author photo
By Bruce Sussman
Tue | May 22, 2018 | 9:31 AM PDT

Like a tornado sucking up everything in its path, the cloud is attracting smaller companies than ever before.

One example is a website and app that more than a million parents use, USA Today has praised, and Rosie O'Donnell has even talked about on The View.

"I use TeenSafe," O'Donnell said. "As a parent of five, this is what I’m doing and it’s working.”

Now we know, however, that there was a problem with its cloud security settings.

TeenSafe allows parents to track what their kids do on their phones, including who is calling them, who they are texting, and which websites they are visiting.

And this week, ZDNet broke the story that TeenSafe has exposed thousands of parent and teen usernames, passwords, and Apple IDs.

A security researcher found the information, stored in an unsecured AWS database and in plain text.

Sigh.

Cloud access is so affordable and so easy to sign up for, anyone can do it. 

Are too many companies moving to the cloud? Is our race to the cloud moving too fast? Is cloud adoption too prevalent?

At least some in the security industry think something must change in cloud security.

“This is yet another example of organizations, in this case one developing monitoring applications, deploying in the cloud without understanding the security implications," says Mukul Kumar, Chief Information Security Officer and VP at Cavirin, a provider of cybersecurity risk posture and compliance for the cloud.

"The major public cloud providers are making it so easy and cost effective to consume cloud services, that use is moving further and further into the mid-market, or into organizations without a lot of security background." 

Sanjay Kalra agrees. He's Co-Founder and Chief Product Officer at Lacework, which provides cloud security solutions.

"AWS provides an amazing service that helps any innovative business accelerate the deployment of new applications. That said, properly configuring AWS for security requires a new set of skills and understanding of how to manage cloud resources. It is unfortunately too easy to overlook the configuration of AWS resources such as S3 buckets where data is often stored."

In the last few months alone, we've written about the unsecured S3 bucket that exposed passport scans after FedEx acquired a smaller company; the third-party vendor S3 bucket that leaked details on Capitol One; and the mis-configured S3 bucket that exposed 40,000 plain text passwords of Accenture clients. 

So what is going on here, and how can we fix cloud security?

The TeenSafe case is an example of what's gone wrong—and what can go right if cloud users and providers will just do a little bit more.

What cloud users must do to improve security

Says Mukul Kumar, "Under the shared responsibility model, TeenSafe has the responsibility to protect the data, but their IT team obviously didn’t uphold their part of the (shared responsibility) bargain."

Despite the company's talk about security and encryption (it may well be encrypting some data), the passwords, names, and Apple IDs were in plain text and unsecured in the cloud. 

teen-safe-encryptionSo TeenSafe certainly could have done more. And somehow we need to reach companies without much security experience so they know how to do more.

What cloud providers must do to increase security

Cloud companies could provide a key part of the solution. If we're sharing responsibility, perhaps cloud providers should help protect users from themselves.

Says CISO Kumar: "The cloud providers probably need to do more, and in fact they are moving in this direction, to protect the cloud assets of organizations with little or no expertise. When spinning up on EC2 instance and S3 storage bucket is almost as easy as learning how to ride a bicycle, the providers need to implement process checks that take into account little or no cloud knowledge."

That would be helpful in a world where signing up for cloud service is as easy as 1-2-3. It really is that easy, as you see here:

aws-signup-easy-fast

Comments