MongoDB and AWS Implement New Security Features to Prevent Unauthorized Data Access
Amazon has incorporated new safeguards into its cloud servers to help users avoid misconfiguring their S3 buckets and leaving stored data unsecured. This is an extra safety measure that Amazon put in place recently to reduce the user errors that can lead to data breaches. It is particularly important when Amazon signs business associate agreements with HIPAA-covered entities. Amazon’s HIPAA-compliant cloud services can provide secure data storage, but if users make configuration mistakes, data breaches can still occur.
Many organizations, including those in the healthcare industry, have accidentally left their S3 data unsecured this year. Two notable incidents involved Accenture and Patient Home Monitoring. Accenture stored 137 GB of data, including 40,000 plain text passwords, in four unsecured cloud-based storage servers. Patient Home Monitoring stored the PHI of 150,000 patients, which was exposed because of an AWS S3 misconfiguration.
The new safeguards implemented by Amazon seek to address the issue of multiple breaches. When authentication controls of Amazon S3 buckets are not active, a bright orange button will now appear on the console to point out that the S3 bucket is accessible without needing authentication. Users can easily change the privacy settings of every S3 bucket listed on the console. Users will also receive daily and weekly reports showing which buckets are secure and which are not.
Many organizations have also experienced data breaches involving MongoDB databases this year. About 27,000 organizations worldwide had their databases hacked, with data stolen or databases deleted. The hackers then demanded payment to restore the stolen data.
MongoDB already has the security features required to stop unauthorized access to databases. Unfortunately, many users did not know that the default setting was not secure and that safeguards had to be activated.
To address the issue of unauthorized access, MongoDB decided to implement a more secure default setting in the new version of the database platform. The new MongoDB 3.6 is set to go live next month. Localhost-only access is enabled by default, so users need to manually change the setting to make their databases accessible online. The new secure default makes it less likely that important data will be exposed online.