Tesla hack demonstrates need to prioritize data security
The words "data security" made news once again last month when researchers revealed that Tesla’s AWS cloud systems were compromised for the purpose of cryptojacking. Cryptojacking, which is defined as the secret use of a computing device to mine cryptocurrency, has risen in popularity over the past few months. This is primarily due to 1) the surge in cryptocurrency value and 2) the discovery of clever mechanisms hackers can use to mine coins while going unnoticed.
According to RedLock researchers, the hackers infiltrated Tesla’s Kubernetes console. Kubernetes is an open-source platform used for managing containerized workloads and services. They were able to access the console because it was not password protected. Within a Kubernetes pod were Tesla AWS environment credentials that granted access to an Amazon S3 bucket holding sensitive data such as telemetry, mapping and vehicle servicing data.
First, I want to emphasize that this type of hack can happen to any organization. Securing containers and infrastructure such as AWS S3 is not an easy task. Tesla, like many other big organizations, should be applauded for recognizing this difficulty and running a bug bounty program that rewards researchers for improving the security of its products and service offerings.
The cryptojacking headline misdirects from the real concern
While the topline story is about cryptojacking, which only harms Tesla, the bigger story is the data exposure that came with Tesla losing control of its cloud infrastructure. In this instance, Tesla lost its credentials because hackers compromised sensitive information living inside a container. This is a common attack vector because most containers run as privileged users. This means that, without additional data security in place, a compromised container is equivalent to a compromised privileged user -- very dangerous.
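The two weaknesses described above, long-lived cloud credentials sitting inside a container and containers running privileged or as root, are both visible in a pod manifest before anything is deployed. The following audit script is an added example (it is not from the article and not Tesla's or RedLock's code); the pod manifest it checks is constructed for illustration, and the list of credential-like variable names is an assumption to be extended for your own environment.

```python
"""Audit a Kubernetes pod spec for two weaknesses the Tesla incident illustrates:
cloud credentials stored as plaintext container environment variables, and
containers that run privileged or as root.  Added example with a constructed
manifest; not real configuration from any organization."""
import re

# Environment variable names that commonly carry long-lived credentials.
# Assumption: illustrative list, extend for your own environment.
CREDENTIAL_ENV_PATTERN = re.compile(r".*(ACCESS_KEY|SECRET|PASSWORD|TOKEN).*",
                                    re.IGNORECASE)

# Constructed sample manifest: one weak container and one hardened one.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "telemetry-worker"},
    "spec": {
        "containers": [
            {   # weak: literal cloud keys in env, privileged, default uid 0
                "name": "telemetry-uploader",
                "image": "example/uploader:1.0",
                "env": [
                    {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEKEY000000"},
                    {"name": "AWS_SECRET_ACCESS_KEY", "value": "constructed-secret-value"},
                    {"name": "LOG_LEVEL", "value": "info"},
                ],
                "securityContext": {"privileged": True},
            },
            {   # hardened: secret comes from a Secret object, non-root, unprivileged
                "name": "hardened-sidecar",
                "image": "example/sidecar:1.0",
                "env": [
                    {"name": "API_TOKEN",
                     "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}},
                ],
                "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                                    "privileged": False},
            },
        ]
    },
}


def audit_pod(pod):
    """Return a list of (container_name, finding) tuples for a pod manifest dict."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for container in spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        # Credentials written as a literal "value" end up readable by anyone who
        # can inspect the pod; a secretKeyRef at least keeps them out of the spec.
        for env in container.get("env", []):
            if CREDENTIAL_ENV_PATTERN.fullmatch(env.get("name", "")) and "value" in env:
                findings.append((name, f"plaintext credential in env var {env['name']}"))
        # Container-level securityContext overrides pod-level settings.
        sc = {**pod_sc, **container.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append((name, "container runs privileged"))
        if sc.get("runAsNonRoot") is not True and sc.get("runAsUser", 0) == 0:
            findings.append((name, "container runs as root (uid 0)"))
    return findings


if __name__ == "__main__":
    for container_name, finding in audit_pod(SAMPLE_POD):
        print(f"{container_name}: {finding}")
```

Running it against the constructed manifest reports four findings for `telemetry-uploader` and none for `hardened-sidecar`. Moving the keys into a Secret is only the first step; where the provider supports it, short-lived credentials bound to the workload's identity (for example AWS IAM roles associated with a Kubernetes service account) remove the long-lived keys from the pod entirely, so a compromised container no longer yields a reusable credential.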
Container technology is being put in production at an astounding rate. In fact, 451 Research predicts that containers will have a compounded annual growth rate of 40 percent, reaching $2.7 billion by 2020. While the growth is substantial and encouraging, our recent report with 451 Research revealed 36 percent of IT decision makers believe data security is a top concern within container environments.
This isn’t to say that organizations shouldn’t continue to move sensitive data to cloud hosted environments such as containers -- they absolutely should. But organizations would do well to recognize that data security is a shared responsibility. Together with the cloud provider, companies can design third party monitoring and data security controls into their systems to keep track of and control their data.
Don’t be discouraged!
Yes, it sounds complicated, but the pros continually outweigh the cons. Cloud solutions offer incredible value, enhanced capabilities and increased speed of deployment.
However, this also means that organizations need to button up security and determine which solution fits best with their cloud strategy. I would define the top-level data security best practices for sharing the data security responsibility with your cloud provider as follows:
- Encryption and key management. All major providers offer Bring Your Own Key (BYOK) capabilities. BYOK allows enterprises to encrypt their data and retain control and management of their encryption keys.
- Layers of defense. For example, bring your own encryption, access control, and auditing with FIPS 140-2 key management when storing sensitive data in the cloud—especially when using object storage like Amazon S3.
- Set expectations with your provider, partner or contractor. Setting the right data security service level agreements (SLAs) with your partners from the beginning will add confidence that third parties are handling your data with the appropriate controls. If you don’t set the expectation, they are likely to put in place the least expensive (and least secure) architecture.
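The first two practices above, customer-controlled keys and layered controls on object storage, can be turned into an enforceable rule on the bucket itself. The following is an added example (not from the article, and not Tesla's or AWS's own code): an S3 bucket policy that denies any upload not encrypted with one specific customer-managed KMS key, or sent over plain HTTP, together with a small evaluator for its Deny statements so the policy can be exercised offline. The bucket name and key ARN are placeholders, and the evaluator is a deliberately simplified model of IAM's Deny and condition logic rather than the AWS policy engine.

```python
"""Added example: an S3 bucket policy enforcing BYOK (customer-managed KMS key)
encryption and TLS on every upload, plus a simplified offline evaluator of its
Deny statements.  Bucket name and key ARN are placeholders; the evaluator models
only explicit Deny with StringNotEquals/Bool conditions, not the full IAM engine."""
from fnmatch import fnmatch
import json

BUCKET = "example-vehicle-telemetry"                      # placeholder bucket
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "00000000-0000-0000-0000-000000000000")     # placeholder BYOK key
OBJECTS = f"arn:aws:s3:::{BUCKET}/*"

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Uploads that do not request SSE-KMS at all are refused.
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": OBJECTS,
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # SSE-KMS uploads using any key other than the customer-managed key are refused.
            "Sid": "DenyWrongKey",
            "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": OBJECTS,
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN}},
        },
        {   # Any request over plain HTTP is refused.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": [f"arn:aws:s3:::{BUCKET}", OBJECTS],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """Simplified IAM condition evaluation over a request-context dict."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringNotEquals":
                # A negated operator also matches when the key is absent from the
                # request; that is what makes a missing encryption header a Deny.
                if actual == expected:
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != expected.lower():
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def denying_statements(policy, action, resource, ctx):
    """Return the Sids of Deny statements matching an action/resource/context."""
    hits = []
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        action_ok = any(fnmatch(action.lower(), a.lower())
                        for a in _as_list(statement["Action"]))
        resource_ok = any(fnmatch(resource, r) for r in _as_list(statement["Resource"]))
        if action_ok and resource_ok and _condition_matches(statement.get("Condition", {}), ctx):
            hits.append(statement["Sid"])
    return hits


def is_upload_allowed(ctx, key="cars/constructed.json"):
    """True when no Deny statement matches a PutObject with this request context."""
    return not denying_statements(BUCKET_POLICY, "s3:PutObject",
                                  f"arn:aws:s3:::{BUCKET}/{key}", ctx)


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    good = {"aws:SecureTransport": "true",
            "s3:x-amz-server-side-encryption": "aws:kms",
            "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN}
    print("compliant upload allowed:", is_upload_allowed(good))
    print("plaintext upload allowed:", is_upload_allowed({"aws:SecureTransport": "true"}))
```

Because every statement is a Deny, the policy works regardless of which IAM identities are granted PutObject elsewhere: an explicit Deny overrides any Allow. In practice the same bucket would also carry a default encryption setting pointing at the same key, so that the policy is a backstop rather than the only control, and the key's own KMS policy limits which principals may use it, which is what keeps control of the data with the key owner as the BYOK model intends.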
A good place to start is by visiting the Cloud Security Alliance’s website. They provide numerous resources that can help your organization decide on its best cloud security strategy. Also, look for data security vendors that offer a platform approach to delivering all the services recommended above and more. This will ultimately reduce your operational costs and simplify expanding data security across multiple cloud vendors and on-premises solutions.
As for Tesla, they appear to be transparent and are responding to this incident in all the correct ways and I’m sure that they will learn from it. As they usher in the age of autonomous vehicles, they know how important it is to protect their vehicle data. This incident should serve as a reminder to organizations that it is critical to protect your most sensitive data, especially when this data can cause detrimental harm to customers and the organization.
Charles Goldberg, Senior Director Product Marketing and Analyst Relations, Thales eSecurity, is a successful marketing and product management leader with 20 years of experience across the networking and security industry. He also serves as a motivational manager for direct and indirect virtual teams. Before joining Thales he served as senior director of product marketing for SafeNet (now Gemalto). Charles received his bachelor’s degree in electrical engineering and computer engineering from NYU -- Poly and his master’s degree in computer science from The Johns Hopkins University.