Capital One Breach Does Not Mean the Cloud is Insecure

Financial services organizations and many other enterprises have hesitated to go all in on the cloud, citing concerns about depending on a third party to protect the data, and the Capital One breach seems to encapsulate their fears.

Capital One was unusual compared to the rest of the financial services industry because it embraced its digital transformation journey. Over the past few years, Capital One has more than tripled its technology staff, and encouraged developers to focus on artificial intelligence and data-mining applications. The bank’s willingness to use Amazon Web Services was unusual specifically because many of its counterparts were nervous about storing customer data on third-party networks. As CyberScoop reported, the financial giant opted for the public cloud’s security benefits, and said its data and applications were more secure in AWS than in its own data centers because Amazon could update the security technology faster than the bank’s security team.

“Capital One is a standout in the financial institutions community by going public cloud while most of its peers hedged the risk by implementing additional security controls around their private clouds,” said Igor Baikalov, chief scientist at Securonix.

In the aftermath of the breach, in which a former AWS engineer abused a misconfigured server to get access to Capital One’s data—personal information such as names, addresses, and contact information for roughly 100 million individuals—it may seem like the other financial institutions had a point with their slow approach to public cloud services. Competitors considered private clouds with internal firewalls, and handled their own data security controls. Capital One, by opting for the public cloud to take advantage of capabilities such as scalability, machine learning, and data transformation, wound up losing a lot of sensitive data.

The thing is, Capital One wasn't wrong. The cloud provides a lot of security benefits, such as the fact that software and hardware get updated with security fixes much faster than if the enterprise had to handle its own testing and deployment schedule. The cloud provider typically has a broader view of threats that may come into the network, so securing one customer means all other customers also benefit.

“[The] cloud is still orders of magnitude safer and more secure than when data was stored on premise,” said Michael Clauser, global head of data and trust at public policy firm Access Partnership. “This wasn’t a failure of the cloud, but of personnel.”

Moving to the cloud typically involves changing security controls and processes. The security controls that worked in the data center are typically not going to be enough in a cloud environment, because the infrastructure and the rules of accessibility are completely different. Even migrating an application isn't the same as just copying the code over because the security layers have to change. Security needs to be rethought in the context of the cloud, and that is usually the hardest part of any migration.

“This fact alone shouldn't be considered a setback for the adoption of public cloud. It should rather be viewed as another harsh reminder of the importance of third party security and insider threat programs for both providers and consumers of public cloud services,” said Baikalov.

There is some data to back up the claim that going to the cloud helps keep data and applications safe. Third-party risk management platform RiskRecon and Cyentia Institute recently analyzed how security is handled on different cloud environments, and found that Internet-facing systems in the Amazon, Microsoft, and Oracle clouds had a 12 times lower rate of important security issues, compared to the lowest-performing cloud environments. As many as 14 percent of systems in those lower-performing environments had open critical or high severity issues, the analysts found. They also had lower rates of vulnerabilities compared to on-premise systems.

The analysis didn't say that going with third-party providers was always the better option. Exposures "exist in all areas," the analysts said, noting that 35 percent of firms had severe security exposures in assets hosted with external service providers. However, that figure shouldn't be taken to mean that third-party providers couldn't deliver on security, but rather that enterprises bear some responsibility for securing their systems. That may be as simple as making sure their contracts specified what security tasks the provider would take care of and what the enterprise had to handle. "Security in the cloud isn't on the cloud; it's on you," the analysts wrote.

"The study doesn't advocate for either side of the cloud vs. on-prem debate, because the safety record between them isn't all that different (a 60/40 split)," said Wade Baker, the report's author and a partner at Cyentia Institute. "Far more important is for organizations to carefully consider their needs and capabilities in the cloud and select providers and strategies best suited for them."

There is always some concern about the security of corporate data being stored on third-party cloud servers, and those concerns feel justified when those files aren’t protected properly. Just a few weeks ago, Netflix, TD Bank, and Ford were among the list of large companies whose information—more than a terabyte worth of data including internal business documents, backups of corporate email and OneDrive accounts, system credentials and configuration settings, and employee details—was found on a leaky S3 bucket owned by data management company Attunity.

“The likelihood of high/critical security exposures in AWS is lower than on-prem hosts,” said Cyentia Institute's Baker, citing the firm’s recent research. “Leaks happen everywhere.”


This is a companion discussion topic for the original entry at https://duo.com/decipher/capital-one-breach-does-not-mean-the-cloud-is-insecure