Enterprises exposed to data loss by cloud configuration errors
Only 1% of misconfigured cloud environments are spotted and attackers are capitalising on this, claims McAfee
Almost every single misconfiguration incident (99%) that occurs in a public cloud environment is missed, according to new statistics from McAfee, exposing enterprises and other organisations to a hugely increased risk of undetected data breaches, and the risks and penalties that accompany them.
In its Cloud native: The infrastructure-as-a-service adoption and risk report, McAfee says enterprises are massively under-reporting misconfiguration incidents in infrastructure-as-a-service (IaaS) environments. The 1,000 businesses surveyed by McAfee claimed they averaged 37 IaaS misconfiguration incidents a month, but the actual figure was more like 3,500.
A full 90% of respondents to the study had experienced some kind of IaaS security issue, yet security practitioners were twice as likely as C-suite leadership to believe they had not. McAfee suggested that the speed and popularity of cloud adoption was leaving security professionals behind, without access to the tools they need to prevent IaaS-related breaches, even though their bosses were well aware of the potential for greater risk.
This trend is exemplified in the recent breach of a misconfigured AWS S3 bucket belonging to an Ecuadorian data analytics firm, which resulted in the compromise of personal data relating to virtually every citizen of the South American country, including activist Julian Assange.
“In the rush toward IaaS adoption, many organisations overlook the shared responsibility model for the cloud and assume that security is taken care of completely by the cloud provider,” said Rajiv Gupta, McAfee’s senior vice-president of cloud security.
“However, the security of what customers put in the cloud, most importantly sensitive data, is their responsibility. To defend against the new era of cloud-native breaches, organisations need to use security tools that are cloud-native, purpose-built for cloud security and address their portion of the shared responsibility model.”
With IaaS deployments the fastest-growing area of the cloud thanks to speed, cost and reliability benefits, the fact that awareness of this common entry point for new cloud-native breaches (CNBs) is so low is a concern, said McAfee.
The firm said CISOs first need to be aware that CNBs don’t look like a typical malware attack – they land by exploiting configuration errors and native features of cloud infrastructure, from where they can easily expand to adjacent instances and steal sensitive data.
CISOs then need to take steps to check up on IaaS-native issues, such as continuous audits of their deployments, both to catch any initial configuration slip-ups and, more importantly, others that may creep in over time. In the survey, only 26% of security professionals said they had access to auditing tools.
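The continuous audit described above can be a small scheduled check rather than a product purchase. The following is an added example, not code from the article or from McAfee: it inspects S3 bucket configurations for the three settings that most often turn a bucket into a public data exposure of the kind the Ecuador incident involved (a public-read ACL, a bucket policy granting access to an anonymous principal, and an incomplete public access block). The input dictionaries are constructed for the example and are shaped like the responses the AWS API returns for bucket ACLs, policies and public access blocks; bucket names, the `vpce-EXAMPLE` endpoint id and `EXAMPLE-OWNER-ID` are placeholders. No live API call is made.

```python
import json
from typing import Any, Dict, List, Optional

# ACL grantee groups that make a bucket readable beyond the owning account.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# All four flags must be set for an S3 public access block to be effective.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value: Any) -> List[Any]:
    """Policy documents allow either a single value or a list in most fields."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal: Any) -> bool:
    """True for the wildcard principal forms "*" and {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy_json: Optional[str]) -> List[str]:
    """Flag Allow statements granted to everyone; note when a Condition narrows them."""
    findings: List[str] = []
    if not policy_json:
        return findings
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        qualifier = " (narrowed by a Condition; review it)" if "Condition" in stmt else ""
        findings.append(f"policy allows anonymous {actions}{qualifier}")
    return findings


def acl_findings(grants: List[Dict[str, Any]]) -> List[str]:
    """Flag any ACL grant to the AllUsers or AuthenticatedUsers groups."""
    findings: List[str] = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"acl grants {grant.get('Permission')} to {group}")
    return findings


def public_access_block_findings(pab: Dict[str, bool]) -> List[str]:
    """A missing or partial public access block is itself a finding."""
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag, False)]
    return [f"public access block incomplete: {', '.join(missing)} not set"] if missing else []


def audit_bucket(cfg: Dict[str, Any]) -> List[str]:
    return (acl_findings(cfg.get("acl_grants", []))
            + policy_findings(cfg.get("policy"))
            + public_access_block_findings(cfg.get("public_access_block", {})))


def audit_all(buckets: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Return only buckets with findings, so a scheduled run can alert on a non-empty result."""
    return {name: f for name, cfg in buckets.items() if (f := audit_bucket(cfg))}


# Constructed sample inventory (not real buckets), one per outcome the audit distinguishes.
SAMPLE_BUCKETS = {
    # Wide open: public-read ACL, anonymous GetObject policy, no public access block.
    "analytics-export": {
        "acl_grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}],
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::analytics-export/*"}]}),
        "public_access_block": {},
    },
    # Anonymous principal narrowed to a VPC endpoint by a Condition; still worth a reviewer's look.
    "partner-drop": {
        "acl_grants": [],
        "policy": json.dumps({"Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": "*", "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}),
        "public_access_block": {flag: True for flag in PAB_FLAGS},
    },
    # Locked down: owner-only ACL, no policy, full public access block.
    "finance-backups": {
        "acl_grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"}],
        "policy": None,
        "public_access_block": {flag: True for flag in PAB_FLAGS},
    },
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_BUCKETS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run on a schedule against the real inventory, the check catches both the initial slip (a bucket created public) and the drift the article warns about (a policy edited later to add a wildcard principal), because it evaluates current state rather than the state at provisioning time. Treating a missing public access block as a finding in its own right matters: it is the account-level guard rail that makes the other two mistakes harmless.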
The report also acknowledged that keeping track of security incidents in IaaS was becoming harder precisely because of the ease of spinning up new infrastructure, and a tendency to use multiple cloud environments within one business – Amazon Web Services, Microsoft Azure, and so on.
More than three-quarters of businesses say they use multiple public clouds, but McAfee’s statistics suggest that 92% do. The firm said IaaS was starting to look like “the new shadow IT”.
It warned that more data breaches would go under the radar if the gaps between perception and reality, and the miscommunication between security pros and CIOs, continued to go unaddressed.