When Cloud Solutions Evaporate Security: Lazy configuration and lack of oversight

Dr Irving Hofman

A couple of weeks ago we learned about a serious data breach that exposed the personal details of 50,000 Australian employees. Affected organisations included AMP, Rabobank, UGL, Department of Finance, Australian Electoral Commission and the National Disability Insurance Agency.

It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it ― Stephane Nappo, IBFS Global Chief Information Security Officer, Société Générale

In this particular case, a third-party contractor who works for these organisations misconfigured an Amazon S3 bucket which stored the databases. Not only do organisations need to ensure that their own in-house IT systems are secure, they also need to ensure that any third-party systems which have access to their data are secure. This has huge implications for the upcoming mandatory data breach disclosure laws.

There is no denying that cloud systems are here to stay and anyone who doesn’t get on the bandwagon will be left behind. However, cloud is a relatively new technology, and new technology requires a fundamentally different approach to security. Many of the legacy principles don't translate well to the cloud. A holistic approach, combined with the right security tools available for each cloud platform, is the key.

In the data breach example above, the third-party contractor should have considered using a specialist tool that integrates with Amazon VPC and monitors for security flaws or holes in the implementation. Tools such as “evident.io” would have easily prevented this serious data breach.

Amazon offers tools for creating a secure cloud infrastructure. A dedicated Key Management Service (KMS) can be used to create and control encryption keys to secure your data. The master key is held by the end-user, not a third-party administrator. The AWS Config service can be used to monitor changes to AWS services and automatically roll back any changes that increase security risks or break compliance.

Treating cloud security as an "out of sight, out of mind" matter is a recipe for disaster - Vlad Tsyrlin, Director, Exigence

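As an added example (not part of the original article and not AWS's own code), the Python sketch below audits one bucket's settings for common ways an S3 bucket ends up exposed: public ACL grants, a wildcard bucket policy, disabled Block Public Access and no KMS default encryption. The `cfg` dictionary layout, the bucket name and the sample values are constructed assumptions; the field names follow the S3 API responses.

```python
import json

# Grantee URIs that S3 ACLs use for "everyone" and "any AWS account".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_bucket(cfg):
    """Return a sorted list of findings for one bucket (cfg layout is assumed)."""
    findings = []
    # 1. ACL grants to the global groups expose the bucket to anyone.
    for grant in (cfg.get("acl") or {}).get("Grants", []):
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            findings.append("public-acl:" + grant["Permission"])
    # 2. An unconditional Allow for principal "*" is public access.
    #    Statements with a Condition are skipped here and need manual review.
    policy = json.loads(cfg["policy"]) if cfg.get("policy") else {}
    for st in _as_list(policy.get("Statement")):
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if st.get("Effect") == "Allow" and "*" in _as_list(aws) and not st.get("Condition"):
            findings.append("public-policy:" + ",".join(_as_list(st.get("Action"))))
    # 3. Block Public Access overrides public ACLs and policies when all flags are on.
    pab = cfg.get("public_access_block") or {}
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if missing:
        findings.append("block-public-access-off:" + ",".join(missing))
    # 4. Default encryption should use a KMS key, as the article recommends.
    rules = (cfg.get("encryption") or {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if "aws:kms" not in algos:
        findings.append("no-kms-default-encryption")
    return sorted(findings)

# Constructed sample settings (bucket name and owner id are placeholders).
EXPOSED = {
    "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}]}),
    "public_access_block": {}, "encryption": {},
}
HARDENED = {
    "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"}]},
    "policy": None, "public_access_block": dict.fromkeys(PAB_FLAGS, True),
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
}
```

Calling `audit_bucket(EXPOSED)` returns four findings and `audit_bucket(HARDENED)` returns an empty list; in practice the same dictionaries would be filled from the bucket's ACL, policy, public access block and encryption settings.
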
Adopting cloud technology means staying competitive and agile. Biotech, Pharma and Life Sciences organisations are used to being innovative and at the forefront of technology. Using the best that cloud has to offer need not be risky if the right approach is employed. Sensitive patient/trial data as well as high-value intellectual property can be successfully stored on a cloud platform in a secure and protected environment, thus improving mobility and facilitating collaboration. Securing this information is the key to further progress and the continuing adoption of the technology by these organisations.
