Cost of cloud misconfigurations set at $5tn

The cost of cloud misconfiguration to enterprises has been set at $5tn (£3.85tn or €4.6tn) worldwide over the past two years, with 33.4 billion records exposed during 2018 and 2019 – up 80%. The statistics were revealed by Virginia, US-based DivvyCloud, a supplier of security and compliance automation for cloud and container environments.

In its 2020 Cloud misconfigurations report, DivvyCloud laid bare the financial and human cost of data leaks and exposure, and said the upward trend would inevitably persist as businesses adopt cloud services rapidly but fail to implement even basic security controls, even though the likes of Amazon Web Services (AWS) make it very easy to do so.

“Data breaches caused by cloud misconfigurations have been dominating news headlines in recent years, and the vast majority of these incidents are avoidable,” said Brian Johnson, co-founder and CEO of DivvyCloud.

“We know that more and more companies are adopting public cloud quickly because they need its speed and agility to be competitive and innovative in today’s fast-paced business landscape. The problem is that many of these companies are failing to adopt a holistic approach to security, which opens them up to undue risk. Secure cloud configuration must be a dynamic and continuous process, and it must include automated remediation.”

The report analyses publicly reported data exposure events, leaks and breaches attributed to dodgy cloud installations, suggesting that the true cost may be even higher. It found 81 breaches in 2018 and 115 in 2019, with the most breached companies in the technology industry (41%), healthcare (20%) and government (10%).

DivvyCloud also found that older businesses were more likely to screw up their data security practices in the cloud, with 68% of victims founded before 2010, while businesses founded since 2015 – which are much more likely to have adopted public cloud services from the start rather than migrating from on-premise infrastructure – were far less susceptible, accounting for just 6.6% of breaches.

It also reported that 42% of known affected enterprises had been through a merger or acquisition in the past five years, suggesting that cloud security was an area particularly at risk when disparate IT environments come together.

In terms of services breached, open source data search engine ElasticSearch was the most frequently implicated, with the number of breaches caused by ElasticSearch misconfigurations almost tripling between 2018 and 2019. Notable breaches during that period included the October 2019 breach at Adobe, which saw customer account information, including email addresses and account payment details, exposed, and the January 2019 breach at DIY chain B&Q, which exposed the personal details of people suspected of shoplifting from its stores. In both these cases, data leaked after an ElasticSearch database was left facing the public internet without password protection.

Other frequently compromised services included AWS Simple Storage Service (S3) buckets, which accounted for 16% of recorded data exposure events (down in 2019 from 2018), and MongoDB, which accounted for 12% of incidents.

Anthony Johnson, a former JPMorgan Chase CISO and now managing partner at cyber security consultancy Delve Risk, said in the report’s foreword that the sheer number of breaches was unsettling and frustrating because the underlying causes were rarely complex.

“Having an unprotected server is not an acceptable reason for a breach, nor is any other misconfiguration,” he wrote. “When moving at the speed that technology enables within the cloud, configuration management is key.”

Johnson said enterprises needed to hold themselves to higher standards, and that their negligence was evident in both the number and cost of breaches.

“Perhaps it would be more comforting if there were only a few industries experiencing these issues, but that is not the case,” he said. “This is a widespread problem affecting every industry, and it is something that we need to solve collectively. No industry or company can choose to ignore this problem because it is only gaining more momentum, and it is clearly not going away.”

DivvyCloud said organisations must move towards a continuous control security model and secure configuration enforcement that is constantly monitored and updated, reflecting the dynamic, software-defined nature of the cloud.

Solutions that provide high levels of automation will be essential, it added, particularly in large-scale hybrid cloud infrastructures, where automation can take the headache out of cloud security by giving organisations a framework for what they should be doing in a continuous, real-time process. This will also require cultural change, it said.

“As companies adopt cloud and container environments, they need to simultaneously take control of their cloud security models and fulfil their share of the responsibility if they wish to keep their cloud out of the news,” wrote the report’s authors.