France: CNIL releases guidance on preventing attacks on cloud infrastructure
The French data protection authority ('CNIL') published, on 7 February 2022, guidance on security incidents related to configuration errors within public cloud storage spaces, as part of CNIL's quarterly review of a particular type of security incident. In particular, the guidance utilises a hypothetical scenario to illustrate how such attacks may occur and how they can be prevented. More specifically, CNIL outlined that such attacks may be caused by a publicly accessible bucket, overly permissive access rights for users, or inadequate user authentication mechanisms.
In light of this, CNIL recommended that logging should be used as a method to detect unauthorised access to cloud infrastructure and that the data protection officer ('DPO') should be updated during the course of the investigation, adding that, where an incident constitutes a breach of personal data, CNIL must be notified within 72 hours of discovery. Ultimately, CNIL listed seven key points that should be followed in order to prevent configuration errors and related attacks, which include knowing the cloud infrastructure, creating an inventory of cloud resources, limiting access to buckets and their contents, encrypting data at rest and in transit, frequently backing up any buckets, continually monitoring and auditing buckets and their contents, and conducting internal training for employees using the infrastructure.
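As an added illustration of the auditing point above (not part of CNIL's guidance or the article), the following script checks an S3-style JSON bucket policy for the configuration errors the guidance names: an anonymous public principal, a wildcard action grant, and the absence of a rule forcing encryption in transit. The policy itself is constructed for the example; the bucket name and account id are placeholders.

```python
import json

# Constructed example of an S3-style bucket policy containing two of the
# misconfigurations discussed above: an anonymous read grant and an
# overly broad grant to one IAM user. Bucket name and account id are placeholders.
CONSTRUCTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppUser", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    # Both the bare "*" and {"AWS": "*"} forms grant access to anyone.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_policy(policy_json):
    """Return a list of (Sid, finding) tuples for risky statements in the policy."""
    findings = []
    enforces_tls = False
    for stmt in json.loads(policy_json).get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        condition = stmt.get("Condition", {})
        if stmt.get("Effect") == "Deny":
            # A Deny on aws:SecureTransport=false forces encryption in transit.
            if condition.get("Bool", {}).get("aws:SecureTransport") == "false":
                enforces_tls = True
            continue
        if _is_public(stmt.get("Principal")) and not condition:
            findings.append((sid, "publicly accessible: anonymous principal without conditions"))
        if any(action in ("s3:*", "*") for action in actions):
            findings.append((sid, "overly permissive: wildcard action"))
    if not enforces_tls:
        findings.append(("<policy>", "no Deny for aws:SecureTransport=false (plaintext access allowed)"))
    return findings
```

Running `audit_policy(CONSTRUCTED_POLICY)` reports the anonymous read grant and the wildcard grant, while the transport rule is recognised and produces no finding.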
You can read the guidance, only available in French, here.