Tuesday, June 20, 2017

amazon EBS breaches - from report to leak

I first read this article on the 5th of June. Yesterday, 19June, I read this one after a report from Upguard.

The original release does not explain in detail how the records were discoverable but there's no coincidences. The moment I read about it I thought about that first article about permissions and storing large sets of data in a cloud service while not caring for permissions. Expect more.

A few considerations
* this is mostly Americans, but had it happened in the EU and by next year, the party would be bankrupt [memo to self: does GDPR apply to political parties?]

* the same way a hard disk is just a tool to store information, it sits passively on the security chain. A hard disk has no notion of permissions. It is the OS and controls around it (such as encryption) that secures it against unauthorised access. Nobody, unless very technical, should have access to the hardware directly. A cloud storage service works the same way. Directly manipulating data so sensitive (even ethnicity and religion, the worst possible kind of leak) should never be done in bulk as it is half way to loose track of it. The proven way of handling personal data is by understanding how it flows and, at each processing point, who has access to it and where is lies.


No comments:

Post a Comment