natali_mis - stock.adobe.com
The recent Capital One data breach affecting 100 million customer accounts was blamed on a cloud server misconfiguration, which is among several common problems, a survey reveals.
A study from security firm Tripwire found that 84% of organisations find maintaining security configurations across cloud services “difficult” – out of those, 17% said it was “very difficult”, and 75% fear that it is “easy” to expose data accidentally through the cloud.
The study, based on a poll of 150 security professionals attending Black Hat Las Vegas 2019, also revealed that only just over half (54%) said they had configuration management in place for the cloud.
Less than half (49%) said they had file integrity monitoring (FIM) capabilities enabled for the cloud to alert to inadvertent exposure of cloud data to the public.
Another similar survey shows that while 42% of organisations say they are concerned about cloud security and 37% of those polled had already experienced a cyber attack on their cloud systems, 27% do not know how quickly they could tell if their cloud data had been compromised and only 19% carry out security testing on their cloud environment only once a year, while 11% never run any security testing.
The Tripwire survey shows that organisations are typically faced with managing a complex, mixed environment. More than three-quarters (77%) of professionals said that their organisation had more than 10% of their workloads in the cloud, 49% have more than half of their organisation’s data/workload in the cloud, and 13% said that more than three-quarters of their organisation’s data/workload resided the cloud.
Although the shared responsibility model dictates that the cloud provider and cloud user is accountable for different aspects of security and must work together to ensure full coverage, the survey reveals that, for many organisations, the exact nature of these responsibilities is unclear.
Only 27% said the responsibilities were “very clear”, while 28% said the model was “not clear” and the majority (45%) said the model was only “somewhat clear.”
“While cloud providers may take responsibility for securing their infrastructure, moving to the cloud doesn’t absolve you from the responsibility of protecting your own data,” said Tim Erlin, vice-president of product management and strategy at Tripwire.
“The cloud doesn’t magically protect the data and systems that you put in there. There’s a new incident reported every few weeks that stresses the need to extend basic security controls to cloud environments.
“Organisations need to ensure they’re implementing critical security controls regardless of where the systems reside,” he added.
According to Tripwire, it is important for organisations using cloud-based services to keep track of the attack surface, minimise it with secure configuration and vulnerability management, and monitor it for changes.
Read more about cloud security
- More than a third of organisations report a cyber attack on the cloud environment due to a lack of basic cloud security hygiene.
- Digging into the cloud security arguments of the Capital One data breach.
- Despite accelerated adoption of public cloud services by companies keen to benefit from increased efficiency, scalability and agility, most security professionals have reservations.
- Transitioning to cloud-based services offers businesses an opportunity to improve security capabilities.
- Digital Darwinism unkind to those who wait, says Palo Alto Networks.