June 26, 2017

Protecting data on AWS – What does it really mean?

Vibhuti Sinha

Chief Product Officer, Workforce Identity & Intelligence

June 19th 2017 – Sensitive personal details relating to almost 200 million US citizens have been accidentally exposed by a marketing firm contracted by the Republican National Committee.

June 2nd, 2017 – 60,000 military documents found on AWS, along with information from an employee of Defense contractor Booz Allen. The files contained encrypted passwords connected to a US Military project at the US National Geospatial-Intelligence Agency (NGA).

News of data leaks on AWS are on the rise.

Despite of significant efforts from Amazon Web Services in creating awareness of shared responsibility model, providing security controls and trainings the leaks continue and the damage with each leak just grows in leaps and bounds

This blog post aims to explain the possible avenues, access policies and service misconfigurations leading to data exposure on Amazon Web Services.

Before we start solving the data exposure problem, lets understand the problem itself.

“Given one hour to save the world, I would spend 55 minutes defining the problem and 5 minutes finding the solution.” ~ Albert Einstein

Table below summarizes the various AWS services which can be used for storing data in some form or the other and also describes the various misconfigurations or access methodologies which leads to data exposure/leaks.

Preventing data leaks or reducing data exposure requires to have comprehensive security controls around all these services.

Understanding the problem statement as a whole, helped team Saviynt to define a comprehensive data protection framework for AWS, enabling the platform to protect data exposure from all avenues and possibilities on AWS.

“There is no magic wand that can resolve our problems. The solution rests with our work and discipline” ~ Jose Eduardo dos Santos

Saviynt for AWS is helping the organizations to protect their data on AWS with the following

Continuous monitoring on data leakage points with actionable controls – Out of box risk signatures continuously monitor for data leakage points across the entire AWS ecosystem providing actionable controls for remediation

Continuous monitoring on external sharing of datasets with actionable controls – Out of box risk signatures continuously monitor for external sharing of datasets/snapshots, providing actionable controls for remediation

Continuous Enforcement of baseline policies. Achieving Compliance is hard. Staying compliant is harder. Driving principle of Saviynt’s near real-time preventive framework. This enables organizations to determine in near real-time of insecure events, for ex. unencrypted database/object creation and also take corrective action against the same (for ex. alerting, terminating the same), thereby continuously enforcing security policies and stay compliant

Saviynt’s integration with AWS services (viz. Config – Learn More) detects insecure events in near real time. With its rules engine, it further enables organizations to enforce their security policies by implementing corrective actions against such ‘insecure’ events in near real time.

Privileged Access Management(PAM) with continuous monitoring and just in time access elevation – Saviynt’s PAM solution provides visibility on identities having high privileged access on AWS services including data entities. It also provides workflow enabled duration based access provisioning for privileged access on AWS services. Lastly, monitoring privileged access usage is critical to determine anomalies and suspicious activities. Learn more about Saviynt’s Privileged Access Management solution.

Hope this blog meets the objective of explaining the problem statement of data protection on AWS and Saviynt’s solution to prevent data exposure/leaks.

To learn more about Saviynt solution for AWS, visit: