New Security Controls to Prevent Data Breaches Added by MongoDB and AWS

by | Nov 17, 2017

Amazon has revealed that new security measures have been added to its cloud server that will make it much more difficult for users to misconfigure their S3 buckets and mistakenly leave their data accessible.

While Amazon will complete a business associate agreement with HIPAA-covered entities, and has put in place appropriate controls to ensure data can be stored safely, but user mistakes errors can all too easily lead to data exposure and violations. Those breaches show that even HIPAA-compliant cloud services can leak data.

2017  has seen many organizations mistakenly leave their S3 data exposed online, including several healthcare bodies. Two such breaches were reported by Accenture and Patient Home Monitoring. Accenture was using four unsecured cloud-based storage servers that held more than 137 GB of data along with 40,000 plain-text passwords. The Patient Home Monitoring AWS S3 misconfiguration lead to the exposure of 150,000 patients’ PHI.

In response to multiple breaches, Amazon has revealed that new safeguards have been put in place to alert users to exposed data. While there are reasons why organizations would want their Amazon S3 buckets accessible over the Internet without having to use authentication, in the majority cases stored data should be protected.

To minimize the potential for data exposure, Amazon is putting in place a warning system that will warn users when authentication controls are not switched on. A bright orange button will now display throughout the AWS console to warn users when their S3 buckets are accessible without the requirement for authentication. Administrators will be able to manage the privacy settings of each S3 bucket using an access control list, and publicly available buckets will be openly displayed. Daily and weekly reports will also emphasize which buckets are safee, and which are accessible by the public.

Databases Secure by Default in MongoDB Update

Along with the data breaches arising from exposed Amazon S3 buckets, many organizations have reported breaches involving unsecured MongoDB databases in 2017. Globally, more than 27,000 organizations had their databases accessed, data stolen, and their databases wiped. The attackers sent demands for payment to return the stolen information.

While MongoDB incorporates all the required safeguards to prevent unauthorized accessing of databases, those safeguards must be switched on. Many organizations failed to realize that the default configuration was not safe.

MongoDB has reacted to the breaches and has taken the decision to put in place default security controls for the new version of the database platform, which is due to be released in December 2017. MongoDB 3.6 will only have localhost turned on by default. Users that need their databases to be accessible over the internet will have to switch on that feature. Doing so will make the databases accessible by anyone, so to control access, authentication controls will need to be manually enabled. The new secure default configuration will make it more difficult for data to be mistakenly exposed online.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy