Amazon has revealed that new security measures have been added to its cloud server that will make it much more difficult for users to misconfigure their S3 buckets and mistakenly leave their data accessible.
While Amazon will complete a business associate agreement with HIPAA-covered entities and has put in place appropriate controls to ensure data can be stored safely, user errors can all too easily lead to data exposure and HIPAA violations. Recent breaches show that even HIPAA-compliant cloud services can leak data.
2017 has seen many organizations mistakenly leave their S3 data exposed online, including several healthcare bodies. Two such breaches were reported by Accenture and Patient Home Monitoring. Accenture was using four unsecured cloud-based storage servers that held more than 137 GB of data along with 40,000 plain-text passwords. The Patient Home Monitoring AWS S3 misconfiguration led to the exposure of 150,000 patients’ PHI.
In response to multiple breaches, Amazon has revealed that new safeguards have been put in place to alert users to exposed data. While there are reasons why organizations would want their Amazon S3 buckets accessible over the Internet without requiring authentication, in the majority of cases stored data should be protected.
To minimize the potential for data exposure, Amazon is putting in place a warning system that will alert users when authentication controls are not switched on. A bright orange button will now display throughout the AWS console to warn users when their S3 buckets are accessible without authentication. Administrators will be able to manage the privacy settings of each S3 bucket using an access control list, and publicly available buckets will be openly displayed. Daily and weekly reports will also emphasize which buckets are safe, and which are accessible by the public.
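The console warning and the daily/weekly reports described above come down to one check: does a bucket's ACL contain a grant to one of the two public groups, "AllUsers" (everyone on the Internet) or "AuthenticatedUsers" (any AWS account)? The script below is an added example, not Amazon's code or the article's. It evaluates ACLs in the same structure boto3's `get_bucket_acl` returns, but the three bucket ACLs are constructed inline so it runs offline; a live audit would substitute `s3.get_bucket_acl(Bucket=name)` for each bucket.

```python
"""Flag S3 buckets whose ACL grants access to a public group.

Added example (not from the article or from AWS). The ACL dictionaries mirror
the shape of boto3's ``get_bucket_acl`` response (Grants -> Grantee with
Type/URI), but the sample buckets and IDs below are constructed.
"""

# Well-known group URIs AWS uses for "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "public", AUTHENTICATED_USERS: "any AWS account"}


def public_grants(acl):
    """Return (audience, permission) pairs for every grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return found


def audit(buckets):
    """Map bucket name -> status ('public'/'private') and the offending grants,
    in the spirit of the daily/weekly reports the article mentions."""
    report = {}
    for name, acl in buckets.items():
        grants = public_grants(acl)
        report[name] = {"status": "public" if grants else "private", "grants": grants}
    return report


def format_report(report):
    """Render the audit as one line per bucket, public buckets first."""
    lines = []
    for name in sorted(report, key=lambda n: (report[n]["status"] != "public", n)):
        entry = report[name]
        detail = ", ".join(f"{aud}: {perm}" for aud, perm in entry["grants"]) or "-"
        lines.append(f"{entry['status']:<8} {name:<20} {detail}")
    return "\n".join(lines)


# Constructed sample ACLs (placeholder owner ID, no real buckets).
OWNER = {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}
SAMPLE_BUCKETS = {
    "phi-backups": {
        "Owner": {"ID": OWNER["ID"]},
        "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
    },
    "marketing-site": {
        "Owner": {"ID": OWNER["ID"]},
        "Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ],
    },
    "export-share": {
        "Owner": {"ID": OWNER["ID"]},
        "Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
             "Permission": "READ"},
        ],
    },
}

if __name__ == "__main__":
    print(format_report(audit(SAMPLE_BUCKETS)))
```

Note that "export-share" is flagged even though it grants nothing to anonymous users: a grant to AuthenticatedUsers is satisfied by any AWS account, not just accounts in your organization, so it should be treated as public. The ACL is also only one of the ways a bucket can become readable; a bucket policy can grant the same access, so a complete audit checks `get_bucket_policy` as well.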
Databases Secure by Default in MongoDB Update
Along with the data breaches arising from exposed Amazon S3 buckets, many organizations have reported breaches involving unsecured MongoDB databases in 2017. Globally, more than 27,000 organizations had their databases accessed, data stolen, and their databases wiped. The attackers sent demands for payment to return the stolen information.
While MongoDB incorporates all the required safeguards to prevent unauthorized access to databases, those safeguards must be switched on. Many organizations failed to realize that the default configuration was not safe.
MongoDB has reacted to the breaches and has taken the decision to put in place default security controls for the new version of the database platform, which is due to be released in December 2017. MongoDB 3.6 will listen only on localhost by default. Users who need their databases to be accessible over the internet will have to switch on that feature. Doing so will make the databases accessible by anyone, so to control access, authentication controls will need to be manually enabled. The new secure default configuration will make it more difficult for data to be mistakenly exposed online.
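The two settings the paragraph describes live in `mongod.conf`: `net.bindIp` (or `net.bindIpAll`) decides which interfaces mongod listens on, and `security.authorization` decides whether clients must authenticate. The checker below is an added example, not MongoDB's own tooling. It reads the flat `key: value` subset of YAML those settings use (assumption: no lists, anchors or multi-line values, so no PyYAML needed), treats a missing `bindIp` as the 3.6 localhost default the article describes, and classifies three constructed configurations.

```python
"""Classify a mongod.conf by exposure: localhost-only, exposed with
authorization enabled, or exposed with no authorization at all.

Added example, not part of MongoDB. Only the indentation-nested
'key: value' subset of YAML is parsed (assumption: enough for net.* and
security.* settings).
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_simple_yaml(text):
    """Parse indentation-nested 'key: value' lines into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        # Dedent: pop back to the mapping this line belongs to.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":  # a nested mapping follows
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def assess(config):
    """Return 'localhost-only', 'exposed-with-auth' or 'EXPOSED-NO-AUTH'."""
    net = config.get("net", {})
    security = config.get("security", {})
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    # Assumption: absent bindIp means the 3.6 default of localhost.
    addrs = [a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")]
    exposed = bind_all or any(a and a not in LOOPBACK for a in addrs)
    auth_on = str(security.get("authorization", "disabled")).lower() == "enabled"
    if not exposed:
        return "localhost-only"
    return "exposed-with-auth" if auth_on else "EXPOSED-NO-AUTH"


# Constructed sample configurations (not taken from any real deployment).
PRE_36_STYLE = """
net:
  port: 27017
  bindIp: 0.0.0.0   # every interface, no security section at all
"""

SECURE_DEFAULT = """
net:
  port: 27017
  bindIp: 127.0.0.1
"""

OPENED_WITH_AUTH = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # reachable from the application subnet
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for label, text in [("pre-3.6 style", PRE_36_STYLE),
                        ("3.6 default", SECURE_DEFAULT),
                        ("opened with auth", OPENED_WITH_AUTH)]:
        print(f"{label:<18} {assess(parse_simple_yaml(text))}")
```

The first configuration is the combination behind the 2017 wipe-and-ransom incidents: listening on every interface with authorization never enabled. The third shows the path the article describes for 3.6: once `bindIp` is widened beyond localhost, `security.authorization: enabled` has to be set deliberately, and the checker reports the exposed-without-auth case in capitals so it stands out in a report.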