“It’s Turtles All the Way Down” - FTC Focuses on AWS Security
Privacy Plus+
Privacy, Technology and Perspective
This week, let’s look at a recent Consent Order between the Federal Trade Commission (FTC) and the ed tech platform Chegg, and then consider what lessons can be drawn about Amazon Web Services (AWS).
But first, here is an explanation of the turtle metaphor and an overview of IT services: The title of this post is well-worn, but we’ve never written it down until now. Instead, for a long time we’ve told a story we once heard in a poetry class (thank you, Professor Willard Spiegelman!), which we’ll re-tell as follows:
An elderly lady who was a member of a garden club was listening politely to a lecture on the origins of the universe. After the lecture ended, the lecturer, a well-known expert on the Big Bang Theory, asked if there were any questions or comments. The lady raised her gloved hand and, once acknowledged, said:
“But sir, you have it all wrong.” The lecturer looked at her skeptically and asked:
“Well, what do you mean?” She explained:
“The World, in fact, sits on the back of a turtle.” Her certainty made him pause. He raised his eyebrows, took a breath, then replied:
“Interesting theory, Madame. Let me ask: What does that turtle sit on the back of?” Without missing a beat, she explained further:
“That turtle sits on the back of another turtle, of course.” He cocked his head, smiled, and, catching on, replied:
“And let me guess: that turtle sits on the back of another turtle!” She beamed, exclaiming:
“Yes! It’s turtles all the way down!”
“It’s turtles all the way down” is an apt metaphor for information technology infrastructure because most IT service providers build their services on top of other services (provided by other IT service providers), most often ending with data storage services provided by AWS, Microsoft Azure, or Google. Associated data flows through this rich ecosystem. That is why data mapping—understanding and documenting where your data is, who is processing it, and how it is being used and secured—is so important. In this environment, AWS, Microsoft, and Google are terminal turtles, so to speak.
The big wrinkle is that few organizations can negotiate with AWS, Microsoft, or Google. Consequently, most organizations must accept the standard terms that come with AWS, Azure, or Google services. These contracts are prepared unilaterally by those providers, who offer them as the parties with superior bargaining strength.
FTC Faults Chegg for Insufficient AWS Security (and a Data Breach): In late October, the FTC filed a Complaint against Chegg for lax data security practices in its use of AWS storage, specifically AWS’s Simple Storage Service (S3). Essentially, the FTC faulted Chegg for failing to configure the S3 services appropriately. Specifically, the FTC noted that Chegg:
· Failed to require its employees and contractors to use distinct access keys to access the S3 database;
· Failed to utilize multi-factor authentication (MFA);
· Failed to rotate access keys to the S3 databases;
· Failed to encrypt sensitive data;
· Failed to update its cryptographic hash;
· Failed to restrict access based on job role or function; and
· Failed to maintain written security and retention policies, provide adequate training, and monitor its systems adequately.
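As an added example (not part of this post or of the FTC filings), here is an offline audit in Python that checks an account snapshot for three of the failures listed above: missing MFA, unrotated access keys, and buckets with no default encryption. The user and bucket records are constructed to mirror the shape of the boto3 IAM and S3 responses, and the 90-day rotation interval, account number and key IDs are assumptions.

```python
# Offline checks modelled on the FTC's Chegg findings; input dicts mirror boto3 response
# shapes (iam.list_access_keys, iam.list_mfa_devices, s3.get_bucket_encryption) but are
# constructed here so the audit runs without an AWS account; no encryption config is given as None.
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation interval; the Order gives no number

def audit_user(user, now):
    """Findings for one IAM user: no MFA enrolled, or an active key older than MAX_KEY_AGE."""
    findings = []
    if not user.get("MFADevices"):
        findings.append(f"{user['UserName']}: no MFA device enrolled")
    for key in user.get("AccessKeyMetadata", []):
        age = now - key["CreateDate"]
        if key["Status"] == "Active" and age > MAX_KEY_AGE:
            findings.append(f"{user['UserName']}: key {key['AccessKeyId']} is {age.days} days old")
    return findings

def audit_bucket(bucket):
    """Findings for one bucket: no default server-side encryption rule configured."""
    config = bucket.get("ServerSideEncryptionConfiguration") or {}
    algs = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
            for r in config.get("Rules", [])]
    return [] if any(algs) else [f"{bucket['Name']}: no default server-side encryption"]

def run_audit(users, buckets, now):
    """Collect findings across all users and buckets."""
    findings = [f for u in users for f in audit_user(u, now)]
    return findings + [f for b in buckets for f in audit_bucket(b)]

# Constructed sample data: one neglected shared service user, one well-kept analyst,
# one unencrypted bucket, one bucket with a KMS default-encryption rule.
NOW = datetime(2023, 1, 15, tzinfo=timezone.utc)
USERS = [
    {"UserName": "shared-etl", "MFADevices": [], "AccessKeyMetadata": [
        {"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
         "CreateDate": NOW - timedelta(days=400)}]},
    {"UserName": "analyst", "MFADevices": [{"SerialNumber": "arn:aws:iam::111122223333:mfa/analyst"}],
     "AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
                            "CreateDate": NOW - timedelta(days=10)}]},
]
BUCKETS = [
    {"Name": "example-student-records", "ServerSideEncryptionConfiguration": None},
    {"Name": "example-logs", "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
]

if __name__ == "__main__":
    for finding in run_audit(USERS, BUCKETS, NOW):
        print("FINDING:", finding)
```

In a live account the same functions can be fed the real responses from those three boto3 calls; a bucket for which get_bucket_encryption raises its not-found error is passed as None.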
The FTC alleged that Chegg’s deficient security practices led to multiple data breaches. Rather than fight these allegations, Chegg decided to settle. Notably, the proposed Consent Order requires Chegg to provide a mechanism for consumers to access or delete their data, even though such access and deletion rights do not currently exist under any federal law.
Links to the Chegg Complaint and proposed Consent Order follow:
https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf
https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Decision-and-Order.pdf
Our thoughts: AWS arguably bears some responsibility here. In an ideal world, AWS, Azure, and Google would all offer security by default. By shifting the burden of configuring their various environments onto their customers, the providers disadvantage those customers, especially when the customers have no viable alternatives and no power to negotiate the contractual terms (which also cap liability at the meager amount of fees paid). Interestingly, AWS may be having the same thoughts. We noticed an announcement on January 5th that S3 now encrypts new objects by default. A link to that announcement follows:
https://aws.amazon.com/blogs/aws/amazon-s3-encrypts-new-objects-by-default/
Regardless, organizations whose worlds sit upon turtles like AWS, Azure, or Google will want to ensure that their security settings are correctly configured. We would suggest taking a closer look at the Chegg Complaint for specifics. Also, those organizations should ask the service providers that rely on AWS, Azure, or Google services for contractual assurances that those environments are securely configured. After all, “it’s turtles all the way down.”
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.