Corporate data at greater risk in the cloud than thought, report warns


Keumars Afifi-Sabet

1 Nov, 2018

Organisations are putting too much faith in cloud service providers’ ability to keep data secure without applying their own controls, researchers claim.

Companies sustain on average 14 misconfigured infrastructure-as-a-service (IaaS) instances at any given time, leading to 2,269 misconfiguration incidents per month, according to a report released this week.

McAfee’s ‘Cloud Adoption & Risk’ paper highlighted several concerning facets of cloud security, including the fact that sensitive corporate and personal data held and shared in the cloud is rising in conjunction with the number of security incidents.

The report found that 21% of files held in the cloud contain sensitive data – a rise from 17% in the past two years. Cloud threats, meanwhile, have risen in tandem – from 20.4 security incidents per month in 2016, to 24.5 in 2017, to 31.3 per month this year.

«As we all take advantage of the cloud, there’s one thing we can’t forget – our data,» the report said. «Even when using a SaaS service we are still responsible for the security of our data in the service and need to ensure it is only accessed appropriately.

«When using an IaaS/PaaS service, we additionally are responsible for the security of our workloads in the service and need to ensure that we are configuring the underlying application and infrastructure components appropriately.»

AWS leading the pack

The report pinpointed Amazon Web Services (AWS) S3 buckets as being culpable in the security gaps of many organisations, with an estimated 5.5% of all S3 buckets in use misconfigured to be publicly readable.

This chimes with findings published earlier this year that showed misconfigured S3 buckets play a significant role in 12,000 terabytes of publicly-exposed sensitive corporate data found online by researchers.

AWS «absolutely leads the pack» in terms of its popularity with organisations, playing host to 94% of all access events – although 78% of organisations use AWS in conjunction with Azure, typically as part of a multi-cloud strategy.

McAfee also stressed the dangers with misconfiguration come down to the data, with organisations deploying data loss prevention (DLP) strategies experiencing 1,527 DLP incidents per month on average.

Among the most common AWS misconfigurations seen are unrestricted outbound access, unused security groups discovered, and S3 bucket encryption not turned on.

‘The perception gap is shocking’

McAfee’s report also highlighted a number of glaring perception gaps with cloud security, including a total lack of awareness over the number of cloud services that employees believe are in use in their organisation.

A previous survey published in April showed that the average response when asked how many cloud services are deployed across an organisation was 31. The security firm’s latest findings show the reality is 1,935, on average.

«The perception gap is shocking,» the report said, «meaning that 98% of cloud services are not known to IT – leading to obvious cloud risk.»

Asked whether they trust their cloud providers to keep data secure, 69% of respondents to the previous survey said they did, while 12% claimed the service provider bears sole responsibility for securing their data.

But «cloud security is a shared responsibility» according to McAfee’s report, «and no cloud provider delivers 100% security (including data loss prevention (DLP), access control, collaboration control, user behaviour analytics (UBA), etc.)».

«It’s likely therefore that organisations are underestimating the risk they are entering by trusting cloud providers without applying their own set of controls,» it continued.

The insider threat

Senior site reliability engineer at IT management firm Claranet Steve Smith said the concerns raised aren’t as hinged on the services themselves, as they are on their users.

«The cloud security challenges highlighted in this report have little to do with the platform itself, but everything to do with the people using it and, in our experience, people are the biggest weakness here,» he said.

He added the major cloud providers, such as AWS, have a series of default settings designed to support configuration, but it’s easy to get things wrong without knowledge as to how to use the platform.

«We’ve seen many AWS configurations that end-user businesses have developed themselves or have worked with partners that don’t have the right experience, and, frankly, the configurations can be all over the place.

«A click of a button or slight configuration change can have a major impact on your security posture, so it’s important to get a firm grip of the access controls and have safeguards in place to catch mistakes before they hit the production environment.»

McAfee’s report revealed the majority of cloud security incidents – 14.8 of the 31.3 experienced on average per month – are insider threats. These may include straightforward but significant mistakes such as sharing a spreadsheet with sensitive personal data, or malicious activity such as a sales employee downloading a full contact list before leaving for a rival firm.

The research found 94.3% of organisations experience at least one such incident per month, which is true for 58.2% of organisations with privileged user threats – such as an administrator accessing data in an executive’s account.

Mitigating cloud risks

The security company issued three core recommendations as to how businesses and organisations can bolster their strategy, including routine audits, understanding where sensitive data is held, and locking down sharing.

Leading IaaS and PaaS configurations, such as AWS, Azure, and Google Cloud Platform are a rapidly-growing alternative to on-prem infrastructure, the report said, and so need to be regularly audited to get ahead of misconfigurations before «they open a major hole» in security outlays.

Some of the most sensitive data, meanwhile, is held on platforms such as Office 365 and Box. McAfee recommended in its report that organisations grasp where their most sensitive data is held in order to reduce exposure to risk, and extending DLP policies.

Controlling how data is shared, moreover, and implementing collaboration restrictions on documents can mitigate the risk of inadvertent exposure – for example by configuring share settings to «anyone with a link», or by sending documents to personal email addresses.