The personal information of students and teachers in India was exposed on the Internet for more than a year. The Digital Infrastructure for Knowledge Sharing (Diksha) app stored the data on an unprotected Azure cloud server. Diksha has made data privacy news before: last year, a report from Human Rights Watch found that the app was tracking students’ location and sharing that information with Google.
Note
- Practitioner’s note: If you’re not 100% confident that your cloud assets are appropriately secured from public access, test it! Try to access it from an account which shouldn’t be able to access your instance/storage blob/assumed role policy. You may still miss subtle misconfigurations, but you’ll catch the most egregious – like this one.
- Improper configuration of cloud resources is a preventable problem. The Center for Internet Security publishes and makes available for free foundation benchmarks for each of the major cloud service providers (Azure in this case). The benchmark contains security recommendations, and information on how to implement them, that improves the security posture of cloud resources.
Read more in
