
A Leak, Daan Mooij

A large ‘leak’ of Attunity customers’ data, reported by UpGuard, became public last week. Attunity is a ‘Data Integration and Big Data Management’ service that is (or was) ‘Trusted by Half the Fortune 100 and 2000+ Customers’.

Nearly a terabyte of Attunity customers’ business documents and email had been publicly accessible in an S3 bucket for some time. UpGuard’s post highlights a treasure trove of system and database credentials from companies you’ll recognize.

Obviously, Attunity should ‘know better’, since their customers hire them for their expertise, and one of the affected products, Replicate, claims:

Used by hundreds of enterprises worldwide, Attunity Replicate moves your data easily, securely and efficiently with minimal operational impact. (emphasis added)

Traditionally, customers of third-party managed services have been in an awkward position when it comes to securing their data: it sits on infrastructure they do not control (open scp, ftp or webdav file servers, for example).

The Cloud changes this a bit by providing some controls you can use to secure your data, stay out of the news and gauge the security posture of your partner (the managed service).

What’s a customer to do?

Let’s examine three controls customers can adopt to help keep control of their data stored in S3 (or another Cloud object store) while still making it accessible or manageable by third parties.

Store the data in your own Cloud accounts

First, consider storing the data in your own Cloud accounts so that you retain control over the resources. For example, you could create the S3 bucket and grant access to the third party using an S3 bucket policy. The bucket policy should also require that all data written to the bucket be encrypted with a KMS key (SSE-KMS). Create that key in an AWS account you own, dedicated to the business function the service performs, e.g. ‘corporate-backups’. You will then need to grant the third party, in the KMS key policy, the operations S3 performs on their behalf: kms:GenerateDataKey to write objects under that key and kms:Decrypt to read them (multipart uploads need kms:Decrypt as well). Scope that grant with the kms:ViaService condition so the key is usable only through S3.

With this approach, you manage two independent access controls on your data: the bucket policy and the key policy.

Only AWS principals that have been granted access to both the bucket and the key can read the data.

Because you retain this degree of control, revoking access at any time is simple: change either the bucket policy or the KMS key policy.
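As an added example (not code from the original post or from Attunity), the two resource policies described above expressed in Python, plus a small check that a principal can read objects only when both policies name it. The account IDs, role ARN, bucket name and key ARN are constructed placeholders; the KMS key policy half is the same one you would keep in the ‘keep the keys’ arrangement in the next section.

```python
"""Two resource policies the data owner keeps under their own control:
an S3 bucket policy that admits one third-party role and refuses writes
that are not SSE-KMS under a specific key, and the KMS key policy that
lets the same role use that key only through S3. Account IDs, role,
bucket name and key ARN are constructed placeholders for this example."""
import fnmatch
import json

OWNER_ACCOUNT = "111111111111"                                        # assumed: your account
THIRD_PARTY_ROLE = "arn:aws:iam::222222222222:role/ReplicateService"  # assumed: vendor's role
BUCKET = "corporate-backups"                                          # assumed bucket name
REGION = "us-east-1"
KEY_ARN = (f"arn:aws:kms:{REGION}:{OWNER_ACCOUNT}:key/"
           "11111111-2222-3333-4444-555555555555")                    # assumed key ARN


def build_bucket_policy(bucket, key_arn, grantee_arns):
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ThirdPartyObjectAccess", "Effect": "Allow",
         "Principal": {"AWS": list(grantee_arns)},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": [bucket_arn, f"{bucket_arn}/*"]},
        # Explicit Deny beats any Allow. The two SSE checks are separate
        # statements on purpose: keys inside one Condition block are ANDed, so
        # a single StringNotEquals carrying both keys would let through an
        # upload that uses SSE-KMS under the wrong key.
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{bucket_arn}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyWrongKey", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{bucket_arn}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [bucket_arn, f"{bucket_arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def build_key_policy(owner_account, grantee_arns, region):
    return {"Version": "2012-10-17", "Statement": [
        # The owner keeps full administrative control of the key.
        {"Sid": "OwnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
         "Action": "kms:*", "Resource": "*"},
        # The third party can only use the key through S3 in this region,
        # so a stolen role credential cannot decrypt data outside S3.
        {"Sid": "ThirdPartyUseViaS3", "Effect": "Allow",
         "Principal": {"AWS": list(grantee_arns)},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}}},
    ]}


def _allowed_principals(policy, action):
    """ARNs named in Allow statements whose Action patterns cover `action`."""
    found = set()
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            who = st["Principal"]["AWS"] if isinstance(st["Principal"], dict) else st["Principal"]
            found.update(who if isinstance(who, list) else [who])
    return found


def can_read_objects(bucket_policy, key_policy, principal_arn):
    """Reading an SSE-KMS object needs s3:GetObject on the bucket AND
    kms:Decrypt on the key. Only the two resource policies are modelled;
    identity policies inside your own account are not."""
    return (principal_arn in _allowed_principals(bucket_policy, "s3:GetObject")
            and principal_arn in _allowed_principals(key_policy, "kms:Decrypt"))


def revoke(policy, principal_arn):
    """Return a copy of `policy` with the principal removed from every Allow."""
    kept = []
    for st in policy["Statement"]:
        who = st.get("Principal")
        if st["Effect"] == "Allow" and isinstance(who, dict) and "AWS" in who:
            arns = who["AWS"] if isinstance(who["AWS"], list) else [who["AWS"]]
            arns = [a for a in arns if a != principal_arn]
            if not arns:
                continue                      # statement would grant nobody; drop it
            st = {**st, "Principal": {"AWS": arns}}
        kept.append(st)
    return {**policy, "Statement": kept}


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(BUCKET, KEY_ARN, [THIRD_PARTY_ROLE]), indent=2))
    print(json.dumps(build_key_policy(OWNER_ACCOUNT, [THIRD_PARTY_ROLE], REGION), indent=2))
```

Running the script prints both policies ready to paste into the console or an IaC template; `revoke` shows that removing the role from either document is enough to cut off reads, which is the revocation property the section relies on.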

If you feel that gives up too many of the ‘managed’ benefits of the service, you can use a hybrid of this approach.

Keep the keys, let third party manage the data

You may have a scenario where you don’t want to manage buckets or other datastores yourself. In that case, you can still provision the KMS key in your own account, manage access to it, and have the third party encrypt your data in their bucket with that key.

Because you own the encryption key and its key policy, you still hold a robust access control over your data: whatever is written under the key can only be read by principals your key policy allows to call kms:Decrypt.

If and when you decide to stop using the third-party service (e.g. the migration is complete), you can remove the third party’s access via the key policy.

You could even delete the key, rendering the encrypted data unrecoverable by anyone. Note that KMS does not delete a key immediately: deletion is scheduled with a waiting period of 7 to 30 days, during which the key cannot be used but the deletion can still be cancelled. Disable the key first and confirm nothing legitimate breaks before scheduling deletion.

Monitor and Audit

Another option is to let the third party manage all of the storage and access control for your data, and rely on monitoring and periodic audits to detect access-control problems. You will need to know the names of the bucket(s) where your data is stored.

Possibly the simplest thing you can do today is to monitor a canary file for readability, both as an unauthenticated user and as any authenticated AWS user (the ‘Authenticated Users’ grantee, which is effectively public). This would detect situations like the Attunity incident and the many others where the entire bucket was readable without authorization, but the scope of that monitoring is very limited: it says nothing about who else has been granted access.
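An added example of the unauthenticated canary check (not code from the original post): an anonymous HTTPS GET of one known object, with the verdict derived from the status code. S3 only returns 404 (NoSuchKey) to a caller that holds s3:ListBucket, so an anonymous 404 is itself a finding. The bucket and object names are assumed; the `fetch` parameter exists so the classification can be exercised offline.

```python
"""Canary check for a bucket you do not control: anonymously GET one
object you placed there and classify the bucket from the HTTP status.
Bucket and key names are constructed for this example."""
import urllib.error
import urllib.request

CANARY_BUCKET = "example-partner-bucket"  # assumed: the partner's bucket holding your data
CANARY_KEY = "canary/do-not-delete.txt"   # assumed: a harmless object you asked them to keep


def canary_url(bucket, key):
    # Virtual-hosted style on the global endpoint; DNS routes to the bucket's region.
    return f"https://{bucket}.s3.amazonaws.com/{key}"


def http_status(url):
    """Anonymous GET returning the HTTP status; 4xx/5xx are statuses, not errors."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify_anonymous_get(bucket, key, fetch=http_status):
    status = fetch(canary_url(bucket, key))
    if status == 200:
        return "PUBLIC_READ"    # anyone on the internet can download the canary
    if status == 404:
        # NoSuchKey is only disclosed to callers with s3:ListBucket, so an
        # anonymous 404 means the bucket listing is public even if this object is not.
        return "PUBLIC_LIST"
    if status == 403:
        return "PRIVATE"        # AccessDenied: no anonymous read and no anonymous list
    return f"UNEXPECTED_{status}"


def needs_alert(verdict):
    return verdict != "PRIVATE"


if __name__ == "__main__":
    verdict = classify_anonymous_get(CANARY_BUCKET, CANARY_KEY)
    print(verdict, "ALERT" if needs_alert(verdict) else "ok")
```

The ‘any authenticated AWS user’ variant is the same request signed with credentials from an unrelated AWS account of your own (boto3's `get_object` raises a `ClientError` carrying the same 403/404 codes), and a 200 there is just as much a finding as an anonymous one. Schedule the script and page on anything other than PRIVATE.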

A much more robust detection program is to deploy the managed AWS Config rules for S3 data security and subscribe to their compliance-change notifications:

  • s3-bucket-policy-grantee-check
  • s3-bucket-policy-not-more-permissive
  • s3-bucket-public-read-prohibited
  • s3-bucket-public-write-prohibited
  • s3-bucket-server-side-encryption-enabled
  • s3-bucket-ssl-requests-only

All of these rules are evaluated whenever the bucket’s policy or ACL changes, and the two public-access rules use AWS’s automated reasoning engine to determine whether a policy can grant access to the public at all, rather than matching patterns. Note that s3-bucket-policy-grantee-check and s3-bucket-policy-not-more-permissive take parameters from you (the principals allowed access, and a control policy the bucket policy must not exceed); that is where you encode which third party is allowed to be there.

Lastly, you can rely on an auditing service you trust to audit access to the bucket. This audit should be automated and occur at least weekly, preferably on every change; it should check for all of the conditions covered by the managed AWS Config rules above and send notifications.
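As an added example (not code from the original post or any auditing product), an offline auditor that runs the checks the Config rules above cover against a bucket policy document: public read, public write, a grantee outside your allow-list, a missing SSL-only deny and a missing SSE-KMS deny. The two sample policies and the allow-list are constructed for this example; feed it the output of `get-bucket-policy` from the partner’s account in practice.

```python
"""Audit an S3 bucket policy for the conditions the managed Config rules
check. Allow statements' own Conditions (e.g. aws:SourceVpc) are ignored,
so this over-reports rather than under-reports public access."""
import fnmatch
import json

READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy")
ALLOWED_GRANTEES = {"arn:aws:iam::222222222222:role/ReplicateService"}  # assumed vendor role


def _listify(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten an IAM Principal element to the set of AWS ARNs (or '*')."""
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        return set(_listify(principal.get("AWS", [])))
    return set()


def _covers(patterns, wanted):
    """True if any action pattern (s3:*, s3:Get*, ...) matches any wanted action."""
    return any(fnmatch.fnmatchcase(a, p) for p in patterns for a in wanted)


def audit_bucket_policy(policy, allowed_grantees):
    """Return sorted (finding, where) tuples; an empty list means clean."""
    findings = []
    has_ssl_deny = has_sse_deny = False
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no sid>")
        actions = _listify(st.get("Action", []))
        who = _principals(st.get("Principal", {}))
        cond = st.get("Condition", {})
        if st["Effect"] == "Deny":
            if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
                has_ssl_deny = True           # s3-bucket-ssl-requests-only
            if "s3:x-amz-server-side-encryption" in cond.get("StringNotEquals", {}):
                has_sse_deny = True           # s3-bucket-server-side-encryption-enabled
            continue
        if "*" in who:                        # s3-bucket-public-read/write-prohibited
            if _covers(actions, READ_ACTIONS):
                findings.append(("PUBLIC_READ", sid))
            if _covers(actions, WRITE_ACTIONS):
                findings.append(("PUBLIC_WRITE", sid))
        for grantee in who - {"*"} - set(allowed_grantees):   # s3-bucket-policy-grantee-check
            findings.append(("UNKNOWN_GRANTEE", f"{sid}:{grantee}"))
    if not has_ssl_deny:
        findings.append(("NO_SSL_ONLY_DENY", "-"))
    if not has_sse_deny:
        findings.append(("NO_SSE_DENY", "-"))
    return sorted(findings)


# Constructed sample: a partner bucket opened up by a "quick fix" and a side grant.
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Public", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::partner-bucket/*"},
    {"Sid": "Contractor", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::999999999999:user/contractor"},
     "Action": "s3:*", "Resource": ["arn:aws:s3:::partner-bucket", "arn:aws:s3:::partner-bucket/*"]},
]}

# Constructed sample: the same bucket with only the expected grantee and both denies.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Vendor", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:role/ReplicateService"]},
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::partner-bucket", "arn:aws:s3:::partner-bucket/*"]},
    {"Sid": "DenyUnencrypted", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::partner-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::partner-bucket", "arn:aws:s3:::partner-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}


if __name__ == "__main__":
    for name, pol in (("leaky", LEAKY_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(audit_bucket_policy(pol, ALLOWED_GRANTEES)))
```

Any non-empty result is the notification the section asks for. The grantee check is the one the Config rules cannot do for you without parameters, and it is the check that matters most here: a bucket can be fully ‘private’ and still be shared with a principal you never approved.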

Unsolved: They can still copy your data

Of course, since the managed service has access to your data, they can still copy it somewhere unprotected, log it, and so on. The third party should also help you understand how their application’s security works and what assurances it provides.

The techniques described previously should be considered something like a minimum bar for integrating with the third party.

Managed Services Should Often Be Partners

I think the security of information technology may be at a similar stage of (im)maturity as automobile quality was in the late 70s and early 80s.

The approach outlined here is a step in the direction of what Toyota did with its suppliers when it was raising its quality bar. Toyota realized that:

  1. suppliers are a critical part of delivering a quality vehicle; engine control systems, tires, seat belts, whatever, all need to be of very high quality in order to meet Toyota customer expectations for a Camry
  2. they could not and did not want to manufacture everything that goes into their vehicles

Toyota worked with their suppliers to analyze and improve suppliers’ manufacturing processes in order to eliminate defects and minimize the total cost from those delivery processes (Deming: Move toward a single supplier for any one item). Those suppliers were viewed more as partners with shared interests in delivering high quality components than mere commodity suppliers or cost centers.

Whether you adopt one of these options or something else, it’s imperative you work with suppliers of managed services to ensure your data is safe. You may be outsourcing the delivery of a service, but you’re still ultimately responsible for taking care of your customers’ and business data (and for compliance with regulations and audit frameworks). I hope this post has given you some ideas for how to do that.

Hit me up if you have any questions or you’d like to talk through some specifics.