Richard Walters, Chief Security Strategist at CensorNet, commented below on the latest developments around Accenture being found to have left sensitive company data on an unlocked (and unprotected) cloud server.
Richard Walters, Chief Security Strategist at CensorNet:
“Accenture are the latest company on the growing list of organisations that have been found to be storing sensitive information in Amazon S3 buckets configured for public access. And this is the worrying point – the buckets have been configured to allow public access. The default public permissions when creating a bucket are “Do not grant public read access to this bucket” – helpfully accompanied with “Recommended” in brackets. Someone has chosen to change the permissions and it’s tough to explain this away as an accident.
Amazon support a range of policies to control access to S3 buckets including restricting access to specific IP addresses and/or requiring multi-factor authentication (MFA).
Given the sensitivity of the information stored it’s surprising that a policy was not in place and no doubt a deep concern to Accenture. This starkly demonstrates the convenience but also the danger of cloud services as they often fall outside the strict processes that are applied to on-premises systems.
It should also serve as yet another wake-up call (and on this one the alarm has been ringing out loud and repeatedly for some time). If two-factor authentication (2FA) or MFA is available, turn it on. Everywhere. Failing to implement it could mean that, in an attack, the entire virtual enterprise could be taken down and could disappear completely within minutes. Anyone who isn’t protected with 2FA on cloud services should have stopped reading this and be calling someone or logging in right now to turn it on.”
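The two controls Walters mentions, an IP restriction and an MFA requirement on an S3 bucket, look like this as a bucket policy. This is an added Terraform example, not code from the article or from either company named in it; the bucket name, the CIDR range and the resource labels are placeholders.

```hcl
# Added example (Terraform, AWS provider); not from the article or either company named in it.
# Bucket name, CIDR range and all labels are placeholders.
resource "aws_s3_bucket" "sensitive" {
  bucket = "example-sensitive-data-bucket" # placeholder name
}

data "aws_iam_policy_document" "sensitive" {
  # Deny every request that does not originate from the corporate egress range.
  statement {
    sid       = "DenyOutsideCorporateRange"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.sensitive.arn, "${aws_s3_bucket.sensitive.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "NotIpAddress"
      variable = "aws:SourceIp"
      values   = ["203.0.113.0/24"] # placeholder range (TEST-NET-3)
    }
  }

  # Deny every request from a session that did not authenticate with MFA. BoolIfExists
  # also matches when the key is absent, so requests signed with long-term access keys
  # (which never carry the MFA key) are denied as well.
  statement {
    sid       = "DenyWithoutMFA"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.sensitive.arn, "${aws_s3_bucket.sensitive.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "sensitive" {
  bucket = aws_s3_bucket.sensitive.id
  policy = data.aws_iam_policy_document.sensitive.json
}
```

Requests that reach S3 through a VPC endpoint do not carry a public aws:SourceIp, so a blanket NotIpAddress deny blocks them too; validate the policy against a test bucket before applying it to production data.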