Capital One's technology will face intense scrutiny as the investigation continues into its data breach, which affected 106 million customers. In a risk-averse industry, critics will question the financial services firm's decision to readily invest in public cloud.
Already, Capital One is facing legal challenges.
Capital One's cloud provider Amazon Web Services is also facing regulator pressure. The House Committee on Oversight and Reform sent a letter to Amazon CEO Jeff Bezos on Thursday requesting a briefing on AWS security protocols.
AWS has several government contracts, and the committee is concerned about the vendor's support of the 2020 census and other government data.
The attention comes as the Pentagon plans to award a cloud contract valued at $10 billion to one of two finalists: AWS or Microsoft. However, the Defense Department is delaying the decision until the new defense secretary can review the contract.
The cloud is maturing and more companies are adopting a cloud-first strategy. High-profile breaches undermine its reputation, causing a duel that pits technologists against nontechnical business leaders.
Cloud security and architecture is a shared responsibility. It requires companies to pay close attention to settings and adopt security defaults. Cloud providers, in turn, can focus on service simplicity.
In fact, cloud services providers are emerging as next-generation security vendors, with products ranging from chaos engineering to data loss prevention products. Their built-in security is threatening pure-play firms specializing in offerings such as event or identity and access management.
Though Capital One suffered a breach, its decision to heavily invest in public cloud technology and adopt AWS is still "spot on," said M. David Peterson, cloud architect at MasterControl.
Capital One made a mistake in not encrypting data, but there is always a way into systems, Peterson said, in an interview with CIO Dive. Amazon has industry's leading security experts making sure no one gains access to the technology.
Configuration, however, is another matter entirely.
The misconfiguration of S3
Amazon Simple Storage Service, S3, is a widely used solution companies rely on for ready access to data from anywhere on the internet.
Although reliable, S3 also pops up in the news because of misconfigured databases, which leave data publicly exposed to the internet.
Last month, a researcher at UpGuard found three publicly accessible buckets, affecting companies such as Netflix and TD Bank. Attunity, a data management company, had misconfigured the storage buckets, according to UpGuard.
A similar configuration error has exposed customer data at FedEx, too.
Industry has seen a "massive number" of data leaks from S3, said Mark Nunnikhoven, vice president of cloud research at Trend Micro, in an interview with CIO Dive. In "every one of those cases," the leaks occurred because data was set to be publicly readable.
In the past, S3 was public by default, in a cloud era where companies were still prioritizing convenience and an "easy-to-use" model over security. Now, S3 is locked down by default.
AWS has added services designed to prevent misconfigurations. It also has strong defaults and pop-up warnings which note if a bucket has public settings.
Other leading providers — Microsoft Azure and Google Cloud — have their own "flavor," but all have top-notch security, Nunnikhoven said. One of the reasons industry hears more about S3 is because it has "trillions of data objects in it."
S3 is a massive part of the AWS cloud, and AWS is the cloud market leader. It is natural that industry hears more about it. It's the same reason you hear more about malware on Windows than on Mac or Linux, he said. "It's a function of market share, not technology."
Capital One's misconfiguration was different. The company did not leave S3 readily open to the public. Instead, its web application firewall had too many permissions assigned to it, according to Nunnikhoven.
Think of it this way, Nunnikhoven said: An employee has an access card to get into their office and is allowed to go to first floor but not to the second, third or fourth.
"Essentially this was a misconfiguration that allowed your access card to access all four floors, and somebody stole your access card," he said.
Although industry blames Capital One for the configuration error, the vendor is not assigned blame. But should it be?
It's part of the shared responsibility model, Venkat Ramasamy, COO of FileCloud, told CIO Dive.
Identity management is not easy, and there are different levels of permissions in the cloud. AWS and the other cloud vendors could "simplify things," Ramasamy said. A cloud service provider cannot completely "abdicate" security responsibility.
It's like hiring a rental car, he said. When a customer rents a car, he or she expects the brakes and steering wheel to work. But the responsibility is on the customer if he or she is driving in a rash manner.
Capital One's IT maturity
Capital One is a known leader in public cloud implementation. It is a longtime showcase customer of AWS, and executives have appeared on the mainstage of Amazon's annual re:Invent cloud conferences.
The bank is perceived as a traditional player in finance, and "they've really become a software or a services delivery company that just happens to make financial products," Nunnikhoven said. "They're among the leaders in the field and this still happened to them."
The cloud serves as an amplifier, allowing smaller teams to do more with technology. It also requires them to understand how the technologies interact as layers of applications intersect in a company's technology backbone.
Technologists need to read documentation on and understand operational security responsibilities for every additional service from a cloud provider, Nunnikhoven said.
But configuration boils down to two things. Companies deciding:
- What they are going to store, and
- Who is going to access it
Simple at face value, it becomes a complex problem when more services are added.
The Capital One breach is a victim of old technology habits, Peterson said. "Why store anything on S3 unencrypted?"
Experts have warned, time and again, this breaches are inevitable. Encryption can allow companies to save face from data exposure. If the exposed data is encrypted, an incident becomes a close call rather than a disaster.
Numerous people, from system administrators to developers, are responsible for ensuring that cloud access and encryption is configured correctly. Developers need to think about encryption with everything, Peterson said.
The cloud is a massively complex system and even with a strong IT team, it can be difficult to control, Ramasamy said. If a breach hits a company with the technology maturity of Capital One, "how much more are we going to see?"