Trove of Exposed Files Demonstrates Importance of Data Governance

An unsecured Amazon S3 bucket with 5.5 million business files was recently discovered by security researchers at vpnMentor. All of these files were publicly available without any password protection or other security protocols attached to them. This kind of thing happens regularly with cloud service providers, and it often occurs when IT teams neglect to set security and compliance rules within their cloud environments. Fixes usually take the form of creating compliance checks and security rules, automating them, and then watching for anomalous behavior in the future.

Know what you have so it can be protected

‍The underlying issue, however, isn’t just that someone forgot to press a button. It’s more about the lack of visibility into the assets being managed. The fundamental principle of any type of security is that you have to know what you have in order to protect it. And in the case of InMotionNow, the project management software company in Raleigh, North Carolina who was responsible for the exposed data, they clearly had no idea of the massive amount they were sitting on.

Basically, InMotionNow had stored millions of files for a list of presumed clients, including an insurance company, non-profits, universities, hotels, casinos, and life sciences companies. Apparently, the S3 bucket was not protected in any way, which indicates that InMotionNow either operates with surprisingly loose security protocols, or they were unaware of the existence of these files. But just like Principal Pelkey used to tell us, “Ignorance is not an excuse to be lazy,” not knowing you have those files and being aware of how they’re managed is about the same as leaving a sign in front of your house that says, “It’s unlocked, and we’re gone for two weeks.”

The exposed data included personal information on university and non-profit donors, company strategy documents, and business intelligence research. It may not be the kind of stuff that could bring down a government, but it’s still a huge breach of personal information and trust in the business. It speaks to something that many companies forget in the course of “doing security.”

Security is more than a checklist

‍Data security isn’t simply done with a checklist. Even when automated with rules, security needs to be considered in the broader sense of governance. Compliance is so heavily intertwined with data lifecycle management, and issues like content sprawl which don’t appear to be tied to security actually are very much a part of what a security posture needs to consider. So it’s not just layering governance or security, it’s bringing a secure approach to data that helps create the right tools and methodologies to have the insight and visibility into your content, but also the context to make sense of that content.

As companies invest in stronger firewalls and better IT infrastructure, brute force attacks have become harder to pull off. For companies with little-to-no on-prem infrastructure, attackers have found other ways, and they hit the jackpot when they identify a content repository that a company is unaware of. With access to that source, the attacker is “in,” and once inside, she can gain access to a lot more stuff she shouldn’t see. That data can be exfiltrated, or held for ransom. The attacker does not discriminate about where she got the content. With access to it, she’s got what she came looking for.

All content is vulnerable without proper data governance

‍As a result, it has become imperative that companies protect the data itself, not just the infrastructure that transports it. By applying strong access control, limiting visibility of sensitive data to only those who need it, and incorporating ransomware detection and unusual behavior detection, companies can be better prepared to take on modern cyber threats.

Strong governance is built on the principles of visibility and control, and that begins with content-classification policies that are both functional and easy to maintain. The first step in content governance is the discovery of sensitive data across the organization. Many organizations struggle to achieve this visibility because data is stored across multiple legacy systems that are cumbersome to manage, siloed, or have no automated data discovery capability.

A solution like Egnyte uses dynamic classification to automatically scan files across linked repositories for sensitive content like credit card numbers, addresses, dates of birth, social security numbers, and health-related information (such as patient ID numbers). It applies compliance-friendly pre-configurations, as well as custom classification capabilities.

Out-of-the-box configuration options involve selecting the geographic locations where you operate and then selecting the specific regulations that apply to your business. Egnyte then applies the relevant configurations to your classification policies, scanning for data known to be regulated under those laws.

Egnyte also allows for custom policies to be applied based on keywords, patterns, file properties, document templates, file types, and metadata. These can be configured based on specific needs in your organization, classifying data that is sensitive in the context of your business, including data related to a high- profile client, project, IP, or legal action.

Users have better visibility because the discovery of sensitive data is automated across the largest repositories (including inside Egnyte), as well as popular data sources such as OneDrive, Windows File Server, SharePoint, Amazon S3, Google Cloud, GSuite, Box, Microsoft Azure Blob, and generic CIFS/SMB repositories.

Good governance becomes easier to maintain over time with good data hygiene practices, but it has to start with a governance-based approach to content. To learn more, check out the Egnyte Security Framework which explains how the Egnyte Platform weaves data security into every layer of enterprise file sharing with behavioral anomaly detection to deter insider threats and compromised accounts, as well as signature-based and zero-day ransomware detection.

‍Photo by Jan Antonin Kolar on Unsplash