Get My Score

The Deep Root Breach - How Cavirin Could Have Helped

A few days back, a security researcher came upon what is potentially one of the largest exposures to-date of Personally Identifiable Information (PII), but one that was so easy to prevent using the tools available.  Deep Root, a data analytics firm, had posted almost 200 million voter records to their AWS S3 database. This is the distributed offering leveraged by the majority of businesses and SaaS offerings that use AWS.  Note that this is also the same S3 that experienced a wide-ranging failure earlier in the year.  In this case, Deep Root set permissions on their database that would expose it unencrypted and with no password required to the outside world.  Just think what would have happened under GDPR if this occurred in 2018 within the European Union.

Though just over 1 TB was exposed, out of a total of 25 TB, this was enough to make visible the name, date of birth, home address, phone number, and registration details of almost every registered voter in the US.    We only wonder what the other 24 TB contained.  A case can be made that all of this data was publically available, state-by-state in advance.  True, but when aggregated and analyzed it becomes more valuable, more sensitive.  And this type of data aggregation will only increase in the future.  So how do we maintain cloud security and protect against what was clearly the ‘human element’ in this case, non-malicious but nevertheless devastating? 

The major cloud service providers, AWS included, have published in conjunction with the CIS a set of best-practices, benchmarks that should be adhered to by every organization using their IaaS, PaaS, or SaaS platforms.  These documents align to what we term the ‘shared responsibility model’, where the provider and the customer each have their own responsibilities. In this case, the breach was totally in the domain of the customer.  

Specific areas of guidance within the benchmarks include, and there are others, encryption and separation of duties.  The AWS CIS security benchmark have a check that the S3 buckets have encryption enabled by policy.  A continuous security tool like Cavirin would have caught that both at-rest and in-transit encryption policies were missing.  Here, even if the data was released to the Internet, it would be unreadable.

On the separation of duties front, AWS provides a means of achieving this by creating roles and groups to put users into, and assigning different levels of permissions on an ‘as needed’ basis.  These feed into Identity & Access Management security policy tests, also coded within the benchmarks.  This reduces the complexity of access management, and also minimizes the accidental chances of users receiving and retaining excessive privileges.  In the case of Deep Root, the policies would have at least flagged a potential violation by creating checks and balances.

Though we can’t stop all breaches from occurring, the automation enabled by the Cavirin platform can reduce their frequency, their impact, and act as a backstop to organizations operating at ‘cloud speed’ but lacking the resources to ensure that they are always protecting the integrity of the data they handle.


© 2018 Cavirin Systems, Inc. All rights reserved.