Capital One breach raises questions about security and cloud-first strategies

Capital One’s technology will face intense scrutiny as the investigation continues into its data breach, which impacted 106 million customers. In a risk-averse industry, critics will question the financial services firm’s decision to readily invest in public cloud

Already Capital One is facing legal challenges

Capital One’s cloud provider Amazon Web Services is also facing regulator pressure. The House of Representatives Committee on Oversight and Reform sent a letter to Amazon CEO Jeff Bezos Thursday requesting a briefing on AWS security protocols

AWS has multiple government contracts and the committee is concerned about the vendor’s support of the 2020 Census and other government data. 

The attention comes as the Pentagon plans to award — choosing between finalists AWS and Microsoft — a Department of Defense cloud contract valued at $10 billion. However, the agency is delaying the decision until the new Defense Secretary can review the contract.  

The cloud is maturing and more companies are adopting a cloud-first strategy. High-profile breaches undermine its reputation, causing a duel pitting technologists against nontechnical business leaders.

Cloud security and architecture is a shared responsibility. It requires companies to pay close attention to settings and adopt security defaults. Cloud providers, in turn, can focus on service simplicity.

In fact, cloud services providers are emerging as next-generation security vendors, with products ranging from chaos engineering to data loss prevention products. Their built-in security is threatening pure-play firms specializing in offerings like event or identity and access management.

Though Capital One suffered a breach, its decision to heavily invest in public cloud technology and adopt AWS is still “spot on,” said M. David Peterson, cloud architect at MasterControl. 

Capital One made a mistake in not encrypting data, but there is always a way into systems, Peterson said, in an interview with CIO Dive. Amazon has industry’s leading security experts making sure no one gains access to the technology. 

Configuration, however, is another matter entirely.

The misconfiguration of S3

Amazon Simple Storage Service, S3, is a widely-used solution companies rely on for ready access to data from anywhere on the internet. 

While reliable, S3 also pops up in the news because of misconfigured databases, which leave data publicly exposed to the internet. 

Last month, a researcher at UpGuard found three publicly accessible buckets, affecting companies like Netflix and TD Bank. Attunity, a data management company, had misconfigured the storage buckets, according to UpGuard.

A similar configuration error has exposed customer data at FedEx too.

Industry has seen a “massive number” of data leaks from S3, said Mark Nunnikhoven, VP of cloud research at Trend Micro, in an interview with CIO Dive. In “every one of those cases,” the leaks occurred because data was set to be publicly readable. 

In the past, S3 was public by default, in a cloud era where companies were still prioritizing convenience and an “easy-to-use” model over security. Now, S3 is locked down by default. 

AWS has added services designed to prevent misconfigurations. It also has strong defaults and pop-up warnings which note if a bucket has public settings. 

The other leading providers, like Microsoft Azure and Google Cloud, have their own “flavor,” but all have top-notch security, Nunnikhoven said. One of the reasons industry hears more about S3 is because it has “trillions of data objects in it.” 

S3 is a massive part of AWS cloud and AWS is the cloud market leader. It is natural industry hears more about it. It’s the same reason you hear more about malware on Windows than on Mac or Linux, he said. “It’s a function of market share, not technology.”

Capital One’s misconfiguration was different. The company did not leave S3 readily open to the public. Instead, its web application firewall had too many permissions assigned to it, according to Nunnikhoven. 

Think of it this way, Nunnikhoven said: An employee has an access card to get into their office and are allowed to go to first floor, but not to the second, third or fourth. 

“Essentially this was a misconfiguration that allowed your access card to access all four floors, and somebody stole your access card,” he said. 

While industry critiques Capital One for the configuration error, the vendor is not assigned blame. But, should it?

It’s part of the shared responsibility model, Venkat Ramasamy, COO of FileCloud, told CIO Dive. 

Identity management is not easy and there are different levels of permissions in the cloud. AWS and the other cloud vendors could “simplify things,” said Ramasamy. A CSP cannot completely “abdicate” security responsibility.

It’s like hiring a rental car, he said. When a customer rents a car, they expect the brakes and steering wheel to work. If the customer is driving in a rash manner, the responsibility is on them.

Capital One’s IT maturity

Capital One is a known leader in public cloud implementation. It is a long-time showcase customer of AWS and executives have appeared on the mainstage of Amazon’s annual re:Invent cloud conferences. 

The bank is perceived as a traditional player in finance and “they’ve really become a software or a services delivery company that just happens to make financial products,” Nunnikhoven said. “They’re among the leaders in the field and this still happened to them.”

The cloud serves as an amplifier, allowing smaller teams to do more with technology. It also requires them to understand how the technologies interact as layer upon layer of applications intersect in a company’s technology backbone. 

Every additional service from a cloud provider is another thing technologists need to read documentation on and understand operational security responsibilities, Nunnikhoven said.

But configuration boils down to two things. Companies deciding: 

Simple at face value, it becomes a complex problem when more services are added. 

The Capital One breach is a victim of old technology habits, Peterson said. “Why store anything on S3 unencrypted?” 

Encryption and decryption used to be a bigger deal and going through the process was difficult, said Peterson. But in S3 it is configured automatically to encrypt it should remain the standard. 

Experts have warned, time and again, breaches are inevitable. With encryption, it can allow companies to save face from data exposure. If the exposed data is encrypted, an incident becomes a close call rather than a disaster. 

Numerous people are responsible for ensuring cloud access and encryption is configured correctly, from system administrators to developers. Developers need to think about encryption with everything, Peterson said.

The cloud is a massively complex system and even with a strong IT team, it can be difficult to control, Ramasamy said. If a breach hits a company with the technology maturity of Capital One, “how much more are we going to see?”