Top cloud security controls you should be using | CSO Online Another day, another data breach because of poorly configured cloud-based systems. The latest incident, in which up to 6 million customer details for Verizon’s United States customers was exposed, is yet another reminder both the cloud provider and the organization share the responsibility for cloud security.
There is a misconception that the cloud service provider is in charge of securing the cloud environment. That is only half the story. Cloud security providers such as Amazon, Microsoft and Google take care of security for their physical data centers and the server hardware the virtual machines run on, but leave the individual customer in charge of protecting the virtual machines and applications. Cloud providers offer an array of security services and tools to secure customer workloads, but the administrator has to actually implement the necessary defenses. It doesn’t matter what kind of security defenses the cloud provider has in place if the customers don’t protect their own networks, users and applications.
A third-party service provider handled Verizon’s back-office and call center operations and stored all customer call data, which included names, addresses, phone numbers, and account PIN codes of every Verizon customer that called the call center over the past six months, in an Amazon Web Service (AWS) Simple Storage Service (S3) data store. The data collection was meant to help improve customer service experience, but because the S3 bucket was incorrectly configured to allow external access, anyone patient enough to work out the web address would have been able to download the information. Scammers who got their hands on the data would be able to pose as an any Verizon customer on a call and gain access to customer accounts.
No hay comentarios.