Security is one of the main obstacles to greater cloud adoption. When it gets right down to it, companies that own sensitive data are reluctant to release control of it to a third party without ample reassurance that it won’t be lost or stolen.
Given that’s the case, the results from an analysis of Amazon’s cloud-based Simple Storage Service (S3) by the security firm Rapid7 won’t ease privacy and security fears surrounding cloud-based storage and applications.
In that study, Rapid7 researchers surveyed 12,328 Amazon S3 “buckets” – virtual containers for stored data. The results: 1,951 of those buckets were publicly accessible – around 1 of every 6. Within those 2,000-odd public buckets were 126 billion (with a “B”) files. That’s right – 126 billion.
The sheer volume of data was too large for Rapid7 to audit each file individually, so the company sampled 40,000 publicly visible files and found that many were themselves publicly accessible (that is, they could be opened and viewed from within the bucket). Among those, Rapid7 found personal photos from a “medium-sized social media service,” as well as sales records and account information for a large car dealership, employees’ personal information, unprotected database backups, source code and advertiser affiliate tracking data.
“Much of the data could be used to stage a network attack, compromise users’ accounts, or to sell on the black market,” Rapid7 said – noting that the wealth of log files stored in unprotected S3 buckets could also be a goldmine for hackers.
Pictures made up around 60% of all the stored files. But Rapid7 also found more than five million text documents, including many that contained credentials. “Much of the documentation we spot checked was marked up ‘Confidential’ or ‘Private.’”
This isn’t the first time someone has taken the opportunity to audit Amazon’s massive S3 infrastructure. The security researcher Robin Wood (@digininja) performed a similar study in May 2011 on 979 S3 buckets and found 131 were publicly accessible – around 13%, compared to roughly 16% in Rapid7’s audit. As with the Rapid7 study, Wood’s audit of files in the buckets (around 10,000 compared to Rapid7’s 40,000) also revealed a preponderance of image files, but also some documents containing sensitive information such as Social Security Numbers.
What’s the lesson here? Well, obviously: don’t store or back up sensitive data in an unprotected S3 bucket. If you have reason to believe that you or your organization is using S3 to offload data, make sure your S3 buckets are private – or, if they need to be public, that file permissions prevent Internet users from accessing their contents. Rapid7 makes the (good) point that merely being able to index the contents of an S3 bucket can reveal a wealth of information about your organization – from project names to platforms used to backup schedules.
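To see what “indexing the contents” gives away, consider the XML listing that a world-listable bucket returns to anyone who requests its URL. The sketch below parses an invented example of that listing (the bucket name, keys, and sizes are made up for illustration; the XML namespace is S3’s standard one):

```python
import xml.etree.ElementTree as ET

# Invented example of the ListBucketResult XML that a publicly listable
# S3 bucket returns. The bucket name and object keys are hypothetical,
# but note how much they reveal on their own: backup schedules, database
# dumps, project/source names.
SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>acme-backup</Name>
  <Contents>
    <Key>db/prod-backup-2013-03-01.sql.gz</Key>
    <Size>52428800</Size>
  </Contents>
  <Contents>
    <Key>src/billing-service.tar.gz</Key>
    <Size>1048576</Size>
  </Contents>
</ListBucketResult>"""

# S3's XML namespace, needed to match elements in the listing.
NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

def list_keys(xml_text):
    """Extract every object key from an S3 bucket listing."""
    root = ET.fromstring(xml_text)
    return [c.findtext("s3:Key", namespaces=NS)
            for c in root.findall("s3:Contents", NS)]

print(list_keys(SAMPLE_LISTING))
```

Even without downloading a single file, the key names alone expose a nightly database-backup routine and an internal service’s source archive – exactly the kind of reconnaissance Rapid7 is warning about.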
While it’s easy to believe that nobody notices what you’re storing in the cloud, Rapid7 shows how easy it is for a motivated hacker to zero in on your organization’s S3 buckets, guessing bucket URLs by dorking around with Fortune 1000 company names and words like “-backup,” “-media” and so on.
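The guessing technique Rapid7 describes is trivial to sketch: combine a company name with common suffixes and test each resulting URL. The suffix list and naming patterns below are illustrative assumptions, not Rapid7’s actual wordlist:

```python
# Common suffixes an attacker might append to a company name when
# guessing bucket names (illustrative; real wordlists are far longer).
SUFFIXES = ["", "-backup", "-media", "-data", "-logs", "-dev"]

def candidate_bucket_urls(company):
    """Build plausible S3 bucket URLs from a company name."""
    # Normalize the name the way bucket names usually are: lowercase,
    # punctuation and spaces stripped.
    base = "".join(ch for ch in company.lower() if ch.isalnum() or ch == "-")
    return [f"https://{base}{s}.s3.amazonaws.com/" for s in SUFFIXES]

for url in candidate_bucket_urls("Example Corp"):
    print(url)
```

An attacker would then simply request each URL and note which ones return a bucket listing instead of an “Access Denied” error – which is why obscurity of the bucket name is no protection at all.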
The bigger problem with convenient services like S3 may be figuring out whether you have exposure through them at all. These services make it easy for individual employees to move huge amounts of data into the cloud without incurring significant cost. And even if you know your own organization isn’t exposed, you may find yourself exposed through third-party business partners. Take note!