Amazon Web Services has announced that new safeguards have been incorporated into its cloud server that reduce the probability that users to misconfigure their S3 buckets. If their S3 buckets are not configured in the correct manner, users risk accidentally leaving the data they store on the server unsecured.
Amazon will sign a business associate agreement with HIPAA-covered entities, and has implemented appropriate controls to ensure data can be stored securely. However, while their software incorporates all the appropriate security measures, user errors can easily lead to data exposure and breaches. Those breaches show that even HIPAA-compliant cloud services have potential to leak data.
This year has seen many organizations accidentally leave their S3 data exposed online. This includes several healthcare organizations, which compromises the integrity of PHI. Two such breaches were reported by Accenture and Patient Home Monitoring. Accenture was using four unsecured cloud-based storage servers that stored more than 137 GB of data including 40,000 plain-text passwords. The Patient Home Monitoring AWS S3 misconfiguration resulted in the exposure of 150,000 patients’ PHI. In both cases, had they configured their S3 correctly or used appropriate services which used secure software, the PHI would have remained safe and HIPAA legislation would now have been violated.
In response to multiple breaches, Amazon has announced that new safeguards have been implemented to alert users to exposed data. While there are reasons why organizations would want their Amazon S3 buckets accessible over the Internet without the need for authentication, in most cases stored data should be protected.
Amazon further stated that it is implementing a warning system that will alert users when authentication controls are not active. A bright orange button will now appear throughout the AWS console to alert users when their S3 buckets are accessible without the need for authentication. Administrators will be able to control the privacy settings of each S3 bucket using an access control list, and publicly available buckets will be clearly displayed. Daily and weekly reports will also highlight which buckets are secure, and which are accessible by the public.
In addition to the data breaches resulting from exposed Amazon S3 buckets, many organizations have reported breaches involving unsecured MongoDB databases this year. Unauthorised database access has been a threat to many organisations in recent years; more than 27,000 organizations across the globe have had their databases accessed, data stolen, and their databases deleted. The hackers responsible for the breaches have issued demands for payment to return the stolen data.
While MongoDB incorporates all the necessary safeguards to prevent unauthorized accessing of databases, those safeguards must be activated manually. Many organizations failed to realize that the default configuration was not secure.
MongoDB has responded to the breaches and has taken the decision to implement default security controls for the new version of the database platform, which is scheduled to be released next month. MongoDB 3.6 will only have localhost enabled by default. Users that require their databases to be accessible over the internet are responsible for activating that feature themselves. Doing so will make the databases accessible by anyone, so to restrict access, authentication controls will need to be manually switched on. The new secure default configuration will make it harder for data to be accidentally exposed online.