Another Amazon S3 bucket misconfiguration breach, this time with AgentRun, has resulted in an insurance start-up exposing data for clients, including Cigna, Transamerica, SafeCo Insurance, Schneider Insurance, Manhattan Life, and Everest. Sensitive personal and medical information of thousands of insurance policyholders was exposed, leaving the data without password protection and publicly accessible to anyone while AgentRun was migrating to the bucket during an application upgrade, according to Cyware.
Mike McKee, CEO, ObserveIT, said that companies are moving faster than ever, so it is no surprise that many security breaches occur due to human error. "This is another example of how damaging an insider with good intentions but poor execution or adherence to policy can be to an organization," McKee said.
Many organizations don't understand how to evaluate the security practices of all their downline parties. Fred Kneip, CEO, CyberGRX, said it is critical to know not only who has your data but also where it is and how well they are securing it. "Are they encrypting the data in an S3 bucket? These are critical factors that organizations need to understand about all third parties in their digital ecosystem in order to know which pose the most risk to their data. We're going to continue to see these types of attacks until the industry takes this issue more seriously and adopts a more collaborative approach to reducing third-party risk."
Some argue that cloud providers probably need to do more, and Mukul Kumar, CISO and VP of cyber practice at Cavirin, said that they are moving in this direction to protect the cloud assets of organizations that have little or no expertise. Still, Kumar said, "when spinning up an EC2 instance and S3 storage bucket is almost as easy as learning how to ride a bike, the providers need to implement process checks that take into account little or no cloud knowledge."
Sanjay Kalra, co-founder and chief product officer at Lacework, said, "AWS provides amazing services that help any innovative business accelerate the deployment of new applications. That said, properly configuring AWS for security requires a new set of skills and understanding of how to manage cloud resources. It is unfortunately too easy to overlook the configuration of AWS resources such as S3 buckets where data is often stored. Hackers have discovered that many organizations have left these buckets open to public access."
With AWS incidents happening on an almost weekly basis, McKee said that companies can better mitigate the risk of human error by identifying high-risk users and third-party vendors with data and system access, ensuring that strict change controls are in place, continuously monitoring user activity, implementing technology to detect and respond quickly to risky, out-of-policy actions, and running ongoing employee education programs.
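Kneip's question ("Are they encrypting the data in an S3 bucket?") and McKee's call for change control and monitoring both come down to checks a defender can automate. The script below is an added example, not code from the article or from any of the vendors quoted: it audits a bucket configuration snapshot for the three settings that would have mattered here (Block Public Access, a policy that grants read access to everyone, and default server-side encryption). The snapshots are constructed test data shaped like the responses of boto3's `get_public_access_block`, `get_bucket_policy` and `get_bucket_encryption`, so the audit runs offline; in practice you would collect the snapshot with those calls and run the same checks on every bucket before and after a migration.

```python
"""Offline audit of S3 bucket configuration snapshots (added example).

A snapshot is a dict with the same keys boto3 returns:
  PublicAccessBlockConfiguration, Policy (JSON string), and
  ServerSideEncryptionConfiguration. The sample snapshots below
are constructed for illustration and do not describe any real bucket.
"""
import json

# Actions that give anonymous callers read access to objects or listings.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (everyone, including anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else list(aws)
        return "*" in aws
    return False


def action_grants_read(action):
    actions = [action] if isinstance(action, str) else list(action)
    return any(a in READ_ACTIONS for a in actions)


def policy_allows_public_read(policy_json):
    """True if any Allow statement grants a read action to a public principal."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_is_public(stmt.get("Principal")) and action_grants_read(stmt.get("Action", [])):
            return True
    return False


def block_public_access_complete(pab):
    """All four Block Public Access switches must be on to be considered complete."""
    required = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(pab.get(k) is True for k in required)


def default_encryption_enabled(enc):
    """True if a default SSE rule (SSE-S3 or SSE-KMS) is configured."""
    for rule in (enc or {}).get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms"):
            return True
    return False


def audit_bucket(snapshot):
    """Return a list of finding codes; an empty list means the bucket passed."""
    findings = []
    pab = snapshot.get("PublicAccessBlockConfiguration") or {}
    if not block_public_access_complete(pab):
        findings.append("block-public-access-incomplete")
    if policy_allows_public_read(snapshot.get("Policy")):
        # RestrictPublicBuckets neutralises a public policy for anonymous callers,
        # so flag it separately: not exposed today, but one setting away from it.
        if pab.get("RestrictPublicBuckets") is True:
            findings.append("public-policy-present-but-restricted")
        else:
            findings.append("public-read-policy")
    if not default_encryption_enabled(snapshot.get("ServerSideEncryptionConfiguration")):
        findings.append("no-default-encryption")
    return findings


# Constructed snapshot: no Block Public Access, world-readable policy, no encryption.
MISCONFIGURED_SNAPSHOT = {
    "PublicAccessBlockConfiguration": {},
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": "*",
                       "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::example-migration-bucket/*"}],
    }),
    "ServerSideEncryptionConfiguration": None,
}

# Constructed snapshot: the same bucket with the three controls in place.
HARDENED_SNAPSHOT = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
    },
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::123456789012:role/MigrationRole"},
                       "Action": ["s3:GetObject", "s3:PutObject"],
                       "Resource": "arn:aws:s3:::example-migration-bucket/*"}],
    }),
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}],
    },
}

if __name__ == "__main__":
    for name, snap in (("misconfigured", MISCONFIGURED_SNAPSHOT), ("hardened", HARDENED_SNAPSHOT)):
        print(name, audit_bucket(snap) or "OK")
```

The policy check deliberately treats `{"AWS": "*"}` and `"*"` the same way, since both grant access to anonymous callers; a bucket that fails `block-public-access-incomplete` but has no public policy is not exposed yet, which is exactly the state a migration like the one described above can silently change, so a continuous check that runs on every configuration change (not a one-off review) is the control that matters.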