Today, more and more applications are migrating to virtualized environments and becoming services in the cloud. For example, services that enable consumers to buy bread or coffee from their cell phone anywhere, anytime. Or a service which orders a taxi on demand then dynamically adjusts the route of the self-driving car based on real time traffic data. The power of Cloud is making everyone’s life much easier. But, like the moon has a dark side, so does the cloud. Cloud applications are actually facing new and more frequent security challenges, especially for run-time security. Today, one of the famous chains of bakery restaurants, Panera Bread admitted to having trouble with their online web service. Security researcher Dylan Houlihan reported a series data breaches which occurred on Panerabread.com that indicates there could be potentially millions of their customers’ private data records leaked. The issue was reported to Panera in August 2017, but unfortunately it was kept quiet, and data was still leaking as of this April. And even worse, there is no clear evidence to show how much data was leaked and to where by what attackers.
The leaked customer records includes user names, email addresses, physical addresses, birthdays and the last four digits of their credit card number. It was reported that the customer data was in plain text format which could be accessed through a normal web site URL or login. All the attacker had to do was try different user IDs to retrieve their private data. There was no need to do port scanning, vulnerability exploits or application attacks in this case. Normal security practices like scanning, hardening, digital signing, firewalling and encryption would have been useless to prevent this breach. This data breach would bypass multiple checks in the full kill chain of an attack, which would cause a lot of static security solutions or point security solution to be unable to detect any suspicious activity.
This is not the first time this type of data breach has occurred, nor will it be the last. After years of evolution and improvement, our infrastructure security is stronger, endpoint security is better, network security is deeper, and information/event analysis is smarter. But there’s no amount of security to protect you if, at the top layer, access to cloud applications and private data is not secured at all. Unfortunately this private data is the most important company asset and in this case, no attempt was made to secure it.
Despite this fact, my company NeuVector will continue to try to address this dark side through technology innovations to protect cloud applications. We start with the first and only security mesh solution, which was invented to cover attacks on applications and data in today’s complicated cloud run-time environment. In the future we may even be able to prevent the types of breaches like at Panera Bread which come from misconfigurations, oversight, mistakes, or even plain stupidity.