Every week there seems to be a continuous stream of news that continues to paint an unfortunate picture when it comes to cloud security. In fact, we regularly see evidence that organizations are taking the same security practices — good or bad — from their traditional systems and transitioning them to their public clouds.
Last week it was a report from mobile app management vendor Appthority, which shows that it’s not just poorly coded mobile apps that pose the challenge — but poorly configured and secured backend databases. This was one of the primary reasons behind the vendor’s discovery that terabytes of data, and hundreds of millions of personal records were exposed and created major security risks. Appthority found that poorly configured cloud platforms running Elasticsearch, Redis, MongoDB, MySQL and others created the security vulnerabilities.
The company dubbed the flaw HospitalGown. “HospitalGown is a vulnerability to data exposure caused, not by any code in the app, but by the app developers’ failure to properly secure the backend servers with which the app communicates,” wrote Seth Hardy in this blog.
The backend data exposure risk is significant:
- Appthority found 1,000 affected apps on enterprise mobile devices connected to over 21,000 open Elasticsearch servers, revealing almost 43 TB of exposed data;
- A subset of just 4 percent of the affected apps revealed that as much as 163.53GB of data, or approximately 280 million records, have been exposed;
- Data being leaked contains Personally Identifiable Information (PII) including: passwords, location, travel and payment details, corporate profile data (including employees’ VPN PIN reset tokens, emails, phone numbers), and retail customer data.
“Every new mobile app that uses a back-end platform for data storage or analysis is a potential source of risk. Enterprises relying on software developers to properly code and configure the backend connections are exposed,” the report said.
While it’s broadly accurate that public cloud service providers provide a foundations built on effective security, organizations can’t rest on that foundation and expect their systems and data to be secure. They must pick up where the cloud providers let go and secure their own systems, configurations, apps and data.