An issue with accessibility caused headlines for Capital One
Disappointingly – there have been a number of reports, most notably in the Wall Street Journal, discussing the dangers of the public cloud, in particular for storage of data. On the 31st July there was a general tone of warning. But by the next day this had risen to general alarm that because Capital One was using AWS, then perhaps others using AWS are also vulnerable. However, of the companies mentioned in the article not all are AWS customers.
Much of the speculation is driven by the discovery that there was more that just Capital One data in the possession of the alleged hacker. First of all, given that this was an alleged hacker this should not come as a complete surprise. Second, let’s not jump to the conclusion that it is all because AWS is being used, in most cases.
Data security, or information security, is driven by two things; availability and accessibility. Availability is the practice of ensuring that data and applications are available to be used. That may be a tautology, but it is worth saying more than once. Accessibility is about making sure that only those people or functions that are supposed to access the data and applications do so. If these two things are assured then your company’s name will not appear in the Journal alongside the phrase ‘massive data breach’..
In the Capital One case – the principle of accessibility was broken – a person and a process that was not supposed to access the data did so. In fact, in the past week there is another story that is much closer to the Capital One incident and which has not been connected to it. On 5th August the challenger bank Monzo advised half a million of its customers to change their pins, after discovering a flaw in their data storage process which broke this principle of accessibility. Customer pin numbers had been stored where its engineers could access and decrypt them. Had there been criminal intent the story would have become much bigger than it has.
From the information that has been published so far on Capital One, we know that as server configuration issue was taken advantage of to allow access to hijack credentials, to then get to the data and siphon it off to a place it was not supposed to be.
This could equally have occurred in a server that was in a corporate data center, or a colocation center (third party data center). In most cases the breach would have been more severe if it were into a corporate data center where most of the protection against a breach is provided by a hard outer shell. Once inside there is normally relatively low levels of security between applications, meaning that other systems within the data center would be easy targets of attack.
In contrast, the quality of security between accounts at the major Cloud Service Providers is very high. AWS is a case in point where jumping between accounts is like moving between data centers – the protection is high between accounts. In many ways it is safer to store data with the major CSPs than anywhere else. The quality of their security teams is excellent, the physical security around the data centers is very good, and the support for using the resource that they provide is very helpful, and they keep all the elements of the environment current and fully patched. There is a discussion to be had about data concentration, data sovereignty and physical attack – and to hear more about that you can listen to episode 19 of the Cloudbusting podcast.
The responsibility for your data security is always yours – and there is always the risk of systematic issues causing problems, which is why patches are being constantly issued – but taking advantage of good tooling and process will help to increase the likelihood of keeping data out of the hands of those who should not have it.
I have no doubt that this story will run for a while – but please read all reports carefully, and don’t jump to the conclusion that there is a systemic issue with public cloud – remember that we all put our money in banks, in spite of the fact that they continue to get robbed – should we go back to putting our money under the mattress?