Sunshine, sandwiches, scenic views, and not a care in the world besides the occasional wasp. Everyone loves a picnic.
Unfortunately, the same cannot be said for PICNIC, an enduring acronym in IT circles standing for Problem In Chair, Not In Computer. The term, dating back to the 1980s, was first employed by frustrated IT professionals weary of dealing with computer problems arising from user error rather than any actual issues with the technology.
Such challenges still exist today although, increasingly, they are migrating to the cloud. Data breaches resulting from cloud misconfigurations can have dramatic consequences. For example, the Capital One breach earlier this year affected more than 100 million records.
In most cases, these breaches are not the result of a particularly skilled threat actor or any advanced exploits or malware. Instead, the door is left wide open through human error. Unfortunately, such cloud security issues are the result of poor data protection practices. For instance, sensitive information may be stored in unencrypted form, or access permissions may not be locked down properly.
The Capital One data breach, first reported in July, is a particularly powerful example of how poor practices can trigger a major security crisis. The incident saw customer data including more than 140,000 social security numbers, one million Canadian social insurance numbers, 80,000 bank account numbers, and an unknown quantity of customer names and addresses accessed by Paige Thompson, a former software engineer at Amazon Web Services. It has been estimated that the breach could cost the company upwards of $150m.
The breach was made possible by a misconfiguration of the web application developed by Capital One, and not the underlying Amazon cloud-based infrastructure. Amazon also stated that the perpetrator’s specialist insider knowledge was not a factor, but rather the breach could have been carried out by anyone who stumbled on the misconfiguration.
Similar breaches have occurred at FedEx and Californian car dealership services provider Dealer Leads. Indeed, cloud-based data breaches caused by user errors are becoming so frequent that the PICNIC acronym might arguably be updated to stand for Problem In Company, Not In Cloud.
How can firms reduce the threat?
Because cloud-related mistakes can potentially expose businesses to huge and costly data breaches, organisations must do much more to mitigate the risks. It’s very difficult to remove the risk of human error entirely, so organisations need to ensure they implement robust policies to protect sensitive data in the cloud, as well as the right tools to manage them.
An audit is a good place to start. It is impossible to keep sensitive data safe if a company isn’t aware of what information it owns or where it is kept. Many organisations have spent years hoarding as much data as possible, and it’s all too easy for them to lose track as they expand and change their infrastructure.
Audits can help the enterprise get its house in order. Their disciplined approach lets organisations locate and classify any and all sensitive information spread across on-premises and cloud servers. Audits are especially good for identifying data that is governed by regulations such as the GDPR and PCI-DSS.
The challenge with the built-in classification capabilities present in many cloud-based solutions is that rule creation and tagging are often labour-intensive, manual processes. For this reason, enterprises should look to automate this process as much as possible.