Recently, on Wednesday, July 12, Verizon confirmed that the personal data of roughly 6 million customers had been leaked online.
The security breach, discovered by California-based cybersecurity firm UpGuard, was caused, as CNN states, by “a misconfigured security setting on a cloud server due to ‘human error.’”
ZDNet first reported the story, revealing Nice Systems, an Israeli tech giant analyzing customer support data for Verizon, left an Amazon S3 bucket they controlled unprotected.
The leaked data, comprised largely of customer records and their log files over the past six months, includes personal information like customer names, cell numbers, and account PINs – which, if acquired, would allow a hacker complete access to a customer’s account. The leaked records also contain hundreds of other fields of sensitive personal data like home addresses, email addresses, and account balances.
But Verizon’s cloud security breakdown is like many others we have seen in the recent past – at least in its originating problem. It comes as just one incident in a long list of leaks and breaches resulting from the same root cause: human error.
Reducing human error
In the public cloud’s early days, naysayers were skeptical of its security because of its intangible, Web-based nature. With those misgivings thoroughly defused, many in IT now see the cloud as the obvious choice when it comes to security. And with the ability to write, automate, and consistently enforce security controls within infrastructure, this is no surprise.
There are two principal methodologies that serve as the foundation of cloud security and infrastructure management: Infrastructure as Code and Security by Design.
In order to reduce the possibility of human error and avoid costly data breaches in the cloud, businesses must learn to master both.
It’s all software
Infrastructure as Code (IaC), which originated not long after the launch of Amazon Web Services (AWS), is centered around one core idea – treating infrastructure as software. Through the API-based paradigm of public cloud platforms like AWS and Azure, enterprise IT teams can completely remove manual tasks like configuration management and change management.
Rather than having to maintain and patch individual servers or applications, engineers can orchestrate and provision infrastructure with the same tools developers use to design software. Operations teams can then harden these code-based orchestrations into templates, using configuration management tools to manage things like version control, continuous integration, deployments, and rollbacks evenly across environments.
By writing infrastructure as code and enforcing operations consistently throughout, teams need far less manual maintenance, which drastically reduces the risk of human error or configuration drift.
“Design into,” not “apply over”
Using many of the same foundational principles as IaC, Security by Design (SbD), or Security Automation, is an approach to cloud security centered around treating security as code, and designing settings and controls into your infrastructure, rather than applying them to it.
When building an SbD framework, infrastructure must be formalized, or “templatized”, much like with IaC methodology. Once formalized, security aspects like permissions, logging, identity and access, and other settings can be designed, or written into the infrastructure.
From there, since security controls essentially function as software, management of tasks like provisioning, configuring, and patching can then be automated through configuration management scripts. Like IaC, this enables fully consistent enforcement across environments.
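As an added illustration (not code from the original article or from any vendor named in it), here is a check that could run in a deployment pipeline to reject a CloudFormation-style template whose S3 buckets lack the permission, encryption, and logging settings that SbD expects to be written in. The function name audit_buckets, the resource names, and the sample template are constructed for this example.

```python
# Added example: a pre-deployment check over a CloudFormation-style template.
PAB_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
             "IgnorePublicAcls", "RestrictPublicBuckets")
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}

def audit_buckets(template):
    """Return sorted (logical_id, finding) pairs for each AWS::S3::Bucket."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        acl = props.get("AccessControl")
        if acl in PUBLIC_ACLS:
            findings.append((name, f"canned ACL {acl} is not owner-only"))
        pab = props.get("PublicAccessBlockConfiguration") or {}
        # Templates may carry booleans or the strings "true"/"false".
        off = [f for f in PAB_FLAGS if str(pab.get(f)).lower() != "true"]
        if off:
            findings.append((name, "public access block off: " + ", ".join(off)))
        if "BucketEncryption" not in props:
            findings.append((name, "no default encryption"))
        if "LoggingConfiguration" not in props:
            findings.append((name, "no access logging"))
    return sorted(findings)

# Constructed sample template: one hardened bucket, one weak one, one non-bucket.
HARDENED = {
    "AccessControl": "Private",
    "PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS},
    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "LoggingConfiguration": {"DestinationBucketName": "example-log-bucket"},
}
SAMPLE = {"Resources": {
    "CallLogs": {"Type": "AWS::S3::Bucket", "Properties": HARDENED},
    "SupportExports": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "PublicRead",
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": "true"}}},
    "Queue": {"Type": "AWS::SQS::Queue"},
}}

if __name__ == "__main__":
    for bucket, problem in audit_buckets(SAMPLE):
        print(f"{bucket}: {problem}")
    # Non-zero exit fails the pipeline job when any finding exists.
    raise SystemExit(1 if audit_buckets(SAMPLE) else 0)
```

A bucket declared with no properties at all is also flagged, so a setting that was simply forgotten fails the build instead of reaching production.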
Adopting and implementing Infrastructure as Code and Security by Design takes time, and can pose a number of complex IT challenges. But implementing both in your cloud strategy can reduce the risk of human errors, even the small ones. Because if there is one thing Verizon’s data leak affirms, it’s that small human errors can lead to huge ramifications.
For more insight, check out Ensono’s article on security best practices in AWS.