Pwned Passwords – Have Your Credentials Been Stolen?

By Paul Sullivan, Software Engineer, Bitglass

Data breaches now seem to be a daily occurrence. In recent months, Have I Been Pwned (HIBP) introduced Pwned Passwords, which allows you to securely check your password against a database of breach data. There are over 280 breaches in the database, and that’s only the tip of the iceberg. Breaches aren’t just a problem for the users who lose their data, but for the companies responsible for it.
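How that "secure check" works, as an added illustration that is not part of the original post: the client hashes the password with SHA-1, sends only the first five hex characters to the Pwned Passwords range endpoint, and matches the remaining 35 characters locally against the suffixes the service returns, so the full hash never leaves the machine. The breach corpus and the server response below are constructed stand-ins, and the response line format is assumed from the public API rather than taken from this page.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for breached-password data (NOT real HIBP data):
# plaintext -> number of times it appeared in breaches.
CONSTRUCTED_BREACHED = {"password": 42, "letmein": 7}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash form Pwned Passwords works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> Tuple[str, str]:
    """5-char prefix (sent to the server) and 35-char suffix (kept locally)."""
    return hex_digest[:5], hex_digest[5:]


def simulated_range_response(prefix: str) -> str:
    """Stand-in for the server side of the range API. Assumption: the real
    service returns one "<SUFFIX>:<count>" line per hash under that prefix."""
    lines = []
    for plaintext, count in CONSTRUCTED_BREACHED.items():
        p, suffix = split_hash(sha1_hex(plaintext))
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the text body into {suffix: count}; tolerates CRLF and blank lines."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = simulated_range_response) -> int:
    """Number of times `password` appears in the (simulated) breach corpus.
    Only the prefix leaves the client, so the service never learns the full
    hash, let alone the password; the match happens locally."""
    prefix, suffix = split_hash(sha1_hex(password))
    # Against the live service, fetch_range would GET
    # https://api.pwnedpasswords.com/range/<prefix> instead of the stand-in.
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)
```

Pass a real HTTP fetcher as `fetch_range` to run the same logic against the live endpoint; the parsing and local matching stay unchanged.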

So how does all this data get breached?

Surely, it was some sinister character in a hoodie with extensive knowledge of computers, right? As it turns out, many of the data breaches came from misconfigured databases and Amazon S3 buckets that were left wide open for anyone who knows where to look. S3 is easy to use, which is great for security-conscious developers. However, it also makes it easy for someone who doesn’t understand security to toss some data into the cloud (so that it’s publicly viewable) and forget about it. As noted by Troy Hunt, the security researcher who runs HIBP, one company was breached because it stored personal data from IoT devices in MongoDB and Amazon S3 buckets with no credentials. It’s not just small, unorganized companies that make these mistakes either. Big corporations are losing track of their configurations, too.

Proper training is a good way to help with these problems, but it’s not always enough. Fortunately, a cloud access security broker (CASB) can help keep S3 and other cloud data secure by encrypting the data at rest. That way, even if data can be accessed by unauthorized parties, it is still unreadable and protected. A CASB can also provide auditing and analytics tools to help detect suspicious activity so that data breaches can be detected early as well as prevented from happening in the first place.

US CLOUD Act Drives Adoption of Cloud Encryption

By Rich Campagna, Chief Marketing Officer, Bitglass

The US Clarifying Lawful Overseas Use of Data (CLOUD) Act was quietly enacted into law on March 23, 2018. I say quietly due to the controversial nature of how it was passed—snuck into the back of a 2,300 page Federal spending bill on the eve of Congress’ vote. While debate rages on about both the way the bill was passed, and about the wide latitude the Act gives to the President and the State Department, the fact remains that it has been signed into law, and organizations need to start planning how to respond. For many, both in the US and abroad, that planning has drawn increased interest in Cloud Access Security Brokers (CASBs), and specifically, in cloud encryption.

The CLOUD Act is meant to expedite law enforcement access to online/cloud data, specifically when that data is stored abroad. CLOUD is an update to the Electronic Communications Privacy Act (ECPA), which was passed in 1986, long before cloud was even a twinkle in any entrepreneur’s eyes. Under ECPA, the only way for the US and a foreign government to exchange such data was under a Mutual Legal-Assistance Treaty (MLAT), which must be passed by a 2/3 vote of the Senate.

(Enough Four or Five Letter Acronyms (FFLAs) in this post for you yet?)

Cloud(y) with a chance of encryption

Under the CLOUD Act, US Law Enforcement Agencies, at any level, can require tech companies to turn over user data, whether that data is stored in the US or abroad. CLOUD also allows the President and/or State Department to enter into law enforcement data sharing agreements with ANY foreign government without approval from Congress.

The CLOUD Act eliminates the need for the foreign entity to show probable cause or obtain a search warrant to request access to this information. While a cloud service provider (CSP) can deny this access, forcing the requester back to the much more time-consuming MLAT process, enterprises have no assurance that a CSP will do so, which puts the onus on the enterprise to take additional security measures to control access to its data.

The fix? Cloud encryption, typically implemented via CASB solutions.

Choosing a cloud encryption solution

Cloud encryption allows an organization to leverage cloud applications, while at the same time encrypting sensitive data with keys that the enterprise controls. Such a scheme combines the mobility, productivity and agility advantages of using the cloud, with the security of a private data center.

Not only does encryption help mitigate concerns over rogue CSP admins or hacking attacks by malicious outsiders, but in the event that a CSP turns over data as part of a now lawful request by a US or foreign government agency, that data is useless to the third party without the cooperation of the enterprise.

What to look for in an encryption solution?

1) Preservation of cloud app functionality

2) Full-strength, peer-reviewed encryption algorithms

3) Full enterprise control over encryption keys