Organizations are increasingly using cloud services to meet their operational needs, but most aren’t doing enough to safeguard their cloud-based assets. Several studies reveal that highly preventable configuration errors are triggering an inordinate number of security and compliance incidents, yet few organizations actively work to identify and correct them.
According to McAfee’s Cloud Adoption and Risk Report for 2019, organizations using Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS) solutions have 14 misconfigured instances on average running at any given time, resulting in an average of 2,269 misconfiguration incidents per month. A separate study by the security firm Threat Stack reports that roughly three-quarters of all companies on AWS are suffering from some form of cloud misconfiguration that impacts security.
Common misconfigurations include weak or default passwords, encryption left disabled, inadequate access restrictions and mismanaged permission controls, many of which result from human error and a lack of policy awareness. Another way users introduce vulnerabilities is by trying to personalize their cloud experience with plug-ins or setting changes that aren't recorded, tracked or approved. Over time these ad-hoc changes cause what's known as "configuration drift": a state in which running resources no longer match their intended or documented configuration, which creates management, availability and security problems.
Such errors create a direct threat to an organization's data. In 2018, for example, a Los Angeles nonprofit organization exposed about 3.5 million records containing personally identifiable information in an AWS S3 bucket that was configured for public access and was not encrypted. (S3 buckets are not "password protected" in the usual sense; access is governed by the bucket's ACL and bucket policy, and a bucket becomes world-readable when either of those grants read access to everyone.) According to the McAfee study, more than 5 percent of all AWS S3 buckets in use today are misconfigured to be publicly readable.
Part of the problem is that cloud usage often creates a sense of complacency. Users assume that the cloud providers' security measures somehow relieve them of any responsibility for data protection. Under the shared responsibility model that the major providers publish, the provider secures the underlying infrastructure, while the customer remains responsible for how each service is configured and for the data placed in it. Forrester Research analysts say that companies rarely protect cloud data with anywhere near the care they use with on-premises data.
The critical first step is to recognize that configuration is part of effective cloud security. The best security systems in the world cannot protect data that can easily be accessed by anyone with a browser. Organizations should also understand that cloud configuration is complex and provide IT personnel with the training they need to do it correctly.
Another issue is that many organizations simply can’t keep track of all the cloud resources they are running and how they’re configured. According to the McAfee report, the average number of cloud services in use per company grew from 1,682 to 1,935 over the past year. However, most organizations think they’re only using about 30.
With so many cloud assets available to so many users, keeping track of configuration changes is an overwhelming task. Until recently, most organizations that did try to audit their cloud infrastructure relied upon checklists, spreadsheets and manual reviews. Today, organizations can automate the process: infrastructure-as-code templates and scripts create and configure resources consistently from a declared baseline, and configuration management or cloud security posture tools compare the running state against that baseline so that drift is detected when it happens rather than discovered after a breach.
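The following Python script is an added example, not code from the original article or from any of the vendors it cites. It shows what an automated audit of the kind just described looks like for the S3 incident discussed earlier: it checks each bucket for the two misconfigurations the article singles out (public readability, via ACL or bucket policy, and missing default encryption) and then diffs the bucket against a declared baseline to report configuration drift. The bucket descriptions and bucket names are constructed for the example; in practice they would be filled from the AWS API (boto3 calls such as `get_bucket_acl`, `get_bucket_policy`, `get_public_access_block` and `get_bucket_encryption`), which is omitted here so the script runs offline.

```python
"""Offline S3 misconfiguration and drift audit (added example; sample data is constructed)."""
import json

# Grantee URIs that make an ACL grant "public": AllUsers is anyone on the
# internet, AuthenticatedUsers is any AWS account in the world.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def policy_grants_public_read(policy_json):
    """True if an Allow statement grants s3:GetObject (or a wildcard action) to
    Principal "*". Conditions are deliberately not evaluated: a conditioned
    wildcard grant is still flagged so a human reviews it."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be unwrapped
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if isinstance(principal, dict):       # {"AWS": "*"} is equivalent to "*"
            principal = principal.get("AWS")
        is_anyone = ("*" in principal) if isinstance(principal, list) else (principal == "*")
        if not is_anyone:
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a.lower() in ("s3:getobject", "s3:get*", "s3:*", "*") for a in actions):
            return True
    return False


def acl_grants_public_read(grants):
    """True if an ACL grant gives READ or FULL_CONTROL to a public group."""
    return any(
        g.get("Grantee", {}).get("Type") == "Group"
        and g.get("Grantee", {}).get("URI") in PUBLIC_GROUP_URIS
        and g.get("Permission") in READ_PERMISSIONS
        for g in grants
    )


def audit_bucket(bucket):
    """Return a list of finding strings for one bucket description."""
    findings = []
    pab = bucket.get("public_access_block", {})
    # Public Access Block neutralises public ACLs (IgnorePublicAcls) and public
    # policies (RestrictPublicBuckets) even while they are still attached.
    if acl_grants_public_read(bucket.get("acl_grants", [])) and not pab.get("IgnorePublicAcls"):
        findings.append("public read via ACL")
    if policy_grants_public_read(bucket.get("policy")) and not pab.get("RestrictPublicBuckets"):
        findings.append("public read via bucket policy")
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("public access block not fully enabled")
    if bucket.get("sse_algorithm") not in ("AES256", "aws:kms"):
        findings.append("default encryption disabled")
    return findings


# Declared baseline: what the provisioning script is supposed to have set.
BASELINE = {
    "sse_algorithm": "aws:kms",
    "versioning": "Enabled",
    "public_access_block": {k: True for k in PAB_KEYS},
}


def detect_drift(bucket, baseline=BASELINE):
    """Return {setting: (expected, observed)} for every setting that has drifted."""
    return {k: (v, bucket.get(k)) for k, v in baseline.items() if bucket.get(k) != v}


# Constructed sample data (hypothetical bucket names, not real buckets).
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::donor-records/*"}],
})
SAMPLE_BUCKETS = {
    # Mirrors the incident in the article: world-readable, unencrypted, no Public Access Block.
    "donor-records": {
        "acl_grants": [{"Grantee": {"Type": "Group",
                                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}],
        "policy": PUBLIC_READ_POLICY, "public_access_block": {},
        "sse_algorithm": None, "versioning": "Suspended",
    },
    # Same public policy still attached, but Public Access Block makes it inert;
    # it has drifted from the baseline only in its encryption algorithm.
    "archive": {
        "acl_grants": [], "policy": PUBLIC_READ_POLICY,
        "public_access_block": {k: True for k in PAB_KEYS},
        "sse_algorithm": "AES256", "versioning": "Enabled",
    },
    "hardened": {
        "acl_grants": [], "policy": None,
        "public_access_block": {k: True for k in PAB_KEYS},
        "sse_algorithm": "aws:kms", "versioning": "Enabled",
    },
}


def audit_all(buckets=SAMPLE_BUCKETS):
    """Audit every bucket; returns {bucket_name: [findings]}."""
    return {name: audit_bucket(b) for name, b in buckets.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {findings or 'OK'}")
        drift = detect_drift(SAMPLE_BUCKETS[name])
        if drift:
            print(f"  drift from baseline: {drift}")
```

Two design points are worth noting. The policy check treats `{"AWS": "*"}` and a bare `"*"` principal identically, because S3 does, and it ignores `Condition` blocks on purpose: a conditioned wildcard grant is rarely intended and should be reviewed rather than silently accepted. The Public Access Block settings are evaluated separately from the ACL and policy because they override them; the `archive` bucket shows why an audit that only reads the policy would report a false positive, while an audit that only reads the block settings would miss the stale public policy that becomes live the moment someone relaxes them.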
Organizations of all sizes are increasingly dependent upon cloud services and applications to run their operations. However, many overestimate the data governance capabilities of cloud providers and are not adequately addressing misconfigurations that leave them vulnerable to data breaches. It is imperative to provide IT teams with the training and tools they need to effectively manage cloud configurations.