When it comes to the field of cloud-first business strategies and sensitive data, there are few better-known names in the industry than Capital One. In case you haven’t heard, Capital One suffered an immense data breach, which affected approximately 106 million customers. At the base level, Capital One is being held responsible and already facing legal allegations related to their usage of public cloud services for data storage as opposed to more traditional private cloud applications and localized data centers. While this is a trend that is known to reduce costs dramatically, events like this cause one to stop and think… If this can happen to them, what makes my company safe?
Amazon’s AWS has been a powerhouse in the world of cloud-based applications and big data protection. So, when things like this hit the news, everyone in the industry gets put on notice. AWS has several service-level agreements and government contracts. Currently, the House of Representatives Committee on Oversight and Reform sent Amazon a letter related to a request for a briefing on the security measures AWS has in place against vulnerabilities. This is strongly related to the government’s concerns regarding the vendor’s support of the 2020 Census as well as other government data.
Exactly what “government contract” is on the line? Currently, the Department of Defense has narrowed down the finalists for a cloud management contract valued at approximately ten billion dollars between Amazon and Microsoft. Seeing the strong similarities in Microsoft’s Azure and Amazon’s AWS regarding user interface and capabilities and considering it’s a contract with the Department of Defense — you better believe data security best practices are a top priority.
This whole debacle has brought many expert opinions into the fray and the consensus is, basically, that nothing is perfect. As you know, companies like Amazon and Microsoft have top-level talent when it comes to cloud security management, engineers, and architects, but for each person working tirelessly to protect your data, there is likely someone on the same skill level trying to access secure data illegally. This is the world we live in. One in which many thefts have shifted from breaking and entering to a digital data heist. Thus, when it comes to who is responsible for protecting your data, it falls away from the cloud providers and onto the shoulders of the clients and how they set up their data configurations and encryption protocols.
The challenge with configuration falling to the cloud service client relates to the default setting. For AWS, the default was originally set to “public” (though now it is set to private). Thus, many companies utilizing this software did not properly adjust default settings, which left their data storage buckets publicly accessible and searchable on the internet.
Should AWS be to blame for this? Or does this fall on the shoulders of the client who “didn’t read the fine print”? This modern conundrum is akin to something business owners and operators have known for a long time: the competition is always looking for an edge. Now, we could spend countless hours discussing ethics and morality in the world of big data and business intelligence, but we’ll save that for another time. The takeaway here is that when it comes to protecting both your personal data as well as that of your clients, you need to hold yourself and your company as accountable as you would any cloud service provider.