Cloud data storage has taken off in popularity across industries, including financial services and credit unions. However, security researchers are warning organizations that their private content may be publicly available.
Sensitive data being exposed to unauthorized users on Amazon Web Services cloud storage servers (known as buckets) is not new. Over the last year and a half or so, FedEx, Verizon, the Pentagon, Uber, Alteryx, the WWE, the NSA, Dow Jones and some data mining companies have exposed data via misconfigured storage buckets, leaving information on unprotected AWS data repositories.
“All indications suggest that those reports are just the tip of the iceberg, and many more firms are putting themselves, their partners, and innocent members of the public at risk through careless data security,” a BBC report stated.
The main targets, according to security experts, are the servers supporting Amazon's Simple Storage Service (S3) buckets. A bucket is a unit of storage in the AWS object storage service; S3 buckets store objects, which consist of data and metadata. An S3 customer must create a bucket before storing data in Amazon's public cloud and specify access privileges by means of the AWS Policy Generator. SimilarTech claimed almost 400,000 websites currently use S3 buckets.
A new study from European-based HTTPCS found that, out of 100,000 buckets surveyed, 10 percent were public in that they allowed any user worldwide some form of access; 58 percent of the public buckets were publicly readable, many for legitimate reasons; and 20 percent of the publicly accessible buckets were writable, which could allow hackers to use the public buckets for more attacks, serving or controlling malware at the bucket owner's expense.
Attackers can also encrypt breached data found in the buckets and attempt to hold it for ransom.
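To make the study's "readable" and "writable" categories concrete, the following added example (not from the article or from HTTPCS) classifies a bucket's public exposure from its ACL grants and bucket policy. The function names and sample values are hypothetical; the grant layout is assumed to follow the `Grants` list of the S3 GetBucketAcl response, and `NotPrincipal`/`NotAction` statements are not handled.

```python
import json
from fnmatch import fnmatchcase

# Predefined S3 grantee groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_READ = {"READ", "FULL_CONTROL"}
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
READ_ACTIONS = ("s3:getobject", "s3:listbucket")
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject", "s3:putbucketacl")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def classify_bucket(acl_grants, policy_json=None):
    """Return the public exposure of a bucket as a subset of {"read", "write"}."""
    exposure = set()
    for grant in acl_grants:
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            if grant["Permission"] in ACL_READ:
                exposure.add("read")
            if grant["Permission"] in ACL_WRITE:
                exposure.add("write")
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        # Only unconditional Allow statements are counted; conditional ones need manual review.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _is_public(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            pattern = pattern.lower()  # IAM action names are case-insensitive
            if any(fnmatchcase(a, pattern) for a in READ_ACTIONS):
                exposure.add("read")
            if any(fnmatchcase(a, pattern) for a in WRITE_ACTIONS):
                exposure.add("write")
    return exposure

# Constructed sample: ACL is private, but the policy lets anyone read and write objects.
SAMPLE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}]
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
if __name__ == "__main__":
    print(sorted(classify_bucket(SAMPLE_ACL, SAMPLE_POLICY)))
```

A bucket with a private ACL can still be public through its policy, which is why both inputs are checked.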
This matters to the credit union industry because credit unions are starting to leverage cloud technologies, particularly when utilizing fintechs. Xerex Bueno, CTO for Layton, Utah-based CUSO CUProdigy, pointed out that these last rounds of published breaches resulted from improperly configured cloud environments. “Misconfiguration is the number one reason why there've been so many issues around breaches,” Bueno said. “A lot of it has to do with people adopting cloud technologies, who are unfortunately not the masters in that domain and making non-malicious configuration mistakes that are actually exposing themselves to the world.”
Bueno explained that individuals or companies inadvertently make S3 storage buckets publicly viewable and readable. “That means anybody who figures out the S3 storage bucket URL has basically full rights to take all the information that's in that bucket and copy it out.”
So, credit unions need to understand these security risks of cloud storage. “If they're not a hundred percent familiar with the space or know what's going on with it, they should really find a partner with a company that has a lot of cloud experience.”
Bueno explained CUProdigy offers protection by being a trusted technology partner. “We take a very consultative approach to working with credit unions who want to leverage cloud technologies to ensure that they don't end up in the news for the wrong reasons.”
Bueno suggested a credit union's journey to the cloud is an eventual reality because of the economies of scale, performance, reliability, security, and disaster recovery. All of those are challenges for a lot of credit unions that the cloud can solve, Bueno maintained. “I would urge credit unions that as they start this journey, they really find an organization that understands what it means to be a credit union and what that member data actually means at the end of the day.”
© 2024 ALM Global, LLC, All Rights Reserved.