Gain transparency of your IaaS solutions with Microsoft Cloud App Security (Part 1)
Microsoft

In this 2-part series we will discuss the security risks that IaaS solutions can pose on your organization and explore how Microsoft Cloud App Security, Microsoft’s Cloud Access Security Broker (CASB), can help you detect vulnerabilities, govern existing security gaps and ensure ongoing visibility into the exposure and overall security of Amazon Web Services (AWS) and Azure environments. In part 1 we will take a closer look at AWS and more specifically S3 buckets.


AWS S3 buckets continue to be a security gap in 2018

In 2018, we saw major news items about misconfigured AWS S3 buckets nearly every month. One of the most recent cases was the misconfiguration by a Virginia-based campaign and robocalling company, which left hundreds of thousands of voter records publicly exposed. This year alone, these misconfigurations have led to more than 50 million exposed records.


In these cases, the exposure was not the result of cyber-attacks; instead, these companies misconfigured their AWS S3 buckets, leaving highly sensitive data such as scanned IDs, user accounts and passwords vulnerable and publicly accessible.

Understanding the risk for exposure in S3 buckets

AWS S3 buckets provide scalable cloud storage, but the ease of management and deployment can also be a pitfall for the security of this solution.


S3 buckets are set to “private” by default when they are created, but for varying reasons AWS admins will configure buckets to expose data publicly and make it accessible through the web. A good example is the hosting of a website, where a bucket must have public read access to make the website accessible to anyone. In the cases behind the recent headlines, however, this configuration was applied by mistake.

One of the liabilities is that the URLs of S3 buckets can be guessed, because bucket names are chosen by the user, and if the right URL is known, anyone with access to the internet can retrieve the data that was made publicly accessible. For example, if a bucket is named “Contoso”, an attacker only needs to guess http://contoso.s3.amazonaws.com to gain access.

Detect and Protect your cloud storage with Microsoft’s CASB solution

Microsoft Cloud App Security (MCAS) is a CASB solution that gives you visibility into, and provides controls for, your environment of cloud apps and services. Using the AWS App Connector, you can gain insights into the activities across your environments, such as log-ons or administrative activities.

For AWS, Microsoft Cloud App Security can also detect publicly exposed S3 buckets, and you can leverage MCAS to ensure the right access levels for your AWS S3 buckets are in place and help prevent the exposure of your data. When open S3 buckets are detected, you can choose either to apply governance actions automatically, or to evaluate the details of an alert before adjusting the access levels manually.
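To make the detection logic concrete, here is an added example (not code from the original post, and not how Microsoft Cloud App Security is implemented) that shows the two places AWS can grant anonymous access to a bucket, the bucket ACL and the bucket policy, and how a defender can classify each bucket and choose a governance action. The sample ACL and policy documents are constructed for this example; they follow the shapes returned by the S3 GetBucketAcl and GetBucketPolicy APIs, and the bucket names reuse the post's "contoso" convention. The allowlist of buckets that are intended to be public (such as a static website) is an assumption made here so that only unexpected exposure is flagged.

```python
"""Offline check for publicly accessible S3 buckets (added example, not MCAS code).

It evaluates bucket ACL grants and bucket policy statements for anonymous access
and decides on a governance action. All sample data below is constructed.
"""
import json

# AWS predefined grantee groups that make an ACL grant public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_permissions(grants):
    """Return the set of permissions granted to AllUsers / AuthenticatedUsers."""
    perms = set()
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            perms.add(grant.get("Permission"))
    return perms


def _principal_is_wildcard(principal):
    """True when a policy statement applies to anyone ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_actions(policy_json):
    """Return actions an unconditioned Allow statement grants to a wildcard principal."""
    if not policy_json:
        return set()
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        # A Condition block (e.g. a source-VPC restriction) narrows the grant;
        # only unconditioned wildcard statements are treated as fully public.
        if stmt.get("Condition"):
            continue
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def assess_bucket(name, grants, policy_json, intended_public):
    """Classify one bucket and choose a governance action.

    intended_public: bucket names an admin has explicitly approved for public
    read (e.g. website hosting); any other public bucket is a finding.
    """
    acl_perms = public_acl_permissions(grants)
    policy_acts = public_policy_actions(policy_json)
    write_exposed = ("WRITE" in acl_perms or "FULL_CONTROL" in acl_perms
                     or any(a == "s3:*" or a.startswith("s3:Put") for a in policy_acts))
    if not (acl_perms or policy_acts):
        return {"bucket": name, "public": False, "action": "none"}
    if name in intended_public and not write_exposed:
        return {"bucket": name, "public": True, "action": "monitor"}
    # Unintended exposure: the remediation is to revoke the public grant.
    return {"bucket": name, "public": True, "action": "make-private",
            "acl": sorted(acl_perms), "policy_actions": sorted(policy_acts),
            "write_exposed": write_exposed}


# Constructed sample inventory: one intended website bucket, one leaked data
# bucket, one correctly private bucket.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
SAMPLE_BUCKETS = [
    {"name": "contoso-website",
     "grants": [OWNER_GRANT, {"Grantee": {"Type": "Group",
                                          "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                              "Permission": "READ"}],
     "policy": None},
    {"name": "contoso-voter-records",
     "grants": [OWNER_GRANT],
     "policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::contoso-voter-records/*"}]})},
    {"name": "contoso-backups", "grants": [OWNER_GRANT], "policy": None},
]


def run(buckets=SAMPLE_BUCKETS, intended_public=frozenset({"contoso-website"})):
    """Assess every bucket in the inventory and return the findings."""
    return [assess_bucket(b["name"], b["grants"], b["policy"], intended_public) for b in buckets]


if __name__ == "__main__":
    for finding in run():
        print(json.dumps(finding))
```

Running the script flags contoso-voter-records for the make-private action while leaving the approved website bucket under monitoring; in a live environment the grants and policy would come from the S3 API and the make-private action would map to removing the public ACL grant or policy statement and enabling the bucket's public access block.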

[Screenshot: Overview of AWS-specific detections in Microsoft Cloud App Security]

More info and feedback

Learn how to connect Microsoft Cloud App Security to your AWS environment with our detailed technical documentation. Don’t have Microsoft Cloud App Security? Start a free trial today!

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.


Sources:

Octoly AWS S3 exposure (February 2018)

MBM AWS S3 exposure news (March 2018)

LocalBlox AWS S3 exposure (April 2018)

L.A. County AWS S3 exposure news (May 2018)

Honda India AWS S3 exposure (June 2018)

Virginia-based campaign and robocalling company (July 2018)