Open Storage Buckets Become No. 1 Breach Threat – Virtualization Review


Data Security Expert: Open Storage Buckets Become the Biggest Threat to Breach

Expressing wonder that SQL injection is still One of the biggest threats to data security, expert Karen Lopez predicted the long-standing problem will be overtaken by users planting data on open storage buckets like AWS S3 and Azure Data Blob.

“SQL injection – I think that’s what that will quickly approach and replace if [a top] The problem with data protection will be that people are storing my data in an open bucket, say an S3 bucket or an Azure Data Blob somewhere and it’s not protected,” she said.

“They usually put it there for development or test riders. They want to share it with a third-party contractor. They want access to it when they’re working on it at home, whatever they’re thinking at the time. They’re putting some production data in an open bucket and leave it there — forgot to turn it off — and think it’s good because it was only open for a few minutes there. Nobody knew it was there. That’s going to be the No. 1 way data breaches are discovered.”

Lopez, which goes by the nickname @DataChick on Twitter, shared her expertise with an audience of hundreds at a recent online tech summit hosted by Virtualization & Cloud Review. She spoke in her segment — “Modern Cloud Data Protection Best Practices” — which was part of the “Cloud Data Protection for 2022 Summit,” now available for on-demand viewing.

The senior project manager at InfoAdvisors is amazed that SQL injection still exists.

“So right now, SQL injection is still listed as one of the best… methods for data breaches,” she said. “SQL injection, a problem that we’ve known for decades in the data protection field, that we have automated tools to check for, that there are services you can use to check for SQL injection in your application code. And yet we will continue to provide code in production that has these vulnerabilities.”

Indeed, the Open Web Application Security Project (OWASP) still lists SQL injection in the OWASP Top 10: 2021, clocking in at number 3 after number 1 in 2017 and accounting for two-thirds of all web app attacks from 2017 to 2019.

As the OWASP image below shows, the “Exposure of Sensitive Data” has increased in that time, reaching number 2 behind “Broken Access Control”. While open storage buckets are different from compromised web apps, the OWASP data confirms Lopez’s prediction about the growing problem of data protection.

OWASP Top 10: 2021
[Click on image for larger view.] OWASP Top 10: 2021 (source: OWASP).

“We have ways of sharing data — production data — that can be used to diagnose a problem, and people use it incorrectly and in some cases illegally for developer test data,” Lopez continued. “We have ways to protect ourselves against that. If you find that your development process is putting production data somewhere in a storage blob for someone to access, then that has to stop now. We think once that becomes enough of a problem that cloud providers implement ways to profile your data to see if there’s credit card information, or medical images, or anything that’s unprotected.

“If you currently work at an organization where developers and DBAs are told that the security team’s role is to conduct security testing, then it’s time to stand up and say ‘no, it should be part of our development environment’.” ”

Karen Lopez, senior project manager and architect, InfoAdvisors

“I can imagine that happening, and who wants your cloud providers snooping around your data just because you put it in an open blob? All your data and test case design should be testing data protection and security items. If you’re currently working at a organization where developers and DBAs are told that the security team’s role is to conduct security testing, then it’s time to stand up and say ‘no, it should be part of our development environment’.”

That’s a lot like DevOps — or DevSecOps as the current craze is — and Lopez’s co-host at the summit, Ian Thornton-Trump, had his own prediction about that.

“I want to talk about the future and how I see DevOps merging with DevSecOps, supported by a cyber-threat intelligence program,” said the CISO at Cyjax.

“I say this, with all due respect to the managed service providers out there, IT is security and security should be IT.”

Ian Thornton-Trump, CISO, Cyjax

“This is so, I think, important for reducing the amount of silos in your organization between security responsibility, right, and the actual functioning of the IT department. Because I say this, with all due respect to the managed service providers out there , IT is security and security should be IT.”

Lopez also discussed DevOps in her presentation. “If you’re new to DevOps, and DataOps and all the other Ops coming up – I even saw OpsOps, operations ops recently, which confused me – if you’re new to that way of thinking about coding and implementation, you should Also think about securing your DevOps pipeline and your resource management so you can understand what’s happening as you run development.”

She also gave some highlights that echo the thoughts she expressed in her presentation:

  • inappropriate complexity increases security risks. But data is complex. If you want to build complexity, go out and make the world simpler and come back to me.
  • You can’t protect data that you don’t know your organization is collecting and storing.
  • Asking people what data is being collected will never be enough to find all the data.
  • Data masking works best when the masking is standardized.
  • Attackers are changing their methods, so we need to change the way we think about security.

Of course, Lopez and Thornton-Trump discussed many more data security concerns, with Lopez providing this list of best practice thoughts:

Best Practices
[Click on image for larger view.] Best Practices (source: OWASP).

As mentioned, the top is available for on-demand viewing if you want to see those best practices fleshed out with many more expert insights.

More live security summits are coming, offering benefits like real-time Q&A with presenters (not to mention a chance at a prize). Some of the things on the agenda in the coming weeks include:

About the author

David Ramel is an editor and writer for Converge360.

Leave a Comment