Customer Data Exposed in OneLogin Data Breach

By on Jun 07, 2017

From Azure to AWS – cloud adoption is booming, which has security professionals trying to find the right formula for securing the cloud. Now, a new data breach at OneLogin, whose business is providing secure access to multiple cloud applications, has reaffirmed the need for cloud security.

How did the breach happen? It’s unknown exactly how the hackers obtained them, but they accessed AWS keys and used them to enter the vendor’s environment for hours before abnormally high activity in the OneLogin database alerted the internal team that something was awry. Once aware, the team took only minutes to shut down the AWS instances and retire the AWS keys to prevent further access. But, of course, there was already a fair amount of damage done.

The cybercriminal responsible was able to access databases with information about users, apps, and various types of keys. That data is encrypted, but there is high suspicion that it may have been decrypted by the threat actors. As McAfee CTO Steve Grobman has said, encryption is, at the end of the day, just math—math that hackers can easily figure out with enough compute power.

The reason OneLogin was attacked was to steal these credentials, which is part of a larger trend that our McAfee Labs 2017 Threats Predictions report anticipated. Passwords, and the people who create and use them, will remain the biggest weakness throughout most technologies for the foreseeable future. Cloud authentication is no different and actually represents a much bigger payoff for thieves. The proliferation of cloud apps and services, and human fondness for using the same or similar password for each cloud service, exacerbates the problem.

This breach may, in part, also stem from insufficient database and cloud security procedures, but it brings up a larger issue regarding identity and password management tools. Users place much trust and faith in the services where they store their passwords to their work and personal accounts. Breaches require them to go through a series of frustrating steps to secure those accounts, including generation of new API credentials and OAuth tokens. A OneLogin customer who spoke with Ars Technica said they were having to “rebuild the whole authentication security system… OUCH!”

The attack vectors in this breach also require companies to ask some critical questions. For example, should they make a policy to retire AWS keys after 30, 60, or 90 days? How is an attacker able to access decryption keys for such an important set of data stored in a database? Organizations need to rethink how and where they store data, as well as encryption keys.
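One way to measure access-key age against the 30, 60, and 90-day retirement policies raised above, as an added example that is not part of the original post. It reads a CSV in the column layout of an IAM credential report; the sample rows, user names, and the fixed evaluation date are constructed.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an IAM credential report,
# trimmed to the columns this check needs. User names are made up.
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
build-bot,true,2017-01-02T09:00:00+00:00,false,N/A
ci-deploy,true,2017-03-25T09:00:00+00:00,false,N/A
db-backup,true,2017-04-23T09:00:00+00:00,true,2016-11-01T09:00:00+00:00
alice,false,2016-01-01T09:00:00+00:00,false,N/A
"""

NOW = datetime(2017, 6, 7, tzinfo=timezone.utc)  # constructed evaluation date
POLICIES = (30, 60, 90)  # candidate maximum key ages in days


def key_ages(report_csv, now):
    """Yield (user, key_slot, age_in_days) for every active access key."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            if row.get(f"access_key_{slot}_active", "").lower() != "true":
                continue  # a deactivated key cannot authenticate; skip it
            rotated = row.get(f"access_key_{slot}_last_rotated", "N/A")
            if rotated in ("", "N/A"):
                continue  # no rotation timestamp recorded for this slot
            age = now - datetime.fromisoformat(rotated)
            yield row["user"], slot, age.days


def overdue(report_csv, now, max_age_days):
    """Return active keys older than the policy, sorted by user and slot."""
    return sorted(k for k in key_ages(report_csv, now) if k[2] > max_age_days)


def violations_by_policy(report_csv, now, policies=POLICIES):
    """Map each candidate policy to the keys it would force to be retired."""
    return {days: overdue(report_csv, now, days) for days in policies}


if __name__ == "__main__":
    for days, keys in violations_by_policy(SAMPLE_REPORT, NOW).items():
        print(f"{days}-day policy: {len(keys)} key(s) overdue")
        for user, slot, age in keys:
            print(f"  {user} key {slot}: {age} days old")
```

Running the three thresholds side by side shows how many keys each policy would force to be reissued before it is adopted.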

For more information about this breach and others like it, make sure to follow @McAfee and @McAfee_Business.



About the Author


McAfee is the device-to-cloud cybersecurity company. Inspired by the power of working together, McAfee creates business and consumer solutions that make our world a safer place.
