The World Economic Forum has released its Global Cybersecurity Outlook 2023 report, and it highlights how things have changed when it comes to data security and cybersecurity in general. It cites the inevitability of more cyber laws and regulations in view of more aggressive and sophisticated attacks, the need to regulate third parties that process data, and the influence of cloud service use on enterprise security.
Threat actors are relentless, and they ceaselessly come up with new ways to defeat existing security tools. They persistently find and exploit vulnerabilities in IT systems. It is understandable why governments feel the need to step in to address the security challenges.
One area where organizations continue to struggle is the security of their IT infrastructure, networks, and assets with respect to legacy systems. They know they must always update their security including the protection of their legacy assets, but they find it hard to do it because of poor visibility.
“Many organizations are undertaking large digital transformation projects. Adding emerging technology to legacy IT increases the complexity of organizations’ digital environments and therefore their cybersecurity risk,” the WEF report writes.
S3 Buckets and the Legacy Issue
A good demonstration of how difficult it is to update security with legacy components is the handling of cloud storage with Amazon S3 buckets. S3 stands for Simple Storage Service. It is an Amazon Web Services (AWS) service that enables object storage through a web service interface. It makes it possible to store any type of object including app data, disaster recovery data backups, archives, and data lakes.
This technology has been in use since 2006 and has been updated through the years. The issue with Amazon S3 is that it was publicly available by default for some years after it was launched. It was eventually made non-public after Amazon realized that its previous default setting posed a security threat. Many other security advancements have also been added to this service over the years.
Here lies the rub. Early adopters of Amazon S3 buckets may have not applied the security updates, which means they may have S3 buckets that are publicly exposed. It’s also likely that they have not obtained other updates like the Amazon CloudFront Origin Access Control.
Conventionally, legacy S3 buckets are updated manually. This is a tedious and challenging task, especially with the hybrid and complex nature of the IT infrastructure of most organizations at present. Many enterprises do not have comprehensive cloud visibility, which makes it hard to roll out security updates fully and efficiently. There are also cases when the application of security updates leads to incompatibilities and dysfunctions in the system.
S3 bucket security may be relatively easy for those who have started using Amazon S3 at a time when most of the crucial security updates have already been in place. For those who have been using S3 buckets before Amazon added security enhancements, it is an entirely different situation.
Legacy Tech Problem: More Common Than Perceived
Many tend to believe that the problem with legacy tech is solely or mostly about hardware and on-premise software. There’s a misconception that cloud applications and services are unlikely to become legacy because they are automatically updated and maintained. Ironically, the cloud-based Amazon S3 service itself has the potential to create a “legacy” problem.
According to independent research and advisory firm Talent Tech Labs, around 31% of the technologies used in organizations are considered legacy systems. These potentially cause undue exposure to various cyber threats. They also reportedly cost U.S. businesses up to $1.8 trillion annually because of poor productivity and technical problems that disrupt operations.
As mentioned, some organizations may have failed to obtain security updates for their S3 buckets. They unwittingly end up using a legacy version because they are unable to comprehensively account for all of their IT assets and resources. They may have unknown S3 buckets that contain corporate or sensitive data. Additionally, it is possible to have data visibility gaps, security misconfigurations, and security siloing.
Data visibility gaps are usually observed when using S3 buckets to store unstructured data. These are data that may not be regularly monitored by organizations, hence they are neglected and forgotten along with the buckets they are stored in. Security misconfigurations commonly happen because of the evolving nature of S3 bucket security. Some organizations are unable to keep up with the latest secure configurations. Meanwhile, security siloing exists because of the absence of a security solution that works across multi-cloud environments. The security solution provided by Amazon for S3 buckets, for example, only works for AWS S3, not for other similar cloud services.
Addressing Data Security Complexity
The key to resolving the vulnerabilities or data security issues created by the mix-up of legacy and modern tech is visibility. It is crucial for organizations to have a comprehensive accounting of all their IT infrastructure, networks, and assets. Enterprises must know what components and connections exist in their network. Otherwise, it would be difficult to spot security weaknesses and exploitable vulnerabilities. As such, resolving them in a timely manner would be a tall order.
It helps to have a cloud security solution or platform that efficiently handles the security of cloud environments. A platform that makes it easy to identify S3 buckets and examine their security configurations facilitates effective S3 bucket security, which in turn contributes to better data security. This platform is not necessarily devoted to S3 bucket data protection. It can be a comprehensive security posture management platform that includes tools for greater security visibility.
To emphasize, data security issues emerge when using legacy technologies because of the lack of visibility. The logical solution is to enable broad visibility and facilitate the prompt application of the necessary remedies or mitigation measures. There are already existing cybersecurity platforms capable of doing all of these. Organizations just need to look for the available options and compare them to choose the most effective option.