Checklist 224: Cloudburst Over Hobby Lobby
Reports says a misconfigured AWS cloud server left the info of hundreds of thousands of Hobby Lobby customers exposed. We’ll look at that as well as a few takes on how best to secure the cloud. Plus — revisiting a checklist on cloud misconceptions with “Security in Color” host Dominique West.
Arts, crafts, and data breaches
Cloud computing is everywhere these days. There’s a reason for that: the cloud provides fast, convenient, and scalable infrastructure for businesses and organizations. But as one large arts-and-crafts retailer discovered last week, cloud security isn’t always as easy.
According to an independent security researcher known as “Boogeyman”, Hobby Lobby exposed one of their Amazon Web Services (AWS) cloud databases — and with it, a raft of customer data.
Boogeyman says that they were able to access customer names and contact details, physical address locations, and partial payment-card information. The researcher also said that the chain’s employees were affected: their names and email addresses were exposed as well. All told, around 138 GB of data was leaked. The data breach may have impacted as many as 300,000 customers.
So how did this happen? It appears that a cloud bucket misconfiguration was to blame. In other words, Hobby Lobby failed to set up their AWS database correctly. Security experts warn that this sort of mistake is all too common — and that hackers are well aware of it, and are actively looking for vulnerable cloud data.
The scope of the problem is truly worrying, and goes far beyond the occasional data breach that might affect the customers of this business or that. According to Howard Boville, Senior VP of IBM Hybrid Cloud, many businesses have now created a sort of “Frankencloud”: an unwieldy behind-the-scenes cloud infrastructure that attempts to cobble together many different (and disconnected) pieces and parts. Boville warns that this approach, while understandable, also carries risk:
Security teams cite this complexity as one of their largest challenges. Forced to rely on dozens of vendors and disconnected security products, the average security team is using 25 to 49 tools from up to 10 different vendors. This disconnect is creating blind spots we can no longer afford to avoid. Security systems shouldn’t be piecemealed together …
Boville argues that companies should look for cloud providers who are willing and able to help them with cloud security. He also notes that a diversity of technologies doesn’t have to be a liability, provided that companies and vendors adopt a “security-first” mindset that guides the way they use the cloud.
And what about the Hobby Lobby customers whose data was exposed? Unfortunately, while we did look on Hobby Lobby’s website, we weren’t able to find a public statement from the company about the incident. It’s still unclear if they plan to notify affected users. The good news is that the exposed data appears to have been locked down, but still, if bad actors were able to access any of that before news of the breach went public, Hobby Lobby customers could be at risk for things like identity theft or phishing attacks.
Getting the cloud right
Back on Checklist 197, we spoke with cloud security expert Dominique West. In light of this week’s topic, we wanted to revisit some of that conversation in order to provide a bit more insight.
West says that there are still a lot of misconceptions about the cloud. These misconceptions can make things like the Hobby Lobby breach seem scarier than they really are. She gave us her own “checklist” of things that people get wrong about the cloud (as well as some ways to get it right!):
The cloud isn’t safe
Untrue, says West. Configured properly, cloud data storage is actually much safer than traditional data centers. Here’s why: Cloud providers have a business model based on safe data storage. For this reason, they invest heavily in security technologies, and generally offer excellent security features. The issue is (as Hobby Lobby discovered), you have to use those features properly. A company that rushes its migration to the cloud, or that doesn’t seek out technical help when necessary, is asking for trouble.
My cloud provider will save me
Cloud technology is secure … but using it correctly is still the responsibility of the company that has purchased the cloud services. Google or AWS aren’t going to “lose” your customers’ data. But they also can’t stop you from misconfiguring a storage bucket and inadvertently exposing that same data. Companies that migrate to the cloud need to realize that they bear the ultimate responsibility for doing it correctly. As IBM’s Howard Boville suggests, smart companies will look for a cloud provider that offers them the level of support they need.
You need a new team to move to the cloud
West sees lots of different companies migrating to the cloud in her role as a cloud security consultant. She says she’s noticed that organizations shy away from empowering their own personnel to use the new cloud technology. Consultants can help move a company to the cloud safely and quickly — but if the company’s existing teams have no idea how to use that tech once the consultants leave, what then? For this reason, West recommends that companies involve, train, and leverage their own people from the outset if they want sustainable, long-term cloud security.
Security and innovation don’t mix
At times, DevOps teams within companies see security teams as antagonists. The development people want to “move fast and break things”, while the security people keep putting up roadblocks. But West says that when it comes to cloud security, innovation and security go hand in hand. She points out that security teams are frequently at the forefront of innovation, especially in terms of leveraging things like AI and machine learning. Yet she cautions that real cloud security can only be accomplished by involving security teams in the creative process from the very beginning. If security is treated as an afterthought, then vulnerabilities (or time-consuming delays) will result.
On-premise strategies work in the cloud
West finds that far too many companies think they can migrate their on-premise security strategies to the cloud just like everything else — which is a big mistake. The cloud is different from on-premise data storage in some pretty fundamental ways. This means that companies need to rethink things like identity and access management, device management, and data loss prevention … because the old ways of handling those things may not work in the cloud. West emphasizes the fundamental importance of training a company’s existing teams to operate in their new, cloud-based reality. Educating employees about how the cloud differs from what they are currently doing will empower them to architect a company’s cloud implementation securely and effectively.
Do you have an idea for a future show, or maybe just a security question you’d like to see answered? Write to us and let us know! If you want to learn more about security and privacy topics, be sure to take a look through The Checklist archives. We have full audio and show notes for every single episode of the podcast, going all the way back to the very first one!