The reason why Hackers have it easy with Cloud Security will surprise you.
You would imagine that protecting customer passwords and other credentials is part of the job description for IT experts, yet as reports of data breaches show, hackers have outsmarted the cyber guardians on numerous occasions.
To understand why, consider it this way: a carjacker enters a parking lot and strolls directly to the stall where all the keys are supposedly under tight watch, and the guard is mysteriously missing.
The mass migration of organizational and personal data to the cloud has only complicated things. Hackers are sending bots to scour GitHub, the source code management platform, searching for access keys to Amazon Web Services and other cloud platforms. In 2015, one careless developer woke to discover his stolen keys being used to run 140 AWS servers mining bitcoin.
Organizations have uploaded VPN and cloud access credentials to cloud storage that is readily accessible. Even U.S. intelligence data, including security keys to access “distributed intelligence systems,” was apparently left available to the general public, as Bay Area security firm UpGuard previously revealed.
And even when credentials aren’t left where anybody can find them, security breaches are routinely aggravated when hackers who enter one network then find the keys to another lying around unprotected or unencrypted.
Despite the dangers, developers are still routinely storing digital assets and resources, and even client data, in source code, configuration files, and other scattered, unencrypted locations. Unlike typical users, who can remember their passwords or keep them in a password-protected store, engineers and IT professionals often need to keep security credentials where automated programs can find them.
What’s more, even ordinary users can leave sensitive data lying around in an inadvertently public document or in an unsecured location on an organization’s network where a hacker may manage to wrangle access.
SECURING THE CLOUD
Cloud managers are playing catch up to close the door on the critical data left out in the open. Sophisticated new cybersecurity tools designed to securely store these kinds of credentials in a way that legitimate, automated processes can access, and intruders can’t—and to scan files uploaded to cloud storage to make sure passwords and keys aren’t exposed—are turning the tide, experts say.
Armon Dadgar, founder and co-CTO of San Francisco-based software company HashiCorp, said: “Everyone knew this was a bad thing to do. It wasn’t like anyone had an illusion that keeping these credentials in plain text was smart or sane, but no one had a better answer.”
Amazon launched its own credential management tool, AWS Secrets Manager, last month. Microsoft, for its part, offers Azure Key Vault to securely store this kind of data and to monitor and control access to it.
But even as these tools become available, it’s still a challenge for companies where developers might be working with a wide array of remote tools requiring credentials.
As quoted in Fast Company: “The main problem is that companies really don’t have policies for it or they don’t follow up and make sure those policies are followed,” says Christoffer Fjellström, a developer at Swedish security firm Detectify.
Until recent hacks made it clear that few organizations can hope to keep their networks entirely free from intrusion, many companies paid less attention to the security of data within their firewalls, says Dadgar.
“In that world, things like secret management were just less important,” he says. “Does it matter that you have my database credential if you’re not on my network?”
Other new tools help detect if secure data is being sent and stored where it doesn’t belong. UpGuard, known for its frequent role in detecting leaks tied to data stored on insecure cloud machines, has released BreachSight, which scours the internet for its clients’ exposed code, credentials, personally identifiable information, and other sensitive data.
“You might have this world-class team, but the project manager has an online Kanban board sitting out in the open that he’s using for notes, and it’s full of API keys, but nobody thought to look for it because the company believes everything’s internal,” co-founder and co-CEO Mike Baukes says. “It’s examples like that, which are things happening in the real world, that nobody’s had an answer for until now.”
Amazon has also offered a service called Amazon Macie, which uses machine learning to detect unusual access patterns to cloud storage and uploads of potentially sensitive data like access keys. Amazon also released open source software to help prevent accidentally storing passwords and keys to source code repositories and other developers have offered similar tools to scrub credentials from existing code.
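A simplified sketch of the kind of check such pre-commit scanners perform, added here as an illustration (it is not Amazon's code and not from the original article). The rule patterns, the placeholder allowlist and the sample config are constructed assumptions.

```python
import re

# Illustrative patterns (assumptions), not any vendor's actual rule set.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws-secret-access-key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "hardcoded-password": re.compile(
        r"(?i)(?:password|passwd|api_key|secret)\s*[=:]\s*['\"]([^'\"\s]{8,})['\"]"),
}

# Values that must not block a commit: the example key ID used in AWS
# documentation, and templated placeholders such as ${VAR} or <value>.
ALLOWED = {"AKIAIOSFODNN7EXAMPLE"}
PLACEHOLDER = re.compile(r"\$\{[^}]+\}|<[^>]+>")

def redact(value):
    """Keep just enough of a match to locate it; never echo the secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(text, path="<stdin>"):
    """Return (path, line_no, rule, redacted_match) for each suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex or 0)
                if secret in ALLOWED or PLACEHOLDER.search(secret):
                    continue
                findings.append((path, line_no, rule, redact(secret)))
    return findings

# Constructed sample config; every credential in it is fake.
SAMPLE = """\
[default]
aws_access_key_id = AKIAABCDEFGHIJKLMNOP
aws_secret_access_key = abcdEFGHijklMNOPqrstUVWXyz0123456789/+AB
doc_example = AKIAIOSFODNN7EXAMPLE
db_password = "${DB_PASSWORD}"
password = "hunter2hunter2"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "sample.cfg"):
        print("%s:%d: %s (%s)" % finding)
```

Wired into a commit hook, a non-empty result would reject the commit so the key never reaches the repository history.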
According to the Fast Company article, it’s possible that those types of tools will automatically be provided as part of cloud computing contracts, as standard as seatbelts in new cars.
Julia Sowells
Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.