How Capital One Illustrates the Need for Cloud Configuration Visibility
July 30, 2019
By now, we all know the story – the personal data of 106 million Capital One card customers and applicants was accessed by a hacker, making it one of the largest data breaches of a financial institution. We’re already seeing a cottage industry being built around “what’s in your wallet” memes, and just when the penalties of the two-year-old Equifax breach are coming to light, the security realities of operating in the public cloud are baked into our brains; no longer is this esoteric stuff. Rather, it’s common, frequent, and it is now driving major economic decisions as organizations seek to avoid the negative fallout from these kinds of breaches.
An interesting wrinkle is that this particular hack was perpetrated by a former AWS employee, Paige Thompson, who posted the private data in a GitHub repository, where it lived for four months before it was discovered. While investigators are still trying to understand the timeline of events, it’s been determined that the data was accessed through an open S3 bucket, and published as a file with more than 700 folders and “buckets of data.”
Charles Barkley will protect the paint, but not your data
The data in question included names, email addresses, Social Security numbers, bank account numbers, credit scores, payment histories, self-reported income, and other private information. Unlike the Equifax breach, where finger-pointing broke out immediately, Capital One has copped to the issue and accepts the blame for having an improperly configured firewall.
Nonetheless, this is clearly a wake-up call both for companies that store data and operate workloads in the cloud. The Wall Street Journal estimates that Capital One’s legal bill could be as high as $150 million, but that doesn’t take into account the erosion of trust among customers, and a black eye to a brand that has spent hundreds of millions of dollars in marketing and advertising. No word yet if they will be able to retain the services of Charles Barkley. Many are hoping they will not.
Cloud security, shared responsibility, and data protection
We’ve seen this before, and we’ll see it again. In the spirit of innovation and transformation, Capital One adopted the strategy of many enterprises who have moved fast to migrate to the cloud. While speed may or may not have anything to do with, this case illustrates the fact that cloud (and multicloud and hybrid) environments are complex. Yes, they’ve been sold as a way to reduce overhead and increase all manner of efficiencies, and there’s no doubt they do these things, but they also bring a model of continuous change and the need to manage all that change. When that doesn’t happen correctly, and the scale at which cloud environments change is beyond anything that even massive numbers of humans could maintain, configurations aren’t watched, access is not controlled, and oversights become crushing problems from which disentanglement is nearly impossible.
“Through 2022, at least 95% of cloud security failures will be the customer’s fault…”
While Gartner is never one for hyperbolic restraint, they make an important point with this comment. CISOs and security team leaders understand the shared responsibility model, but the magnitude of what it means in terms of owning the security of their own data is almost impossible to conceive. As a result, stuff gets missed. Some of that stuff may seem inconsequential – server configurations change, well, isn’t that inevitable? It is, but that small change can result in massive implications if it provides too much access or prevents the ability to see data flow.
Capital One appears to be handling this issue a very un-Equifax-like way; they are trying to get ahead of the story by taking responsibility and cooperating. But brand value and company reputation are at stake all the time, especially in an age where data is among the most valuable corporate assets they own. CIOs and partner executives need to begin demanding that partners abide by the following at a minimum if they want to continue their relationships:
- Apply best practices for configurations across their entire cloud surface to ensure proper security measures are used for all layers of the cloud stack.
- Conduct regular audits of their security and compliance posture.
- Use a continuous cloud security and compliance monitoring solution, and apply an automated incident response to ensure they are effectively made aware of vulnerabilities and delivering rapid remediation and fixes.
Cloud workload and container visibility
Configurations are where so many vulnerabilities get started. Servers, buckets, virtual machines, applications, and other resources change configurations and settings in order to meet business needs and adapt to the integration with other data sources. It’s part of the dynamic nature of the cloud, but it’s also like a constant and continuous game of hide-and-go-seek.
It’s also critical that organizations have insight into their cloud accounts and workloads and container infrastructure. Without insight, the organization is prone to information gaps that prevent their ability to detect misconfigurations, policies not being enforced, or other issues that could easily lead to a breach.
The solution to these potential gaps in cloud security is one that monitors and logs all inter-process activities, even those occurring inside the same file. You need a host-based intrusion detection system designed to monitor process hierarchy, process and machine communications, any changes in user privileges, internal and external data transfers, and all other cloud activity. An effective system looks across all layers, and it analyzes activity based on normalized behavior, which gives a continuous real-time view even across short-lived services that may only exist for a few minutes. Having that process-to-process visibility is a critical factor in having strong, effective security built into any cloud environment.
I’m sure it won’t be long before we read about another partner security breach, but I’m hopeful that as organizations increasingly recognize the value of their data and their relationships with customers, the more we’ll see action towards sustainable solutions to this problem.
Photo by Jens Herrndorff on Unsplash.