November 14, 2024 at 08:09AM
Misconfigured access controls in Microsoft Power Pages are exposing millions of sensitive records online, as many sites fail to implement necessary security measures. This widespread issue affects various industries, allowing unauthorized access to personal data, including that of 1.1 million NHS employees. Awareness exists, but negligence persists among developers.
### Meeting Takeaways:
1. **Overview of Power Pages**:
– Microsoft Power Pages, launched in 2022, is a low-code website-building platform aimed at creating externally facing sites such as employee portals and event management sites.
2. **Security Vulnerability**:
– A significant number of sensitive records and personal data are exposed on the internet due to misconfigured access controls within Power Pages.
– A study conducted by Aaron Costello found 5 million to 7 million exposed records, revealing notable security gaps among organizations with cybersecurity disclosure policies.
3. **Access Control Issues**:
– Power Pages offers different levels of access control (site-level, table-level, and column-level), but many sites are failing to implement these correctly.
– Many sites provide excessive access to users, leading to the exposure of confidential data. Some sites grant global access to anonymous users or allow anyone to register and access restricted information.
4. **Real-World Example**:
– A breach involving a large business service provider leaked personal information of 1.1 million employees of the UK’s National Health Service, including sensitive details like phone numbers and addresses.
5. **Industry-Wide Concern**:
– The issues observed with Power Pages are not unique; similar vulnerabilities have been reported in other SaaS platforms like Salesforce and ServiceNow. The root issue is often a misunderstanding of access controls rather than flaws in the software itself.
6. **User Awareness and Technical Competence**:
– Although Microsoft issues warning banners for misconfigured data access, organizations frequently ignore these alerts.
– The nature of low-code platforms attracts less technical users, potentially leading to greater misconfigurations due to a lack of understanding of necessary access controls.
7. **Call to Action**:
– Organizations using Power Pages must improve their understanding and implementation of access controls to protect sensitive data and prevent exposure.
8. **Upcoming Event**:
– Notification about the Dark Reading Virtual Event on November 14 focusing on cybersecurity threats and incident response strategies.
### Recommendations:
– Organizations should conduct a thorough review of their Power Pages configurations and access controls.
– Invest in training for team members using low-code platforms to enhance their understanding of cybersecurity best practices.
– Regularly audit and test security measures to ensure compliance and safeguard sensitive information.
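The access-control review called for above (item 3 and the first recommendation) can be partly automated. The script below is an added example, not code from the article or from Microsoft: it assumes a simplified, constructed export of table permissions (table, scope, privileges, assigned web roles, and the columns readable under the permission) and flags Global-scope grants to the built-in Anonymous Users role, or to Authenticated Users when self-registration is open. Real Dataverse exports use other field names; map them before use.

```python
from dataclasses import dataclass

ANONYMOUS = "Anonymous Users"          # built-in Power Pages web role
AUTHENTICATED = "Authenticated Users"  # built-in role for signed-in users
# Constructed list of column names this audit treats as personal data.
SENSITIVE = {"phone", "email", "address", "nationalid", "dateofbirth"}


@dataclass(frozen=True)
class TablePermission:
    table: str
    scope: str             # "Global", "Contact", "Account" or "Self"
    privileges: frozenset  # e.g. {"Read", "Write", "Delete"}
    roles: frozenset       # web roles the permission is assigned to
    columns: frozenset     # columns readable under this permission


def audit(perms, open_registration):
    """Return (severity, table, reason) for every over-broad grant."""
    findings = []
    for p in perms:
        if p.scope != "Global":
            continue  # Contact/Account/Self scopes limit rows to the user's own records
        pii = sorted(p.columns & SENSITIVE)
        if ANONYMOUS in p.roles:
            if p.privileges - {"Read"}:
                findings.append(("CRITICAL", p.table, "anonymous users can modify rows"))
            if pii:
                findings.append(("CRITICAL", p.table, f"anonymous read of PII columns {pii}"))
            elif "Read" in p.privileges:
                findings.append(("LOW", p.table, "anonymous global read; confirm the data is public"))
        elif AUTHENTICATED in p.roles and open_registration and pii:
            findings.append(("HIGH", p.table, f"any self-registered user can read PII columns {pii}"))
    return findings


# Constructed sample export (hypothetical site), not real data.
SAMPLE = [
    TablePermission("contact", "Global", frozenset({"Read"}), frozenset({ANONYMOUS}),
                    frozenset({"fullname", "phone", "address"})),
    TablePermission("event", "Global", frozenset({"Read"}), frozenset({ANONYMOUS}),
                    frozenset({"name", "startdate"})),
    TablePermission("employee", "Global", frozenset({"Read"}), frozenset({AUTHENTICATED}),
                    frozenset({"fullname", "email"})),
    TablePermission("case", "Contact", frozenset({"Read", "Write"}), frozenset({AUTHENTICATED}),
                    frozenset({"title", "email"})),
]

if __name__ == "__main__":
    for severity, table, reason in audit(SAMPLE, open_registration=True):
        print(f"{severity:8} {table:10} {reason}")
```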