On Thursday morning, February 20, 2020, people in tune with cybersecurity news woke to read that the private information of almost 11 million guests who stayed at the MGM Grand hotel and casino was posted publicly on a hacking forum. Justin Bieber, Twitter CEO Jack Dorsey, government officials and millions of other visitors had their personal information – including active cellphone numbers – posted to a public forum in a batch of data. The effects of this hotel data leak may be even more insidious than some expect.
The last big breach of hotel data was when Marriott was compromised in 2018. It was attributed to alleged Chinese-sponsored attackers for the purposes of intelligence and perhaps ultimately coercion. Statecraft by intelligence organizations often relies on basic information such as how and where to find people. Getting this information in bulk or using it to verify existing data is a key component to building an effective intelligence program. This information leak would be quite useful for those purposes given the high-profile patrons on the list.
Because the MGM information was posted to a public forum, the perpetrators are unlikely to be affiliated with the Marriott breach. However, the widely available MGM information could be just as useful to malicious parties. While sensitive information such as payment card details was not included in the breach, this situation could be devastating to MGM for a long time given reputational repercussions and potential fines from privacy regulations. Despite discovering the breach and notifying customers over a year ago, MGM management is losing sleep over the breach again.
The cause of this breach was an unsecured cloud server. An unfortunately common situation, this breach illustrates how critical it is to establish and enforce effective policies around storage of data in cloud servers for your own organization and for third parties with access to your sensitive data. Cloud infrastructure is fundamentally different from traditional hosted environments. In a traditional hosted environment, it is possible to wall off your little slice of the Internet; the cloud does not have such easily definable walls. Cloud service providers often define the confines of virtual boundaries – how you verify and grant access to individual users to protect your data.
With Digital Transformation, more services and data have migrated to the cloud, both within organizations and at outsourced third parties. The fundamentally different infrastructure of the cloud requires a fundamentally different approach to risk management. The emerging technologies described below are equipped to handle securing data in the cloud:
- Cloud Application Security Brokers or CASB are technologies monitoring web traffic, from users to cloud service providers. CASBs provide visibility into what your users are doing. CASBs allow you to shut down unacceptable behavior. From a Third Party Risk perspective, CASBs offer a view into vendors you may have serving your company that you were not aware of – a particularly elusive but critical task. According to Gartner, in 2017, only 5% of enterprises used CASBs despite high hopes for wide adoption. Gartner’s Hype Cycle for 2018 reveals CASB was in the “Trough of Disillusionment,” meaning early expectations were not met. In Gartner’s 2019 report, CASB appears to have entered the “Slope of Enlightenment,” where real value is realized at a better pace.
- Cloud Security Posture Management or CSPM is a newer cloud security technology that helps you lock down insecurity. It includes reporting on intrusion detection and security-relevant events and ensures configuration settings comply with security and regulatory requirements. CSPMs take the place of traditional intrusion detection and configuration management systems found in non-cloud environments.
- Major cloud infrastructure service providers often offer proprietary security solutions included or available as an add-on service. Services similar to CSPM as well as identity management and encryption can be sourced from cloud security providers. As an example, in response to an epidemic of unsecured Amazon Web Services (AWS) S3 buckets (cloud file folders with a specific URL), AWS created a series of features that notified users when they created insecure buckets and provided configuration settings/tools to help lock down vulnerabilities.
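
The kind of configuration check that a CSPM tool or a provider's insecure-bucket warning performs can be sketched as follows. This is an added example, not code from the original article or from AWS: it runs offline over constructed bucket records whose field names follow the S3 API responses for public access block, ACL and bucket policy, and the bucket names are hypothetical.

```python
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows_anyone(policy):
    """True if an Allow statement names the wildcard principal with no Condition."""
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        # Simplification: any Condition is assumed to narrow access.
        if stmt.get("Effect") == "Allow" and "*" in _as_list(aws) and not stmt.get("Condition"):
            return True
    return False

def audit_bucket(bucket):
    """Return the list of findings for one bucket record."""
    findings = []
    pab = bucket.get("PublicAccessBlock") or {}
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    # IgnorePublicAcls makes S3 disregard public ACL grants, so only flag them when it is off.
    if not pab.get("IgnorePublicAcls"):
        for grant in (bucket.get("Acl") or {}).get("Grants", []):
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                findings.append("ACL grants %s to a public group" % grant.get("Permission"))
    # RestrictPublicBuckets limits a public policy to the owning account and AWS services.
    if not pab.get("RestrictPublicBuckets") and policy_allows_anyone(bucket.get("Policy") or {}):
        findings.append("bucket policy allows Principal * with no Condition")
    return findings

def audit_all(buckets):
    return {b["Name"]: audit_bucket(b) for b in buckets}

# Constructed inventory; names and contents are hypothetical.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
BUCKETS = [
    {"Name": "example-guest-exports", "PublicAccessBlock": None,
     "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
     "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}},
    {"Name": "example-locked", "PublicAccessBlock": dict.fromkeys(PAB_FLAGS, True),
     "Acl": {"Grants": []}, "Policy": None},
]
if __name__ == "__main__":
    print(audit_all(BUCKETS))
```

The first record yields three findings (no public access block, a public-read ACL grant, a wildcard policy) and the second yields none.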
From a third party risk perspective, it is important to understand which of your vendors have your sensitive data and to make sure you are comfortable with how the vendor protects this data. Perform formal assessments or have in-depth conversations about how vendors are storing and protecting your data. Proper use of a CASB indicates that the vendor can keep tabs on where its employees keep data. Proper use of a CSPM indicates that the vendor is making an effort to secure the data. The mere existence of these technologies is not a guarantee that data is secured. Personnel need to be assigned to the technologies and know how to manage them. When assessing numerous internal and third party risks, promoting the use of CASBs, CSPMs and proprietary security solutions in cloud security can help you sleep more soundly.