We are barely a month into 2019, and this is the third time we’ve written about a data leak stemming from an unprotected ElasticSearch server.
The first two offenders:
The third offender, according to TechCrunch, was a data and analytics company for the financial industry, based in Fort Worth, Texas, named Ascension. “The company provides data analysis and portfolio valuations. Among its services, Ascension converts paper documents and handwritten notes into computer-readable files — known as OCR.”
More than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the biggest banks in the U.S., leaked from an ElasticSearch server that was left exposed online without a password.
TechCrunch reported that more than a decade’s worth of data, containing loan and mortgage agreements, and other highly sensitive financial and tax documents were revealed in the misconfiguration, as well as names, addresses, birth dates, Social Security numbers and bank and checking account numbers, and details of loan agreements.
Why are so many ElasticSearch databases being exposed?
ElasticSearch is an open source, standalone database server developed in Java. It is used primarily for full-text search and analysis: it takes in unstructured data from various sources and stores it in a format that is highly optimized for language-based searches. A node that is bound to a public interface with no authentication enabled answers to anyone who can reach its port, which is exactly how the leaks above happened.
Like so many AWS, GCP, Azure, and Alibaba cloud services, ElasticSearch Service is an incredibly powerful and useful service. It is also very challenging for IT professionals, developers, and engineers to consistently configure these powerful services in a way that mitigates security and compliance risk.
First, it is a daunting task to learn about how to configure ever-evolving cloud services correctly — it is like drinking from a firehose. Second, it is even more daunting to know how to do this relative to the security standards (e.g., CIS Benchmark or NIST CSF) and regulatory frameworks (e.g., PCI DSS or HIPAA) that a company chooses to or must comply with. And lastly, it is difficult for any one person or group of people to achieve 100% consistency in applying these standards at the speed and throughput that we ask our tech teams to operate.
In the Financial Service Industry in particular, organizations are experiencing a culture shift as they respond to consumer demand for improved experiences delivered when and how they want them. Building applications and migrating regulated workloads to Amazon Web Services, Microsoft Azure, and Google Cloud Platform offers an attractive way to speed innovation, time to market, and resilience. For financial service organizations to take full advantage of the opportunities public cloud offers, they must ensure that their customers are comfortable with this shift, that clear cloud governance standards are defined, and that they can present evidence of compliance to assessors and auditors.
What’s the solution?
Organizations need an automated cloud security solution that provides the automation essential to enforce policy, reduce risk, provide governance, impose compliance, and increase security across large-scale hybrid cloud infrastructure. Security automation should take the pain out of securing cloud infrastructure in a shared-responsibility world by providing a framework for what organizations should be doing, applied as a continuous, real-time process. By utilizing security automation, companies can stay agile and innovate while maintaining the integrity of their technology stack and applying the policies they deem necessary to operate their business.
Core to a company’s solution should be an easy-to-use interface from which clients can manage their existing cloud infrastructure. At scale, policy enforcement cannot and should not be performed manually. Security automation can discover and automatically take action to address policy infringements or security issues (like an exposed ElasticSearch Database). It also allows for simultaneous offense and defense, resulting in increased innovation and a reduction of risk.
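As an added illustration of the kind of policy check described above (example code written for this post, not DivvyCloud's software), the following evaluates a node's elasticsearch.yml fragment together with its cloud firewall rules and reports when the node is reachable without a password. The setting names `network.host` and `xpack.security.enabled`, the ports 9200/9300, and the firewall rule format are assumptions; the sample inputs are constructed.

```python
import ipaddress

# Added example, not DivvyCloud's code. Port numbers and setting names are the
# Elasticsearch defaults as assumed here; the firewall rule shape is constructed.
PUBLIC_ANY = ("0.0.0.0/0", "::/0")
ES_PORTS = {9200, 9300}  # REST API and node transport

def parse_yaml_flat(text):
    """Parse 'key: value' lines of a flat elasticsearch.yml, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings

def binds_beyond_loopback(host):
    """True when network.host accepts connections from other machines."""
    if host in ("_local_", "localhost"):
        return False
    if host in ("_site_", "_global_"):
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # unknown hostname or interface token: assume reachable

def evaluate_node(yml_text, firewall_rules):
    """Return policy findings for one node; an empty list means compliant."""
    cfg = parse_yaml_flat(yml_text)
    host = cfg.get("network.host", "_local_")  # assumed default: loopback only
    auth_on = cfg.get("xpack.security.enabled", "false").lower() == "true"
    if auth_on:
        return []  # password-protected: the leak pattern above does not apply
    findings = []
    if binds_beyond_loopback(host):
        findings.append("no authentication while bound to " + host)
    open_ports = sorted(r["port"] for r in firewall_rules
                        if r["source"] in PUBLIC_ANY and r["port"] in ES_PORTS)
    if open_ports:
        findings.append(f"ports {open_ports} reachable from the internet without a password")
    return findings

# Constructed inputs: the misconfiguration described above, and a hardened node.
WEAK_YML = "network.host: 0.0.0.0\nxpack.security.enabled: false\n"
HARDENED_YML = "network.host: 10.0.1.20\nxpack.security.enabled: true\n"
RULES = [{"port": 9200, "source": "0.0.0.0/0"}, {"port": 22, "source": "10.0.0.0/8"}]
```

Running `evaluate_node(WEAK_YML, RULES)` yields two findings, while the hardened node yields none; an automation layer would feed such findings into alerting or remediation.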
Interested in learning more? Speak with a DivvyCloud expert today! Or, if you’re in the financial services industry, check out our guide: Ensuring Cloud Security and Compliance in the Financial Services Industry.
DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources, allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.