MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches

Amazon has announced that new safeguards have been incorporated into its cloud server that will make it much harder for users to misconfigure their S3 buckets and accidentally leave their data unsecured.

While Amazon will sign a business associate agreement with HIPAA-covered entities, and has implemented appropriate controls to ensure data can be stored securely, but user errors can all too easily lead to data exposure and breaches. Those breaches show that even HIPAA-compliant cloud services have potential to leak data.

This year has seen many organizations accidentally leave their S3 data exposed online, including several healthcare organizations. Two such breaches were reported by Accenture and Patient Home Monitoring. Accenture was using four unsecured cloud-based storage servers that stored more than 137 GB of data including 40,000 plain-text passwords. The Patient Home Monitoring AWS S3 misconfiguration resulted in the exposure of 150,000 patients’ PHI.

In response to multiple breaches, Amazon has announced that new safeguards have been implemented to alert users to exposed data. While there are reasons why organizations would want their Amazon S3 buckets accessible over the Internet without the need for authentication, in most cases stored data should be protected.

To reduce the potential for data exposure, Amazon is implementing a warning system that will alert users when authentication controls are not active. A bright orange button will now appear throughout the AWS console to alert users when their S3 buckets are accessible without the need for authentication. Administrators will be able to control the privacy settings of each S3 bucket using an access control list, and publicly available buckets will be clearly displayed. Daily and weekly reports will also highlight which buckets are secure, and which are accessible by the public.

MongoDB Update Makes Databases Secure by Default

In addition to the data breaches resulting from exposed Amazon S3 buckets, many organizations have reported breaches involving unsecured MongoDB databases this year. Worldwide, more than 27,000 organizations had their databases accessed, data stolen, and their databases deleted. The attackers issued demands for payment to return the stolen data.

While MongoDB incorporates all the necessary safeguards to prevent unauthorized accessing of databases, those safeguards must be activated. Many organizations failed to realize that the default configuration was not secure.

MongoDB has responded to the breaches and has taken the decision to implement default security controls for the new version of the database platform, which is scheduled to be released next month. MongoDB 3.6 will only have localhost enabled by default. Users that require their databases to be accessible over the internet will be required to switch on that feature. Doing so will make the databases accessible by anyone, so to restrict access, authentication controls will need to be manually switched on. The new secure default configuration will make it harder for data to be accidentally exposed online.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.