Americas, Breach, Content

U.S. Pentagon Government Files Exposed On Amazon Web Services (AWS) Cloud

Sensitive U.S. Pentagon files were left exposed on Amazon Web Services -- but don't blame the cloud services provider. Instead, the culprit apparently involves an engineer Booz Allen Hamilton. The alleged episode raises fresh questions about U.S. cybersecurity policies, cloud-first initiatives and IT outsourcing.

According to Gizmodo:

"A cache of more than 60,000 files was discovered last week on a publicly accessible Amazon server, including passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton, one of the nation’s top intelligence and defense contractors. What’s more, the roughly 28GB of data contained at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance."

The National Geospatial-Intelligence Agency (NGA) confirmed the leak to Gizmodo, emphasized that no classified information had been disclosed, and said corrective action had been taken.

President Trump and Cybersecurity

The security lapse surfaces only a few weeks after President Trump signed an executive order to strengthen cybersecurity. For its part, Amazon offers AWS GovCloud -- an isolated AWS region designed to host sensitive data and regulated workloads.

Dome9 CEO Zohar Alon
Zohar Alon

Still, people and processes -- rather than technology -- are often the stumbling blocks for proper cloud security. Noted Zohar Alon, Co-Founder and CEO of Dome9, a cloud infrastructure security provider:

"AWS S3 is a very popular cloud based object storage service, and a staple of most AWS environments from the earliest days of the cloud service. Yet security of S3 buckets to prevent accidental data exposure is often poorly understood and badly implemented by their users, even someone as technically savvy as an engineer with one of the world’s leading defense contractors. This type of oversight exemplifies the one-strike law for security in the public cloud. A single vulnerability, or security, or process lapse is all it takes to expose highly sensitive private data to the world and get data-jacked. Even with strict security controls in place, breaches such as this still occur due to very basic process failures, leaving extraordinarily sensitive information exposed to the world."

It's a safe bet Booz Allen Hamilton officials are likely eating humble pie somewhere in Washington, D.C., tonight.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.