Many of us woke up to the news that the data of 100 million people was exposed when Capital One's Amazon-hosted servers were breached by a Seattle-based hacker.
While the specifics of the breach may never be made public, this staggering data loss is exceptionally instructive for organizations moving critical systems to the public cloud, which today means virtually all organizations.
Based on the FBI's complaint, the attacker obtained the tens of gigabytes of personal data by compromising a system that held stored credentials (the complaint refers to them as IAM-WAF credentials, so the compromised system may have been a Web Application Firewall) and using those credentials to gain privileged access to Capital One's cloud resources. Once inside, the attacker exfiltrated the data over encrypted channels. In short, the root cause was a configuration vulnerability: credentials that were reachable from the compromised system and privileged enough to read the data.
So what can we learn from this?
First, the Capital One breach does not point to a technological vulnerability in Amazon's or any other provider's cloud infrastructure. It points to a configuration vulnerability. Put simply, the clouds themselves are reasonably secure, but cloud providers do not stop enterprises from deploying vulnerable configurations.
Second, this breach highlights the most critical concept in protecting cloud-based applications: cloud security is a shared responsibility. As Amazon itself highlights on its site, the cloud provider and the enterprise must both contribute to the security model.
When you host your applications on-premises, you are responsible for controls such as physical security. In the cloud, Amazon handles that: it ensures the physical hardware and datacenters are safe, secure and compliant. But what happens within your cloud workloads is your responsibility.
So when considering cloud security, it’s important to realize that the cloud is more like a bazaar than a walled garden. Like a merchant in a bazaar, enterprises in the cloud share common outer controls (Amazon infrastructure) but have full responsibility for protecting their individual stalls (your application, workload, or data storage).
In the case of Capital One, a misconfiguration led to privileged access to a workload that contained a tremendous amount of personal data.
Could A Cloud Workload Protection Platform (CWPP) Have Prevented This Breach?
As outsiders, we can’t know for sure. But it’s reasonable to assume that a comprehensive cloud workload protection platform strategy would have made this type of breach extremely difficult and far easier to detect.
Cloud Workload Protection Platforms pick up security and compliance where the cloud providers leave off. They offer multi-cloud security for the parts of cloud applications for which the enterprise is responsible.
While CWPP products vary in comprehensiveness, a full-spectrum workload protection platform offers the following capabilities, each of which bears directly on the Capital One breach.
- Looks for stored credentials, and monitors and can block the use of cloud provider credentials to access resources such as S3 storage.
- Looks for suspicious sources of access and data egress, such as Tor exit nodes and anonymizing VPNs.
- Prevents exfiltration of sensitive data such as stored AWS credentials and tokens, credit card numbers and social security numbers.
- Detects and blocks system access from unusual sources and anomalous behavior between systems. In this case, the IAM-WAF role was an unlikely principal to be accessing the S3 buckets; that access could have been blocked.
- Provides defense in depth, adding a check on cloud infrastructure configuration and an additional check on the cloud provider's own security facilities.
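The detection logic behind the second, third and fourth bullets can be sketched in a few dozen lines. The following is an added example written for this article, not code from the original post or from any CWPP vendor. It assumes CloudTrail-shaped JSON records and a hand-written behavioral baseline (which role normally calls which AWS service); the role names, account ID, IP addresses, bucket names and object keys are all hypothetical, and the log lines are constructed to mimic a WAF role's credentials being used from an anonymizing source to enumerate and read S3.

```python
"""Anomaly detection over constructed CloudTrail-style events.

Added example, not code from the original article or from any CWPP product.
It assumes CloudTrail-shaped JSON records and a hard-coded behavioural
baseline; the role names, account ID, IP addresses, bucket names and keys
below are all hypothetical.
"""
import json
from collections import defaultdict

# Constructed baseline: the AWS services each role normally calls. A real
# deployment learns this from historical CloudTrail during a training window.
BASELINE = {
    "example-waf-role": {"ec2.amazonaws.com", "logs.amazonaws.com"},
    "example-batch-role": {"s3.amazonaws.com"},
}

# Constructed list of anonymizing egress points (Tor exits, VPN providers).
# In production this comes from a threat-intelligence feed.
ANONYMIZER_IPS = {"198.51.100.23"}

# S3 operations that enumerate or pull data.
S3_READ_OPS = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetObject"}

# Constructed NDJSON CloudTrail records: two lines of normal traffic followed
# by the WAF role's credentials enumerating and reading S3 from an anonymizer.
SAMPLE_EVENTS = """\
{"eventTime":"2019-03-22T10:01:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"10.0.1.5","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/example-waf-role/i-0123456789abcdef0"}}
{"eventTime":"2019-03-22T10:02:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"10.0.2.9","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/example-batch-role/i-0fedcba9876543210"},"requestParameters":{"bucketName":"example-batch-input","key":"jobs/today.csv"}}
{"eventTime":"2019-03-22T10:05:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"198.51.100.23","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/example-waf-role/i-0123456789abcdef0"}}
{"eventTime":"2019-03-22T10:05:30Z","eventSource":"s3.amazonaws.com","eventName":"ListObjectsV2","sourceIPAddress":"198.51.100.23","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/example-waf-role/i-0123456789abcdef0"},"requestParameters":{"bucketName":"example-customer-data"}}
{"eventTime":"2019-03-22T10:06:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"198.51.100.23","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/example-waf-role/i-0123456789abcdef0"},"requestParameters":{"bucketName":"example-customer-data","key":"applications/2019/part-0001.csv"}}
"""


def role_name(event):
    """Extract the IAM role name from an assumed-role ARN, or None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    # assumed-role ARNs look like arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
    parts = ident.get("arn", "").split("/")
    return parts[1] if len(parts) >= 2 else None


def signals(event, baseline=BASELINE, anonymizers=ANONYMIZER_IPS):
    """Return the set of suspicious signals raised by one event."""
    found = set()
    role = role_name(event)
    service = event.get("eventSource")
    if role is not None and service not in baseline.get(role, set()):
        found.add("off-baseline")   # this role never talks to this service
    if event.get("sourceIPAddress") in anonymizers:
        found.add("anonymizer")     # Tor exit / anonymizing VPN
    if service == "s3.amazonaws.com" and event.get("eventName") in S3_READ_OPS:
        found.add("s3-read")        # data enumeration or pull
    return found


def severity(found):
    """An S3 read on its own is normal work; it escalates an anomaly to high."""
    if not found & {"off-baseline", "anonymizer"}:
        return None
    return "high" if "s3-read" in found else "medium"


def scan(ndjson, baseline=BASELINE, anonymizers=ANONYMIZER_IPS):
    """Scan NDJSON records; return (alerts, buckets read off-baseline per role)."""
    alerts = []
    buckets_by_role = defaultdict(set)
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        found = signals(event, baseline, anonymizers)
        sev = severity(found)
        role = role_name(event)
        bucket = event.get("requestParameters", {}).get("bucketName")
        if sev is None:
            continue
        alerts.append({
            "time": event["eventTime"],
            "role": role,
            "action": f"{event['eventSource']}:{event['eventName']}",
            "source_ip": event.get("sourceIPAddress"),
            "bucket": bucket,
            "severity": sev,
            "signals": sorted(found),
            # A CWPP in enforcing mode would deny the call rather than log it.
            "block": sev == "high",
        })
        if "s3-read" in found and bucket:
            buckets_by_role[role].add(bucket)
    return alerts, dict(buckets_by_role)


if __name__ == "__main__":
    found_alerts, touched = scan(SAMPLE_EVENTS)
    for a in found_alerts:
        print(a["severity"], a["time"], a["role"], a["action"], a["source_ip"], a["signals"])
    print("buckets read off-baseline:", touched)
```

Run against the constructed records, the batch role's GetObject raises nothing because S3 is in its baseline and the source is internal, while the three WAF-role S3 calls each trip all three signals and come back as high-severity, blockable alerts. The design point is that no single signal is decisive: an S3 read is ordinary work, and an off-baseline call may be a new feature rolling out, but a principal with no S3 history reading a bucket from a Tor exit is exactly the pattern the fourth bullet describes.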
Details will continue to emerge about this devastating breach. But the big lessons remain clear: moving to the cloud means both different and increased security burdens. While your cloud provider is responsible for its part, configuration and workload security remain the responsibility of the enterprise. A Cloud Workload Protection Platform should be a foundational technology in the overall enterprise cloud security strategy.