Lessons Learned from the Capital One Hack: Compliance in the Cloud

When federal prosecutors charged a Seattle woman with stealing data from more than 100 million credit applications this week, the security of the Capital One AWS environment became the immediate focus of the media landscape.

According to the court filing and various media reports, the attack was launched from a server compromised because of a misconfigured web application firewall (WAF). Temporary AWS credentials were extracted from the instance role and used to pull data from S3 buckets. The attack took place on April 21st, and on July 17th an email to Capital One outlining the attack sparked an investigation.

Several things immediately stand out about this attack. Most notably:

  • The weakness identified by Capital One and throughout the media was "a misconfigured firewall." But even if that was the point of entry, a single firewall misconfiguration should not cause a breach this vast: failsafe security measures should catch intruders. The lack of redundancy in security controls points to other systemic security issues.
  • As Capital One acknowledged, the web application firewall (WAF) role in question had never made API calls such as "List Buckets" or "Sync" until this criminal made those calls. The WAF role's permissions should have been reviewed at creation time to make sure they fit its business purpose.
  • Nothing in the system flagged the WAF role's change in behavior, though such warnings were possible. When a credential set suddenly begins behaving atypically, such as scanning and looting S3 buckets, it is entirely possible to flag the behavior for review. The API-driven nature of the public cloud lets you react in real time; Amazon Macie could have caught this abnormal behavior and alerted Capital One immediately.
  • A broader security architecture review should have highlighted those extra S3 permissions and removed them from the role, or limited them to a WAF-logging-specific bucket if they were truly needed. New automation tools exist to help meet this level of compliance. Why weren't the S3 buckets holding sensitive information restricted to known IP ranges only, when such a setting can be managed and continuously monitored with automated compliance tools?
  • Permissions should be checked regularly to see whether they are actually being used; if not, the unused permissions should be removed. Netflix recently released an open source tool, Repokid, to automate this effort.
  • As a best practice, logging must always be enabled across all public cloud accounts, and those logs should be sent to a protected and dedicated logging account.
  • It’s imperative to have an Incident Response plan, so you know how to react to compromises before they happen.

On the last two points, Capital One was actually pretty successful. Because Capital One was proactively logging everything, the criminal's actions were recorded and available for immediate review. You can't protect what you can't see; at minimum, Capital One was able to look back and see the exact steps taken to breach their security, which allowed them to be rapid and accountable in their response. That is commendable.

In the end, the lesson from the Capital One breach should be one of caution: the public cloud, while far more secure than on-premises data centers, is far from a security silver bullet. It's imperative that the DevOps teams building your public cloud are paying attention.
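The behavioral-change detection called for in the bullets above (a role that has only ever written its own logs suddenly enumerating and reading buckets) can be built directly on CloudTrail, which Capital One had enabled. The following is an added example, not code from the original post or from any Capital One or AWS tooling. It learns a per-role baseline of (eventSource, eventName) pairs from one window of events and flags any call outside that baseline in a later window, rating S3 enumeration and read calls as high severity. All records, role names, bucket names, account id and IP addresses are constructed placeholders in a reduced CloudTrail shape; in practice the records would come from the protected logging account the post recommends.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records, reduced to the fields this check uses.
# Account id, role names, bucket names, instance ids and IPs are placeholders.
def _event(time, source, name, role, session, bucket=None, ip="10.0.1.25"):
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "sourceIPAddress": ip,
          "userIdentity": {"type": "AssumedRole",
                           "arn": f"arn:aws:sts::111122223333:assumed-role/{role}/{session}"}}
    if bucket:
        ev["requestParameters"] = {"bucketName": bucket}
    return ev

# Learning window: the WAF role only ever shipped its own logs; the app role read app data.
BASELINE_LOG = "\n".join(json.dumps(e) for e in [
    _event("2019-03-01T00:00:00Z", "s3.amazonaws.com", "PutObject", "waf-instance-role", "i-0aaa", "waf-logs-example"),
    _event("2019-03-02T00:00:00Z", "s3.amazonaws.com", "PutObject", "waf-instance-role", "i-0aaa", "waf-logs-example"),
    _event("2019-03-02T00:01:00Z", "logs.amazonaws.com", "PutLogEvents", "waf-instance-role", "i-0aaa"),
    _event("2019-03-02T00:02:00Z", "s3.amazonaws.com", "GetObject", "app-role", "i-0bbb", "app-data-example"),
])

# Detection window: the WAF role starts enumerating and reading other buckets.
DETECTION_LOG = "\n".join(json.dumps(e) for e in [
    _event("2019-04-21T01:00:00Z", "s3.amazonaws.com", "PutObject", "waf-instance-role", "i-0aaa", "waf-logs-example"),
    _event("2019-04-21T01:05:00Z", "s3.amazonaws.com", "ListBuckets", "waf-instance-role", "i-0aaa", ip="198.51.100.7"),
    _event("2019-04-21T01:06:00Z", "s3.amazonaws.com", "ListObjects", "waf-instance-role", "i-0aaa", "customer-data-example", ip="198.51.100.7"),
    _event("2019-04-21T01:07:00Z", "s3.amazonaws.com", "GetObject", "waf-instance-role", "i-0aaa", "customer-data-example", ip="198.51.100.7"),
    _event("2019-04-21T01:08:00Z", "s3.amazonaws.com", "GetObject", "app-role", "i-0bbb", "app-data-example"),
])

# Calls that enumerate or read data. A role adding one of these to its repertoire
# is high severity. Note that the CLI's `aws s3 sync` shows up in CloudTrail as
# ListObjects/ListObjectsV2 plus GetObject calls, not as an event named "Sync".
DATA_ACCESS_APIS = {("s3.amazonaws.com", "ListBuckets"), ("s3.amazonaws.com", "ListObjects"),
                    ("s3.amazonaws.com", "ListObjectsV2"), ("s3.amazonaws.com", "GetObject")}

def parse_events(log_text):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line must not stop the sweep over the rest
    return events

def role_name(event):
    """Return the IAM role behind an assumed-role session, or None for other identities."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    # Session ARN shape: arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
    parts = ident.get("arn", "").split(":assumed-role/", 1)
    if len(parts) != 2 or "/" not in parts[1]:
        return None
    return parts[1].split("/", 1)[0]

def build_baseline(events):
    """Map each role to the set of (eventSource, eventName) pairs it made in the learning window."""
    baseline = defaultdict(set)
    for ev in events:
        role = role_name(ev)
        if role:
            baseline[role].add((ev["eventSource"], ev["eventName"]))
    return dict(baseline)

def detect_new_api_usage(events, baseline):
    """One finding per (role, api) the role never used before: count, severity, IPs, buckets."""
    findings = {}
    for ev in events:
        role = role_name(ev)
        if role is None:
            continue
        api = (ev["eventSource"], ev["eventName"])
        if api in baseline.get(role, set()):
            continue
        f = findings.setdefault((role, api), {
            "role": role, "api": f"{api[0]}:{api[1]}",
            "severity": "high" if api in DATA_ACCESS_APIS else "medium",
            "count": 0, "source_ips": set(), "buckets": set()})
        f["count"] += 1
        f["source_ips"].add(ev.get("sourceIPAddress", "?"))
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if bucket:
            f["buckets"].add(bucket)
    return sorted(findings.values(), key=lambda f: (f["role"], f["api"]))

def run():
    """Learn from BASELINE_LOG, then sweep DETECTION_LOG; returns the sorted findings."""
    return detect_new_api_usage(parse_events(DETECTION_LOG), build_baseline(parse_events(BASELINE_LOG)))

if __name__ == "__main__":
    for f in run():
        print(f"[{f['severity'].upper()}] {f['role']} called {f['api']} x{f['count']} "
              f"from {sorted(f['source_ips'])} touching {sorted(f['buckets'])}")
```

Run against the constructed data it raises three high-severity findings, all for `waf-instance-role` (ListBuckets, ListObjects and GetObject from a source IP never seen in the baseline), and nothing for the app role, whose GetObject calls are part of its established pattern. The baseline is deliberately per-role rather than per-account: the same GetObject call is normal for one role and a red flag for another, which is exactly the distinction a permission review at role-creation time is meant to encode.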

What We Learned at 2018 re:Invent

Candid is always excited to meet other cloud enthusiasts and our customers; at this year’s AWS re:Invent in Las Vegas we got both! During the event, our team had the perfect opportunity to meet users and gain an even better understanding of how we can help them navigate their business in the cloud.

Our team of architects, engineers, project, and program managers help businesses with their journey to the cloud across a myriad of platforms. This extensive experience allows us to develop the best-fit technology solutions for both their immediate and long-term needs.

Candid’s Chief Architect, Aaron Bawcom and our client, Chris Lofton, SVP, Chief Architect at SunTrust, took to the demo theatre stage to present a session entitled, “Re-architecting a Consumer Banking Application for Better Scale and Reliability.” The presentation shared with attendees how we successfully re-architected a company’s software to provide massive scalability, bank-level security, fast performance, frequent deployments, and 100% uptime—it was such a hit, we had to do it twice.

During the last few years, we've seen an incredible shift in the number of companies undertaking the cloud journey, and we're here to give them the tools, methodology, and best practices to help them overcome the toughest challenges they face.

At our booth, the real hype during re:Invent revolved around our Enterprise Cloud Automation Platform, Volker, which provides best-in-class services to complement the cloud platform of any organization, with strong capabilities to standardize environments and ensure their compliance in a modern DevOps organization.

AWS re:Invent never ceases to provide compelling keynotes, conversations, and sessions, and this year was no different. Enterprise adoption of the cloud is only getting started, and enterprises need all the help they can get, including prescriptive advice on how to successfully navigate this limitless environment. We are excited to share how Volker compliance, paired with reusable architectural patterns, is prepared to be that guide.

Enterprise Digital Transformation is the leading factor in driving greater public cloud engagement and adoption. With an increasing demand for managed services, the AWS Partner Network currently has 115 certified MSP partners and their practices are only growing. The event featured keynote announcements, training, certification opportunities, access to an outstanding amount of resources, partner expos, and so much more.

Our takeaways from AWS re:Invent

We didn’t spend the entire time attending keynotes or talking about our solutions at the booth though—our key players spent their days taking part in breakout sessions and learning new and innovative ways AWS plans to propel their capabilities to the next level. A few interesting announcements that stood out to us came from news surrounding Amazon Textract, Forecast, Managed Blockchain, and Quantum Ledger Database.

Amazon Textract

AWS announced the launch of the highly anticipated Textract, which enables you to easily extract text and data from virtually any document. Currently, companies enter the data manually or use customized optical character recognition solutions to process their documents. This approach is prone to errors and consumes valuable time and resources. Textract uses machine learning to simplify document processing by enabling fast and accurate text and data extraction, so it's possible to process millions of documents in a fraction of that time.

Candid plans to use this powerful tool to take the traditional data lake and restructure it into a cloud-based model that pushes large-scale data processing to the companies that need it. The Intelligent Data Lake demonstrates that you don't need an army of technical resources to manage your data; instead, we configure a process that ingests, stores, organizes, tailors and feeds data to systems faster and more securely than ever before.

Amazon Forecast

Amazon Forecast is a pre-built machine learning tool that allows developers to generate predictions from time-series data much more easily than before. Amazon, of course, has built many prediction models for its own needs and is now essentially selling them as a product.

With these prediction models, Candid can better serve companies through our Intelligent Data Lake by enabling large-scale data processing (hundreds of millions of records) with predictable, tuned performance and cost, handling the various types of data sources (databases, flat files, batch, or stream processing), and pushing tailored data to the clients that need it.

Essentially, we’re going to hook up some much needed indoor plumbing to the data lake, because there’s no need to go retrieve water from the lake when you can have it delivered from your sink.

Amazon Managed Blockchain

This new AWS offering makes it affordable for customers to create and manage secure, decentralized transaction processing that can scale to support thousands of applications running millions of transactions. The service supports popular blockchain frameworks such as Hyperledger and Ethereum. Flexibility and security are important, but the service also provides a robust set of APIs so users can integrate any kind of adjustment to their ledger database as well.

Amazon Quantum Ledger Database

AWS QLDB provides a transparent and cryptographically verifiable ledger for software that requires a central, trusted authority to keep a complete and permanent record of transaction history, as in HR, finance, insurance, and supply chain. This database is intended for the cases where DynamoDB isn't the best fit.

Candid knows that automation is the driving force behind innovative software development. Our Enterprise Cloud Automation Platform, Volker, has the ability to integrate these two tools so that managed services can be configured to maintain a scalable blockchain network with just a few clicks. Our fully fledged services will introduce companies to simple, secure, automated, and fully auditable transactions that will propel them toward the future of software development.

Final Thoughts

Throughout this year’s event, we learned how our engineers could further help our clients through value-packed conferences, workshops and discussions all focused on AWS’ releases that are expanding upon an already impressive portfolio of services.

AWS is making it easier for companies to build and manage their applications in the cloud through cost control, complexity management, serverless development, large-scale transition, and more data options than ever before. A major theme was bridging the cloud gap and moving enterprises' software to the cloud.

Our tech experts are eager to apply everything they learned at this year’s re:Invent and get the gears churning on how to make our user experience even better. We’re already looking toward next year for the opportunity to connect with and help our engineering friends by making their lives a little easier when it comes to navigating the ins and outs of AWS.

Candid Shares Cloud Best Practices

Imagine deciding to build your dream house on a hill overlooking the city. You've scoped out the views, picked the most primo lot and bought the land. Now what? If you answered "pour concrete," I would predict a long and painful journey. Most of us wouldn't dream of skipping the steps where we seek out expert opinions, discuss our requirements with our significant other, hire an architect for the house's design, and plan the building's construction with our contractor.

Yet every year, major organizations make serious, and costly, mistakes when planning their move to the cloud. In fact, up to 57 percent of enterprises report stalled or failed cloud migrations. Candid regularly works with organizations to strategize and guide their journey to the cloud, and we are launching our blog to share our insights, innovation and best practices. We hope that this blog will help even more people navigate cloud migration and tackle their toughest tech challenges.

Now let’s dive into the journey to the cloud.


Why do so many cloud migrations stall or fail? A study points to two reasons for cloud migration failures.

Of the organizations surveyed:

  • 55% stated that they lacked a clearly defined business case for cloud migration
  • 44% admitted to insufficient planning

Public cloud vendors provide an amazing array of tools and services to help with cloud migrations, but you still have to plan.

At Candid, we've helped many large, forward-thinking companies navigate this impasse and successfully migrate to the cloud. What we've learned is that it is a journey that involves careful and detailed planning and execution from both a business and technical perspective.

Giving you the know-how to plan effectively is what Candid is all about. Based on years of experience, we've created and refined our framework, Candid Cloud Factory. This integration framework is advanced, automated and agile. It guides organizations in:

  • Defining the business problem to be solved and the value proposition of using the public cloud.
  • Understanding the current business and technical conditions, evaluating options and defining the technology path forward.
  • Implementing the organizational, process, and technical components required for the public cloud solution.
  • Establishing new public cloud architectures and efficiently and securely deploying applications, services and infrastructure.
  • Providing hypercare through steady-state support for the new cloud-based applications.
  • Innovating and realizing the business value enabled by the newly implemented public cloud platform.

What Can You Expect from the Candid Blog?

In future posts, we'll share more about the stages in the cloud journey as well as stories from the trenches on innovative solutions to complex tech challenges. We'll also share details on our software tool, Volker, which helps automate factory-scale cloud migrations and ensure regulatory compliance both pre- and post-deployment.

Bookmark our blog and follow us on Facebook, Twitter and LinkedIn so you don’t miss any future posts. Use our blog as a resource for valuable content that guides your technology approach, including:

  • Innovative uses of public cloud technology
  • Strategies for optimizing your cloud computing spend
  • Customer success stories
  • Methods that lead to change transformation
  • Expert tips on making the most of your technology investments