The Capital One data breach has been big news and for good reason. The exposure of over 100 million personal data records is a big deal—especially when it’s a bank, and especially when it’s a bank like Capital One that has leaned into the cloud so heavily. It is too easy for the skeptics and naysayers to blame the cloud; which makes it even more critical to truly understand what happened.
With serverless at the top of our mind, we set out to recreate this hack in serverless frameworks. Our head of security research, an ethical hacker, Tal Melamed, managed to successfully recreate the Capital One breach in serverless but took it one step further by demonstrating just how to block it.
There is a lot to be learned from this data breach, and it might be easy to imagine that this breach is a result of the choice to move to the public cloud. But nothing could be farther from the truth. The fact is, Capital One has one of the most extensive security practices out there, and that leads us to lesson number one:
Lesson 1: This happened despite the cloud, not because of it.
This looks like a security misconfiguration issue at its core. The alleged hacker got access to some keys that let her use a role that could access data that she wasn’t supposed to get access to.
This is not a cloud-specific problem. It’s an application and data security problem. It’s not that different than many other data breaches we’ve seen over the past few years, and it’s not as uncommon as you might think.
Lesson 2: Configuration will make or break you
Applications are more complex. That’s true on-prem and it’s especially true in the cloud. Security, however, likes simplicity. Moving parts are not your friend when it comes to security. Getting posture right will go much farther in the fine-grained modern cloud world, but getting it wrong can be much more painful than in the past.
Lesson 3: Automate, Automate, Automate
You should have tools and processes in place to automate at least 95% of your guardrails and hardening. If you don’t, you won’t find enough hours in a day to focus on what’s leftover. Luckily, there is an increasing number of tools (like Protego) available that can help.
Applying this back to Capital One, obviously, if you were in charge of their cloud security, you’ve had better weeks. But, you are probably still quite proud of what you have been able to accomplish, and you should be. You probably have a clear path ahead of you to make sure these kinds of incidents are few and far between, because you have leaned all the way in on what the cloud gives you, you’re laser-focused on getting configuration right, and you’re lining up all the technology you need to automate everything you can.
In summary, to ensure your organization is prepared it is important to view the entire security posture of your systems- whether they are hosted in the cloud or on-prem. Get granular to make sure no one or system within the organization or outside has more access than what is needed, and safeguard your keys. Finally, make life easier, and this does not mean take shortcuts, but rather, automate! The more you can streamline your process and automate your security configurations, the more control, and visibility you will have as a result.