There’s been a disturbing trend in several security incidents of late where people lose control of bits of information that are, essentially, left lying around. This happens with storage in the cloud – you set up a quick container on the service of choice, push a copy of your files to the storage area… “just for the time being” and then go about your business. You might be storing a copy of that workbook you created, or of the data you used in the reports, or even just a quick copy so you can get to the information from your home computer…
The issue, of course, is that those areas that are used for temporary or not-s0-temporary storage have to be protected too. When you set up these storage areas, in some cases, it’s just too easy to create it, not go through the settings and leave it hanging open to the world.
There have been cases where S3 buckets (Amazon) were compromised because a bucket was left open with no security and people found sensitive information and were able to get very quick and easy access to that information. This has happened with many other services as well – it’s not a service-related item, it’s an education issue.
This is very reminiscent of other issues with storage options. It started with local copies of files, where people would save copies of their work to their local systems (and in many cases laptops) then lose the laptop or someone would gain access to it. From there, USB keys were a huge issue that weren’t on the data security radar for far too long. The idea that you could just throw in a key, quickly copy your information to the key to work on later, then take the key with you was extremely convenient.
Of course, it’s convenient for others that shouldn’t have access as well.
Now we’re facing a very similar thing with cloud storage. It doesn’t even have to be one of the big cloud providers. It could be one of the “box” or “drive” type services where you can quickly and easily copy information out to the cloud. I’ve seen people use this for copies of database backup files during a migration or for copies just in case or for moving information to a development or test environment. It’s a very easy mechanism and very handy for particularly large files.
One of the issue with this is that it’s not easily policed. It’s very difficult to lock down that type of connection out to the world. In many cases, these services have sought to make it extremely easy to use and that means going through standard ports and protocols and into making signup and setup a very easy process.
I think, again, it will come down to education. Helping people understand that that’s maybe not the best use of these services and that yes, bad people can indeed find that information use it in bad ways, is probably your first and best defense. From there, we’ll need to collectively figure out how to control access to these services.
The most successful approaches I’ve seen have been a sort-of drip approach. A consistent beating of that drum for security. Talking about it, teaching about it, talking about things that happen to others and how it can be addressed in your own environment. Most of all though, it’s keeping it front and center and making sure people understand the threat is real and extremely important.