Your Amazon EBS Snapshots and RDS Data may be leaking sensitive data to the public… Fix it permanently!
A recently published article outlined the careless user behaviors that are allowing sensitive company data held in EBS snapshots and RDS services to leak into the public domain. AWS has released new functionality to “see”, and be notified about, these risks via Trusted Advisor. But, as an experienced technologist working with Fortune 100 companies to deploy enterprise applications to cloud infrastructure, I can tell you first hand that misconfigured RDS instances and EBS snapshots are only the tip of the iceberg: careless set-ups and the lack of action-based configuration control can put your data and infrastructure at grave risk. Public S3 buckets, firewall ports open to the internet, overly permissive security groups… the list goes on and on.
The potential financial and reputational losses to companies that don’t proactively manage public access to cloud infrastructure can be catastrophic. But rest assured, these pitfalls are not the result of an insecure or faulty product from AWS or any other public cloud provider. In fact, each of these services is specifically designed to allow public exposure when it is wanted: an EBS snapshot shared with all AWS accounts, an RDS instance marked publicly accessible, or a security group open to 0.0.0.0/0 is a legitimate setting that someone chose. The idiocy in all of these events is that they were completely preventable had a cornerstone tagging and monitoring/action system been put in place.
Don’t watch user mistakes in the rear-view mirror through Trusted Advisor alone. Let me take you through the foundations of how to proactively set up, monitor, and action your cloud so that risky behavior is caught and corrected before your company becomes the subject of media headlines.
Across clients, I have seen tens of millions of dollars spent annually on ITIL processes and ISO 27001 compliance within traditional company data centers: every IT asset identified, every attribute and detail meticulously tracked and logged. But it never ceases to amaze me that once infrastructure becomes ephemeral (created and destroyed as simply and as quickly as code allows), all sense of organization is kicked to the curb and the Wild West ensues. Exposure to data loss or security breach, unbridled growth in costs, and orphaned resources are not a product problem but an operational problem, and one that we as an IT community need to address within our organizations.
Managing cloud resources at scale doesn’t have to come with the traditional organizational bloat, added costs, and process bureaucracy that plague most organizations in their implementation of ITIL practices. In fact, I would argue that those trying to manage ephemeral cloud infrastructure through traditional practices and CMDB methodologies are outright wrong in their approach and are setting their organizations up to fail. The dynamics of cloud assets simply change too quickly.
Successful cloud asset management begins with a strategic asset tagging strategy that is systematically applied and monitored across your enterprise cloud(s). The individual cloud providers publish guidance on how to tag and on how many tags each asset may carry (on AWS, up to 50 user-defined tags per resource, with case-sensitive keys and values). You can find AWS tagging recommendations here, but to prevent the atrocities of misconfiguration and bloated costs, an organizational tagging strategy and related use policy must be established. This document must spell out which tags are required for each asset type and the exact format of each tag (key spelling, case, and allowed values), because a check for ENV=PROD will never match env=prod. Various articles have been written, but one of the most comprehensive and straightforward white papers on how to establish a cloud tagging strategy was written by the team at DivvyCloud.
Once a tagging policy is created it must be deployed and enforced. How your organization orchestrates infrastructure as code will determine how the tags are deployed; AWS also offers enforcement hooks at both ends, such as IAM condition keys (aws:RequestTag, aws:TagKeys) that deny a create call lacking the required tags, and AWS Config managed rules such as required-tags that flag resources which slipped through. Monitored holistically, these tags can be interrogated and used systematically to enforce broader operational policies with “if this, then that” outcomes.
Let’s assume that we have a policy stating that only resources tagged ENV = PROD and DATACLASS = PUBLIC may be associated with a publicly open security group (ingress from 0.0.0.0/0 or ::/0) or otherwise configured for public access (a publicly accessible RDS instance, an EBS snapshot shared with all AWS accounts). We can now continuously monitor for this combination of tags and exposure and take appropriate action when non-compliant assets are discovered: actions that immediately quarantine the asset, then notify the appropriate team members that the incident occurred and how to resolve it, before intellectual property is lost.
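The following is an added example, not tooling from the article or from any vendor it mentions. It implements the policy above as a compliance check: every publicly exposed resource that is not tagged exactly ENV=PROD and DATACLASS=PUBLIC yields a finding with the quarantine action to take and the tags the owner is missing. The field names (IpPermissions, CreateVolumePermissions, PubliclyAccessible, Tags/TagList) mirror what the EC2 and RDS describe APIs return, but the inventory here is constructed by hand so the check runs offline; in a real deployment those dicts would come from boto3 and the remediation strings would become the corresponding API calls.

```python
"""Tag-driven check for publicly exposed AWS resources (added example).

Policy: a resource may be public only if tagged ENV=PROD and DATACLASS=PUBLIC.
Anything exposed without those tags is reported with a quarantine action.
The SAMPLE_INVENTORY below is constructed, not real account data.
"""
from dataclasses import dataclass

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
REQUIRED_FOR_PUBLIC = {"ENV": "PROD", "DATACLASS": "PUBLIC"}


@dataclass
class Finding:
    resource_id: str
    exposure: str       # why the resource is reachable from the internet
    remediation: str    # quarantine action the compliance engine should take
    missing_tags: dict  # policy tags that were absent or had the wrong value


def tags_to_dict(tag_list):
    """AWS returns tags as [{'Key': k, 'Value': v}]. Keys and values are
    case-sensitive in AWS, so no case folding here: env=prod must NOT pass."""
    return {t["Key"]: t["Value"] for t in tag_list}


def tag_gap(tags):
    """Policy tags missing or wrong on this resource (empty dict == may be public)."""
    return {k: v for k, v in REQUIRED_FOR_PUBLIC.items() if tags.get(k) != v}


def public_ingress_rules(ip_permissions):
    """Yield (protocol, from_port, to_port, cidr) for each rule open to the world."""
    for perm in ip_permissions:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in PUBLIC_CIDRS:
                yield perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"), cidr


def evaluate(inventory):
    """Return one Finding per non-compliant public exposure in the inventory."""
    findings = []
    for sg in inventory.get("security_groups", []):
        gap = tag_gap(tags_to_dict(sg.get("Tags", [])))
        for proto, frm, to, cidr in public_ingress_rules(sg["IpPermissions"]):
            if gap:
                ports = "all" if proto == "-1" else f"{frm}-{to}"
                findings.append(Finding(sg["GroupId"], f"ingress {proto} {ports} from {cidr}",
                    f"revoke_security_group_ingress({sg['GroupId']}, {proto}, {ports}, {cidr})", gap))
    for snap in inventory.get("snapshots", []):
        gap = tag_gap(tags_to_dict(snap.get("Tags", [])))
        shared_all = any(p.get("Group") == "all" for p in snap.get("CreateVolumePermissions", []))
        if shared_all and gap:  # group=all means every AWS account can copy the snapshot
            findings.append(Finding(snap["SnapshotId"], "createVolumePermission group=all",
                f"modify_snapshot_attribute({snap['SnapshotId']}, Remove group=all)", gap))
    for db in inventory.get("db_instances", []):
        gap = tag_gap(tags_to_dict(db.get("TagList", [])))
        if db.get("PubliclyAccessible") and gap:
            findings.append(Finding(db["DBInstanceIdentifier"], "PubliclyAccessible=true",
                f"modify_db_instance({db['DBInstanceIdentifier']}, PubliclyAccessible=False)", gap))
    return findings


def alert_text(f):
    """Notification for the owning team: what was exposed, what was done, how to fix it."""
    want = ", ".join(f"{k}={v}" for k, v in f.missing_tags.items())
    return (f"[NON-COMPLIANT] {f.resource_id}: {f.exposure}; quarantined via {f.remediation}; "
            f"to keep it public, tag it {want} or remove the exposure")


# Constructed sample inventory (hypothetical IDs, not real account data).
SAMPLE_INVENTORY = {
    "security_groups": [
        {"GroupId": "sg-0a1",  # compliant: public web tier, correctly tagged
         "Tags": [{"Key": "ENV", "Value": "PROD"}, {"Key": "DATACLASS", "Value": "PUBLIC"}],
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
        {"GroupId": "sg-0b2",  # non-compliant: SSH open to the world on a DEV group
         "Tags": [{"Key": "ENV", "Value": "DEV"}],
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                           {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    ],
    "snapshots": [
        {"SnapshotId": "snap-0c3",  # non-compliant: confidential snapshot shared publicly
         "Tags": [{"Key": "ENV", "Value": "PROD"}, {"Key": "DATACLASS", "Value": "CONFIDENTIAL"}],
         "CreateVolumePermissions": [{"Group": "all"}]},
    ],
    "db_instances": [
        {"DBInstanceIdentifier": "db-internal", "PubliclyAccessible": False, "TagList": []},
        {"DBInstanceIdentifier": "db-prod-public", "PubliclyAccessible": True,  # wrong tag case
         "TagList": [{"Key": "env", "Value": "prod"}, {"Key": "dataclass", "Value": "public"}]},
    ],
}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_INVENTORY):
        print(alert_text(finding))
```

Running it reports sg-0b2, snap-0c3 and db-prod-public and leaves sg-0a1 and db-internal alone. The db-prod-public case is the one that bites in practice: the tags are "there", but in the wrong case, which is exactly why the tagging policy has to fix key spelling and case rather than leave it to each team. In production the same evaluate() would be driven by a scheduled job or a CloudWatch/EventBridge event on resource change, and the remediation strings would be the real boto3 calls, with the notification going to the team named in an OWNER tag.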
A well implemented tagging strategy, in combination with continuous monitoring and an action-driven compliance engine, will cover your entire cloud enterprise with real-time, proactive protection. In addition to security and peace of mind, it will reduce costs and drive broader operational efficiencies. Bottom line: these are table stakes for the cloud enterprise at scale, and the cornerstone of effective cloud operations.
Thomas Martin is a former CIO, and technology leader of the General Electric Company. Prior to leaving GE, Thomas was the Executive Vice President of Application Transformation tasked with moving 9000 legacy workloads to public and private cloud infrastructure. He has been a leading evaluator, adopter, and advocate of innovative tools and emerging technology that drive effective operation of cloud infrastructure at scale.