The GDPR has been law since 2016 and has been enforced since mid-2018. California has the CCPA in law, but it is not yet being enforced. In any case, it’s 2020 and we have lots of tools and knowledge about securing systems. We aren’t perfect, and certainly Microsoft isn’t, but we should be avoiding simple mistakes.
Those of us in the US, or outside CA, might be less worried, but if you’re in the EU, you should be concerned. Here is a mistake by Virgin Media, with data exposed for months. Someone configured a database, likely set it up for remote access, and didn’t do a good job.
It does start to feel that every organization ought to have some sort of security smoke test that checks for exposed databases in its networks. Perhaps we even ought to have this for all subscriptions with vendors that host services for us in the cloud. That might work for IT people, but what about shadow IT, or the average person who just wants to share data with co-workers?
No one ought to be able to configure a file share, an S3 bucket, Azure BLOB Storage, or anything similar just by clicking in some sort of control panel. Honestly, I get that vendors want to make things easy, but we need security over data in all organizations. There ought to be a “configured” click-to-share button that runs a series of scripts to ensure we have secure controls over the resource. File shares might be hard, but for databases, there’s no excuse.
I do know that for some people, it’s a pain when they can’t create databases. I regularly deal with customers who have this restriction on developers, and it’s problematic. However, we need better security, and really, we need less real data being shared so widely. As an industry, we need better dev data sets, and we need better security protocols over any production data.