Just when you thought that the whole “globally readable Amazon S3 storage buckets” thing couldn’t get any worse, it did.
According to a study by a French cybersecurity firm which looked at 100,000 Amazon S3 buckets…
90% of buckets are private, and therefore not at risk of leaking data or being corrupted by attackers. Of course, that means 10% of buckets are public…
58% of those public Buckets (in other words, 5.8% of the total number of buckets tested) contained readable files, what might allow data leakage.
20% of public Buckets (or, if you prefer, 2% of the total buckets) are not write-protected.
Only a tiny 5% proportion of those public, write-enabled buckets (in other words, a mere 0.1% of the total) don’t contain any files.
This is pretty bad for the companies who own the 2% of buckets which are writeable – this could lead to data corruption, ransomware, etc.
The cloud is a great way to increase efficiency and integrate best of breed solutions into your business, but it requires that administrators be trained for the specific challenges of security in cloud computing. The information is out there – for example, Amazon has a page chock full of security advice.
Businesses should consider getting their employees trained and certified in the ways of the cloud either via vendor neutral certifications or, if you have chosen your cloud platform, via vendor specific certifications like Amazon’s and Microsoft’s.
The people who are plunging in to the cloud and messing up are making it harder for the rest of us who see the cloud as the future to sell its security to management – let’s get our acts together people!