Defense-in-Depth: Stemming Leaks of Sensitive Data from Cloud Storage (Part 1)

In the market, we see that cloud storage adoption and usage has gone mainstream: market surveys found over 70% of enterprises already using cloud storage in some way, and the average enterprise already has more than one cloud storage service provider being used. Surveys continue to show concern about valuable intellectual property or confidential information in the cloud, and although confidence in public cloud security offerings has increased over the last few years, we continue to see data leaks of confidential data.

Just in the last two months, we have seen two large incidents with government agencies (or their contractors) leaking sensitive (or according to some reports, classified) data due to usage of cloud storage. This isn’t new or limited to the United States – take for example an incident attributed to a Mexican political party in April 2016.

Companies, governments, and organizations alike are adopting cloud storage to minimize costs, increase agility, and help do their business – all sound goals. However, keeping the data unsecured – or merely relying on the protections from the cloud hosting provider – has led to these massive disclosures.

In the case of the data files discovered on June 12, 2017 related to contractors working for the Republican National Committee, reporting indicates that these were part of a data warehouse maintained on cloud storage. Data warehouses are increasingly common concepts – basically a large collection of data accumulated and structured for analysis to be run over. This incident left 1.1 terabytes of information available for public access (out of the 23 terabytes total), and the warehouse reportedly contained information about 198 million potential US voters (about 3 out of 5 Americans). The exposed data contained not just voter information, but also spreadsheets summarizing analysis modeled ethnicity and religion data. Ionic Security was founded on the basis of restoring privacy to the data of individuals and companies, and this is one example of the type of breach we hope to make irrelevant.

In May 2017, there was a reported disclosure of sensitive or classified (reports differ) intelligence and credentials by a contractor for a US Intelligence Agency through a publicly accessible cloud storage instance. Ionic Security believes in making cloud usage safe for the most sensitive data from organizations, and this is another example of a type of breach which again could be made irrelevant.