According to vpnMentor, Microsoft misconfigured its own Azure Blob (cloud) storage buckets, which housed third-party data, in what appears to be a self-inflicted wound. In effect, the organization scored an own goal in favor of anyone attempting to steal intellectual property.
After its researchers discovered the misconfiguration and alerted Microsoft, vpnMentor published its timeline of the interaction (or lack thereof) with the company. Several organizations whose data was contained in the bucket had been pitching Microsoft Dynamics in the hope of forming a relationship with the company.
According to the report, over 100 "pitch boards" and source code from 10 to 15 companies were exposed. These companies entrusted their ideas and intellectual property to Microsoft as part of their attempt to join the Microsoft Dynamics CRM/ERP ecosystem, and the misconfiguration unwittingly put that intellectual property at risk.
The shared responsibility model
"We may assume that the shared responsibility model places the burden of properly securing data assets in the hands of the user," the vpnMentor research team says of who bears responsibility for such misconfigurations. "Different parties in user organizations can have varying short-term goals and levels of awareness of security concepts. This could result in confidential data being revealed. This can have disastrous effects regardless of the underlying cloud stack."
CISOs should follow the principle of "shared responsibility," under which the cloud provider is responsible for the security of the cloud itself, while the customer is responsible for securing what they put in it. CISOs should emphasize this point to everyone who might be storing data in a cloud storage system that is not under their direct control.
Every day we see cloud storage owners struggle to keep their storage buckets private. They often ignore the layers of access control and authentication that cloud providers put in place to protect their data. As more of our data moves to the cloud, whether Azure Blob or AWS S3, configuring the environment to limit access to those who actually need it is becoming standard practice.
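As an added example (not code from vpnMentor, Microsoft or the report), the audit a defender would run to catch the exposure described above: take the JSON that `az storage container list` prints for a storage account, flag every container whose anonymous access level is not private, and emit the commands that close it. The sample container list below is constructed, and the field layout (`properties.publicAccess`) is assumed from the CLI's JSON output; check it against your own.

```python
import json

# Constructed sample shaped like `az storage container list --account-name ...`
# output (one object per container; the field layout is an assumption).
# "publicAccess" is the anonymous access level:
#   None        -> private (authenticated access only)
#   "blob"      -> anyone with a blob's URL can read it
#   "container" -> anyone can list the whole container and read every blob
SAMPLE_CONTAINER_LIST = json.dumps([
    {"name": "pitch-boards",   "properties": {"publicAccess": "container"}},
    {"name": "partner-source", "properties": {"publicAccess": "blob"}},
    {"name": "internal-logs",  "properties": {"publicAccess": None}},
])

EXPOSURE = {
    "blob": "anonymous read of any blob whose URL is known or guessed",
    "container": "anonymous listing and read of the entire container",
}


def find_public_containers(container_list_json):
    """Return [(name, level)] for every container that allows anonymous access."""
    findings = []
    for c in json.loads(container_list_json):
        level = c.get("properties", {}).get("publicAccess")
        if level is not None:          # None means private, nothing to report
            findings.append((c["name"], level))
    return findings


def remediation_commands(account, resource_group, findings):
    """Close each exposed container, then disable anonymous access account-wide
    so a future container cannot be flipped back to public."""
    cmds = [f"az storage container set-permission --account-name {account} "
            f"--name {name} --public-access off"
            for name, _ in findings]
    cmds.append(f"az storage account update --name {account} "
                f"--resource-group {resource_group} "
                f"--allow-blob-public-access false")
    return cmds


if __name__ == "__main__":
    found = find_public_containers(SAMPLE_CONTAINER_LIST)
    for name, level in found:
        print(f"{name}: {level} -> {EXPOSURE[level]}")
    # "examplestore" / "example-rg" are placeholder names for this demo.
    print("\n".join(remediation_commands("examplestore", "example-rg", found)))
```

The account-wide switch is the one that would have mattered here: with it set, a container's own public-access setting is ignored and anonymous requests are refused.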
The Microsoft error affected 63 gigabytes of data (some 3,800 files) generated in 2016. Although that might seem insignificant in 2021, it is for the owner of the information to judge its current value.
"In this case, it's difficult to track down who is really to blame," says Michael Quinn, CEO of ActiveCypher (and a former Microsoft executive). "Companies face an uphill fight in their attempt to build a stable data supply chain, with external consultants, suppliers, and expanding workforces having access to large swaths of critical data. In recent months, the existing network/ecosystem has been revealed as porous and vulnerable to compromise. However, losing sight of the target (data protection) and doubling down on efforts has only resulted in the same results." He goes on to say that the "real solution" is to secure data at the file level, regardless of where it was created or whether it is at rest, in transit, or external. "[This] will cancel the value of data that has been compromised, even though it has been exfiltrated."