More organisations are putting their sensitive data in the public cloud – so it comes as no surprise that cloud threats, and mistakes in SaaS, IaaS and PaaS implementation are at an all-time high.
That is the key finding from a new report by McAfee, which argues the old bugaboo of shared responsibility continues to kick in and give organisations a kick in the teeth when it comes to cloud security.
The study, the security firm’s latest Cloud Adoption and Risk Report, analysed aggregated and anonymised cloud usage data for more than 30 million users globally. Among the findings were that more than one in five (21%) of all files in the cloud contained sensitive data, while the sharing of sensitive data with a publicly accessible link has gone up 23% year over year.
Organisations have more than 2,200 individual misconfigurations per month in their infrastructure as a service and platform as a service public cloud instances, the report noted. In other words, this means an average of 14 misconfigured instances running at any one time. This makes for interesting reading when compared with findings from Netskope earlier this month, which found a plethora of violations among users’ systems based on the Center for Internet Security (CIS) benchmark. The vast majority of these were related to identity and access management.
Even more worryingly, the report found that 5.5% of AWS S3 buckets analysed were set to ‘world read’ permissions. This, as regular readers of this publication will be more than aware, can essentially be a come-and-steal-my-data plea to nefarious actors. As far back as July last year, AWS was sending emails to customers to ‘promptly review’ their S3 buckets and ensure world read was only for such instances as public websites or publicly downloadable content.
McAfee warned of the risks organisations are taking when it came to IaaS security, which encompasses the aforementioned identity and access, as well as applications, network controls and host infrastructure. As the shared responsibility model notes, providers are responsible for security of the cloud, while customers are responsible for security in the cloud.
Multi-cloud has become de rigueur; while 94% of IaaS and PaaS use is in AWS, more than three quarters (78%) of organisations have both AWS and Azure. Continuous auditing and monitoring of each infrastructure and platform configuration is the only way forward, the report argues.
“Operating in the cloud has become the new normal for organisations – so much so that our employees do not think twice about storing and sharing sensitive data in the cloud,” said Rajiv Gupta, McAfee SVP of cloud security. “Accidental sharing, collaboration errors in SaaS cloud services, configuration errors in IaaS/PaaS cloud services, and threats are all increasing.
“In order to continue to accelerate their business, organisations need a cloud-native and frictionless way to consistently protect their data and defend from threats across the spectrum of SaaS, IaaS and PaaS,” added Gupta.
Writing for this publication in April, Micah Montgomery, cloud services architect at Mosaic451, noted that AWS is highly secure, but only when configured properly – and it is companies’ responsibility to ensure so. Montgomery gave five tips to organisations: know what you are doing; know what data you have; take advantage of the tools available to secure your AWS environment; beware AWS’ complexity; and ask for help if needed.
“In a general IT environment, there is a management console for every area and tool,” wrote Montgomery. “Routers, switches, firewalls, servers, and data storage all have their own, different tools, and each tool has its own management console. Once you add a cloud environment, you add another management console.
“There are already hundreds of ways to screw things up in an on-premises data environment,” added Montgomery. “The cloud adds yet another layer of complexity, and organisations must understand how it will impact their overall cyber security.”
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.