An unprotected server hosted in the cloud and managed by a third party vendor on behalf of Verizon, has left 6 million customer records exposed, once again highlighting the need for implementing cloud access controls when transitioning to cloud hosting services such as Amazon, Box, DropBox and others.
The latest headline involves a Verizon customer database containing customer details left exposed by the telecom giant’s third party vendor, NICE Systems, a provider of call center insights software. Informed of the oversight by security firm, UpGuard, Verizon reports it was able to confirm that no data exfiltration has taken place, and that no one apart from the security firm has viewed it.
The sensitivity of the Verizon database arises from confidential customer IDs and PINs, which could have been used by fraudsters to pose as Verizon customers for various activities, such as diverting calls and text messages to phones under their control by placing call forwarding requests, potentially bypassing SMS-based two-factor authentication, which was degraded by US-based NIST last year precisely because of this kind of potential fraud scenario.
But to prevent this kind of security lapse, no less critical are the cloud access control measures implemented to ensure that only authorized users gain access to confidential information. To that end, two types of user access controls should be applied in any enterprise IT ecosystem:
- Cloud single sign-on – Enterprises who leverage the cloud can centrally control access to all their myriad cloud-based services using identity federation protocols such as SAML and OpenID Connect. Cloud single sign-on and identity-as-a-service solutions utilize such protocols to extend controls such as single sign-on and multi-factor authentication to cloud-based apps such as Office 365, AWS and Salesforce.
- Partner access control – In Verizon’s case, NICE owned the Amazon S3 server, to which access was not secured. However, third party access by consultants and business partners to proprietary and confidential information is a growing concern (recall the Target breach). As with employees, cloud access controls can be easily applied to third party users, serving as a first line of defense in protecting shared portals and web services against phishing attacks, brute force attacks and generic malware.
Do you already manage cloud access centrally for employees and partners? If not, check out the benefits of cloud identity management, watch How Identity and Access Management Works in the Cloud or get started with Forrester’s Build your IAM Strategy – Playbook.