The New York SHIELD Act: How to Protect Your AWS Cloud Infrastructure


This July marked the second anniversary of the devastating Equifax data breach. Nearly 150 million consumers were frantic with worry that their sensitive information — including Social Security numbers and driver’s license numbers — was in the hands of unknown hackers. These high-profile data breaches have extreme reverberations; consumers are put at risk, and companies are forced to compensate. Equifax will likely end up shelling out up to $700 million.

Representatives in New York have now responded to this disastrous breach with a new law that imposes much stricter liabilities on companies that handle private consumer data. In turn, it provides more protection and transparency for New York consumers. Enter the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which the legislature passed on July 25th after being signed by Governor Andrew Cuomo.

The law, which will take effect on March 21st, 2020, has strict implications for businesses around the world who hold data from New York residents. The Act amends New York’s current data breach notification laws by expanding the legal definition of a “breach” and setting new rules for the way the state handles breaches. It also enforces rigorous penalties on companies that experience breaches of private consumer data — violations can result in fines up to $250,000.

So, what does this mean for you?

We’ve put together a comprehensive guide for you detailing what you need to know about the New York SHIELD Act and how to protect your AWS cloud infrastructure from breaches.

Principles of The New York SHIELD Act

Any breach of security must be disclosed without unreasonable delay to any New York resident whose private information was accessed or acquired by an unauthorized person. Your business needs to comply if you hold private digital data belonging to a resident of New York, even if you don’t do business in New York. So, this law has global implications — similar to the EU’s GDPR. Here are the newest updates produced by the law.

The definitions are changing

  1. The legal definition of private data is broadening to include:
    1. Account number and debit or credit card number — if such information could be used to obtain a resident’s financial account without a security code or password
    2. Biometric data — such as a resident's fingerprint, retina image or voice print
    3. Username or email — combined with password or security question answer
  2. The legal definition of a data breach is expanding to include unauthorized access to personal or private information. Previously, New York had defined a data breach as the unauthorized acquisition of personal or private information.

The law requires businesses to implement more security measures

  1. The law now states that any business that owns or licenses computerized data of a New York resident must implement “reasonable” security measures to protect the confidentiality and integrity of the private information. These security measures vary depending on the size of the business.
  2. The Act also enforces security standards for network and software, including information storage. You will be responsible for executing security measures for your cloud infrastructure, such as Amazon Web Services (AWS).
  3. Note: Businesses that are already in compliance with other information laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) are already compliant with the SHIELD Act.

Penalties

  1. The New York SHIELD Act does not authorize private or class action lawsuits; instead it authorizes the Attorney General to impose civil penalties for consumer data breaches.
  2. The Attorney General may enforce penalties up to $250,000 for knowing and reckless data breach violations.

Many companies trust cloud service providers, like AWS, with a considerable amount of private consumer data. Consequently, cloud services are a huge target for attackers. Here are some tips to prevent a disastrous (and costly) shutdown.

How to Protect Your AWS Cloud Infrastructure

Gartner’s Magic Quadrant has ranked Amazon Web Services (AWS) as the top Infrastructure as a Service (IaaS) provider for eight years. However, with the ever-increasing abundance of attackers, you must take the proper security measures to lessen the impact of a hacker — and avoid gross negligence accusations. Here are five of our prescribed best practices for behaving responsibly.

  1. Know your liabilities

    If you are using a cloud service, such as AWS, to store consumer data, it is critical that you gain a clear understanding of where Amazon's responsibility ends and where yours begins. AWS and other cloud service providers consider security to be a shared responsibility between themselves and the customer — in this case, your business.

    For example, AWS is accountable for defending its infrastructure against attackers, detecting abuse and responding to incidents. As an AWS user, you are responsible for the proper configuration of your cloud environment, controlling access and monitoring for misuse. Read and understand the shared responsibility model — it’s vital that you identify who is liable if something goes wrong in your cloud environment.

  2. Secure Identity and Access Management (IAM) access keys

    IAM access keys are long-term credentials for programmatic (API and CLI) access to your account, including creating and managing AWS users, so you need to ensure that they cannot be stolen or misused. In addition to requiring that all users use multi-factor authentication for all logins, you must also not assign overly permissive access. Grant only the permissions each user needs to perform their job.

    IAM keys also become a liability if you and your users do not rotate them regularly. Change your access keys at least every 90 days and implement a firm password policy to secure your user accounts and prevent unauthorized access.
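As an added example (not code from the original post or from AWS), here is a small Python audit of the two controls above, the 90-day rotation limit and MFA enrollment, run over constructed sample data shaped like the IAM API responses; the user names, key ids and dates are made up.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the AccessKeyMetadata entries returned by
# boto3's iam.list_access_keys(UserName=...); the key ids are made up.
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": datetime(2019, 5, 1, tzinfo=timezone.utc)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": datetime(2019, 9, 20, tzinfo=timezone.utc)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Inactive", "CreateDate": datetime(2018, 1, 1, tzinfo=timezone.utc)},
]
# Constructed: user -> number of enrolled MFA devices, as iam.list_mfa_devices
# would report per user.
SAMPLE_MFA = {"alice": 1, "bob": 0, "carol": 0}
# Fixed reference time so the results below are reproducible.
NOW = datetime(2019, 10, 1, tzinfo=timezone.utc)

def stale_active_keys(keys, now=NOW, max_age_days=90):
    """(user, key id, age in days) for active keys older than the rotation limit.
    Inactive keys are skipped here: they cannot be used, but should be deleted."""
    limit = timedelta(days=max_age_days)
    return [(k["UserName"], k["AccessKeyId"], (now - k["CreateDate"]).days)
            for k in keys
            if k["Status"] == "Active" and now - k["CreateDate"] > limit]

def users_without_mfa(mfa_counts):
    """Users with no MFA device enrolled, sorted for stable output."""
    return sorted(user for user, count in mfa_counts.items() if count == 0)

def audit(keys=SAMPLE_KEYS, mfa_counts=SAMPLE_MFA, now=NOW):
    """One finding per violation of the two controls the text recommends."""
    findings = []
    for user, key_id, age in stale_active_keys(keys, now):
        findings.append(f"{user}: access key {key_id} is {age} days old, rotate it")
    for user in users_without_mfa(mfa_counts):
        findings.append(f"{user}: no MFA device enrolled")
    return findings

if __name__ == "__main__":
    for line in audit():
        print(line)
```

In a real account the two sample structures would be filled from boto3's `list_access_keys` and `list_mfa_devices` responses for each user.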

  3. Utilize tools offered by AWS

    There is often a lack of security visibility in cloud infrastructure due to a significant number of applications, logins and activities happening at all times. It can be very challenging to ascertain who is accessing what and where.

    AWS provides security services, such as CloudTrail, that customers can use to log and monitor user activity. When attackers get into your company's systems, they may try to delete or alter the logs in CloudTrail to cover their tracks. To make sure you can quickly tell whether unauthorized access has occurred, enable log file validation so you can detect whether a delivered log file was modified or deleted, turn on access logging for the bucket that stores the trail to track who requested the logs, and use multi-factor authentication for the users who can administer the trail.
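An added example, not code from the post or from AWS, showing what CloudTrail log file validation catches: a simplified digest of SHA-256 hashes is built for two constructed log objects, then checked again after one object is deleted and the other edited. The digest layout is a reduced stand-in for the real CloudTrail digest file, and the signature and chaining steps are omitted.

```python
import gzip
import hashlib

# Constructed sample: two gzipped CloudTrail log objects as they would sit in
# the trail's S3 bucket (object key -> bytes). Account id and records are made up.
KEY_A = "AWSLogs/111122223333/CloudTrail/us-east-1/2019/10/01/a.json.gz"
KEY_B = "AWSLogs/111122223333/CloudTrail/us-east-1/2019/10/01/b.json.gz"
LOG_OBJECTS = {
    KEY_A: gzip.compress(b'{"Records":[{"eventName":"ConsoleLogin"}]}'),
    KEY_B: gzip.compress(b'{"Records":[{"eventName":"DeleteTrail"}]}'),
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_digest(objects, bucket="example-trail-bucket"):
    """Simplified stand-in for the digest file CloudTrail writes when validation
    is on: one entry per delivered log file with the SHA-256 of the gzipped
    object. The real digest is also signed and chained to the previous digest."""
    return {"digestS3Bucket": bucket, "logFiles": [
        {"s3Bucket": bucket, "s3Object": key, "hashAlgorithm": "SHA-256",
         "hashValue": sha256_hex(data)} for key, data in sorted(objects.items())]}

def validate_logs(digest, objects):
    """Recompute each hash named in the digest against what the bucket holds now.
    Returns {key: "valid" | "modified" | "missing"}, the per-file checks that
    CloudTrail's own log file validation performs."""
    result = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if key not in objects:
            result[key] = "missing"
        elif sha256_hex(objects[key]) != entry["hashValue"]:
            result[key] = "modified"
        else:
            result[key] = "valid"
    return result

def tampered_copy(objects):
    """Constructed tampering for the demo: one log file deleted outright, the
    DeleteTrail record scrubbed from the other."""
    tampered = dict(objects)
    del tampered[KEY_A]
    tampered[KEY_B] = gzip.compress(b'{"Records":[]}')
    return tampered

def demo():
    digest = build_digest(LOG_OBJECTS)  # digest computed at delivery time
    return validate_logs(digest, tampered_copy(LOG_OBJECTS))
```

Against a real trail the same comparison is done for you by `aws cloudtrail validate-logs`, which also verifies the digest signatures that this example leaves out.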

  4. Protect custom applications

    IT security teams should participate in the development phase of custom applications to ensure end-user security. When working with apps, we recommend that you limit user privileges to prevent unrestricted access and enforce consistent data loss prevention policies across all applications and cloud services.

    Additionally, inventory and prioritize your custom applications so the security team can quickly identify possible weaknesses and determine which security controls should be used to protect them. Don't forget, highly sensitive data — such as protected health information and personally identifiable information — should always be encrypted.

  5. Enlist a service to help

    Though these cloud service vulnerabilities will vary from business to business, there are many ways for companies to secure their customer's data and protect themselves from the implications of the New York SHIELD Act. AWS is a dominant cloud partner to many of the biggest companies, and if you follow our tips outlined above, you can take advantage of the many benefits the cloud has to offer.

    Cloud Shield Pro will help you maintain a secure and healthy cloud by discovering suspicious activity and stopping damaging incidents and breaches.