Sensitive documents from the US National Geospatial-Intelligence Agency…data on 14 million Verizon customers…voter information on 198 million Americans…Just a few of the reports this year on data breaches—or open data discovered by security researchers before a breach occurred—on Amazon S3 “buckets”.
Amazon’s AWS service offers S3, as simple, do-it-yourself cloud storage, with the option to divide data in up to 100 buckets on Amazon’s servers, each with different permissions and authentication rules.
Securing the servers is Amazon’s responsibility. Configuring and safeguarding the S3 buckets is the responsibility of the bucket owner. And that seems to be where things go wrong.
The S3 buckets come with strong security out of the box. But the owners end up misconfiguring the buckets, leaving their IP addresses wide open on the web for anyone to sniff out, using tools readily available on code repository sites. Further increasing vulnerability, many owners don’t encrypt their data.
FAIR Risk Analysis: Amazon S3 Bucket Security Case Study
Let’s create a case study about a large retailer that has 250 S3 buckets from Amazon. The S3 buckets are servers that need to be configured and secured by the retail company. They contain millions of records of data on customers who shop at the retailer on a frequent basis.
1. Start with Scoping – What’s the Risk (a.k.a. Loss Event)?
The S3 bucket is not the risk, though you might have read this in articles circulating around the web. The true risk here is a company misconfiguring and not properly securing the bucket.
There are 4 main elements to define in scoping:
The Asset at Risk
Something that may be affected, either by diminished value or by creating a liability for the owner. Applying that lens, it’s the data in the S3 buckets that we are concerned about.
The Threat Actor
When looking at recent breaches that are occurring in these buckets we are seeing the main threat as an External Malicious Actor. These actors are out for confidential data that they can sell on the black market.
In other words, what you are worried about happening. The three types of effects are confidentiality, integrity, availability (C-I-A). In this case, the effect would be “C”, a loss of confidential information.
The Loss Event
How much risk is associated with a breach of customer PII data in a misconfigured Amazon bucket?
2. Gather Data, Map It to the FAIR Model
Now that we have defined the loss event, we’re ready to dig in to the analysis by gathering data from experts within the organization (for instance, the incident response, business continuity, or disaster recovery teams).
The FAIR model provides the framework for our research. For any scenario, we need to understand the potential Magnitude (ultimately, the cost in dollars) and Frequency of losses, based on previous experience within the organization and the industry.
I would question the subject matter experts along these lines:
Loss Event Frequency or Threat Event Frequency
- How often does a cyber criminal attempt to steal confidential data from your S3 bucket storage solution?
- What kind of controls are in place around access to the S3 bucket?
- How often is a workstation with access to a bucket compromised?
- How many buckets does your organization have?
- What type of data is on your S3 buckets?
Ask the experts for accurate cost data, based on known costs:
- How many confidential records are in the S3 bucket (give a range to account for a population of these servers) and are they encrypted?
- Primary Costs – in this case, you would want to account for the time spent to remediate this event. Your organization may bring in management to establish a plan of attack or you may bring in investigations, legal, HR, and any other group that would be involved in a data breach.
- Secondary Costs – a.k.a. fallout: if these buckets contain customer information you will need to spend time to notify your customers and provide credit monitoring. Customer service centers will work overtime. You may experience some reputation damage as a result of mishandling your customer data. And customers may sue.
3. Run Your Results, Make Some Decisions
We’re ready to enter the data gathered into a spreadsheet or a commercial application such as RiskLens and use a Monte Carlo function to simulate a vast number of outcomes. The output is a smooth curve graph showing a range of potential losses in dollars on an annualized basis.
Final step: Compare the range to your appetite for risk and decide if risk controls are worth the investment. To protect against a breach of confidential information, controls may be to simply go back and correctly configure your AWS bucket or encrypt the data on the bucket.