefore fail-safe. However, every user must know their own, and the technologies’, limitations. They must be encouraged to ask for help. They must also realize that easy technology often comes at a price.
This happens over and over—easy access to complex technology has encouraged bad behavior, which when viewed from outside the bubble would be quite shocking. For example, would you ever print a list of your customers and leave it in a coffee shop? For most, this would be a clear violation of data safety. But, many people don’t hesitate to gather customer data spun up from a database or push data to cloud storage to view it somewhere else for deeper analysis. The justification for this action is always the same, “I am doing what I need to do to get the job done.” Employees crunch the numbers, analyze the data, and even get praise from their boss for a quick and timely analysis. But this data is now outside corporate oversite, and at risk.
“Fully Managed” by Cloud Providers
Cloud providers often use the term “Fully Managed” to market and position their solutions, but this can be harmful. People have different ideas on what being fully managed means, and it gives the customer a false sense that technology they don’t understand or systems they have no experience with will be managed in full by the provider.
This misrepresentation and misunderstanding leads the customer to overlook important details they would (or should) have taken note of if they were solely responsible for their systems. This also leads to a lack of client trust and lower customer satisfaction when expectations are not met.
Think about this—cloud services are designed to be mass-produced. Vendors are designing and building tools and infrastructure that, out of the box, have to meet the broadest baseline of demands. Therefore, when you are adding something designed for the cloud it is built for out-of-the-box simplicity and access for the masses. However, each application and workload is unique, so you will need to take something that is mass-produced and customize it to ensure your applications and data are secure, sage, and can scale.
How can cloud providers like Amazon help mitigate this issue? There are several ways. They can give users tools to validate and confirm they have not unintentionally left something open. They can educate customers that their version of fully-managed does not equate to 100% hands-off management or no customer responsibility. Finally, they can review how tools are being used and adjust the defaults to make things more secure in response to issues that occur.
You Got Yourself Into This… Get Yourself Out
There is immense pressure on companies to cut costs, speed up delivery, and do more with less. This pressure has encouraged people to find different—sometimes better, sometimes worse—ways of solving complex problems with technology. Automation and X as a Service (XaaS) providers offer a convenient and easy answer to quickly solve issues. Unfortunately, many people set up an environment and then move onto the next thing, forgetting that applications are living, breathing entities that evolve and change over time and thus require maintenance. Reliance on 3rd-party services can become a double-edged sword that lulls you into a false sense of security. The rapid pace of innovation and external pressures, combined with easy, often misunderstood tools, combines to create an environment where mistakes and human error can bloom.
Human error is unavoidable, and we can only hope to influence brand marketing, so now what do you do? There are some key steps you can take to put your company in a position to avoid major catastrophes.
- First, users need to trust but verify. Ask questions, understand the technology you are implementing, and learn the advantages and limitations to the systems you are integrating.
- Second, implement best practices and create a depth of defense. Preventing people from accessing systems with firewalls or access controls is a good start, but you should also plan for someone to get in both on purpose and by accident. Build and anticipate response scenarios to known threats as well as to random occurrences.
- Third, focus on the data. Simply getting into a system is not the real threat; access to user data is. Encrypt your data, then audit and look for any holes in how users access and disseminate the data. Set up alerts for any and all suspicious behavior, and build strong data policies to keep and maintain control in the long term.
- Finally, check all the doors. One of the main areas where outages and breaches occur is in untested and ancillary spaces that no one thought to look. In the case of Capital One, the data was in Amazon Simple Storage Service (S3) buckets.
S3 is marketed as a platform that allows you to “store your data and secure it from unauthorized access”. But, how you manage access and how you configure and set up your system is your responsibility, not Amazon’s.
So what happens? Sometimes, services like S3 are not used just in primary applications, but for offline storage, backups, and transient storage. These secondary areas are typically not tested and secured the same way overall applications are. A great deal of time is spent making sure applications are bulletproof, but oftentimes secondary systems are overlooked.
The gaming industry is a prime example. If a game launches and experiences issues, the game itself is not the issue but the integrated apps, such as leaderboards or matchmaking, that were left untested are determined to be the cause. It’s the same thing here—the app is tested and made secure, but the job to backup or load data in the app were not tested and are at risk.
Data breaches are becoming a common occurrence. However, with clear roles and responsibilities, better awareness, in-depth training practices, and a thorough examination of all your entry points, you can protect your business and your customer’s data from becoming an easy target.
For more on this topic, please check out Percona Founder and CEO Peter Zaitsev on the CXFiles Podcast talking about Data Security and CX. After the Capital One hack, how do you protect customer data?
About Percona
Percona delivers enterprise-class solutions for MySQL®, MariaDB®, MongoDB®, and PostgreSQL across traditional and cloud-based platforms, including Amazon AWS. As a leading provider of unbiased open source database solutions, Percona helps organizations easily, securely, and affordably maintain business agility, minimize risks, and stay competitive.
For more information, visit www.percona.com.
The title is somewhat misleading, the person that got their data copied (or stolen as some call it) didn’t really have a say in the matter.