The news that TeenSafe, a service that allows anxious parents to monitor the use of their children's smartphones, has been leaking data of adults and teens alike, seems like a typical data-breach case.
However, the story also contains some vital lessons for enterprise security pros and those businesses that are increasingly reliant on moving large amounts of data to the cloud.
The issue started when security researcher Robert Wiggins noticed that the TeenSafe service had at least two leaky servers. The servers were hosted on Amazon Web Services and were left unprotected and accessible to anyone without a password, according to ZDNet, which first reported the issue on May 20.
The TeenSafe service allows parents to monitor phone calls, location of the devices, as well as web browsing history -- itself a wealth of personal information.
The database that ZDNet discovered did contain the parent's email address, the corresponding child's Apple ID and email, the device name, as well as plaintext passwords. Since two-factor authentication needs to be disabled for the service to work, someone from the outside would have no trouble matching the emails, IDs and passwords.
This in itself is pretty bad security, but it also seems that TeenSafe did not factor in good, cloud computing practices either and this is where the lessons lie for others entrusting their infrastructure, applications or data to AWS, Microsoft Azure or one of the other big players.
In general, the trend of most service level agreements (SLAs) is that the cloud provider is responsible for the security and integrity of the infrastructure, whether that's infrastructure-as-a-service (IaaS) or software-as-a-service (SaaS), but the customer -- in this case TeenSafe -- is responsible for the data from its customers. (See As Public Cloud Use Increases, So Does Data Theft.)
In an email, Chris Morales, head of security analytics at San Jose-based Vectra, noted the shared responsibility of security when it comes to cloud, and that TeenSafe clearly neglected its end of the bargain.
He notes that it's a poor security practice to store a parent's email address that is associated with their child's Apple ID email address, along with the child's device name, unique identifier and plaintext passwords for the child's Apple ID in the cloud without proper security controls.
"Cloud is a shared responsibility and as a provider of a cloud service, TeenSafe is responsible for securing their customer's information in the cloud," Morales writes. "Even if this server was on-premises at TeenSafe within their perimeter security controls, this type of data should be secured with encryption and administrative access controls."
Sanjay Kalra, the co-founder and chief product officer at Lacework, which offers cloud security solutions, noted in an email to Security Now that AWS offers a range of good products, but that customers, in their eagerness to move to the cloud and spin up resources as needed, many times don't have the security skills in place to deal with a cloud-centric world.
"Properly configuring AWS for security requires a new set of skills and understanding of how to manage cloud resources," Kalra wrote. "It is unfortunately too easy to overlook the configuration of AWS resources such as S3 buckets where data is often stored. Hackers have discovered that many organizations have left these buckets open to public access."
Despite the current agreement between provider and customer, Mukul Kumar, the CISO and vice president of Cyber Practice at Cavirin, notes that AWS, Microsoft and others are working to build new security tools for companies that lack these types of skills and expertise. (See AWS Adds Security Management to Growing Portfolio.)
"The cloud providers probably need to do more, and in fact they are moving in this direction, to protect the cloud assets of organizations with little or no expertise," Kumar wrote in an email. "When spinning up on EC2 instance and S3 storage bucket is almost as easy as learning how to ride a bike, the providers need to implement process checks that take into account little or no cloud knowledge."