Cloud misconfigurations are no laughing matter. In its “2020 Cloud Misconfigurations Report,” DivvyCloud revealed that 196 separate data breaches involving cloud misconfigurations had cost companies a combined total of approximately $5 trillion between January 1, 2018 and December 31, 2019. Those costs could well be higher still: as reported by ZDNet, 99% of IaaS issues go unreported. Organizations could therefore be leaking data from their cloud environments without knowing it.
This reality raises several questions. Are IT professionals concerned about the security of their employers’ cloud environments against misconfiguration incidents? And what security controls do they have in place to mitigate these risks?
To answer these questions, Tripwire partnered with Dimensional Research to survey 310 professionals who held IT security responsibilities for the public cloud environments at organizations with more than 100 employees. These individuals came from more than a dozen different sectors, and they held various positions of leadership across the Americas, EMEA and APAC. Their responses help to illuminate the digital resilience of organizations’ cloud environments and how IT professionals view their employers’ cloud security posture.
Cloud Security Concerns Underscored by Lack of Technical Controls
Respondents to Tripwire’s survey revealed that they’re specifically worried about their employers’ cloud security. Indeed, 37% of participants indicated that their organization’s risk management capabilities were at least somewhat worse in the cloud than in other parts of its infrastructure. It therefore follows that many IT professionals were concerned about the impact that certain digital threats could have on their employers’ cloud-based assets. Case in point, the vast majority (93%) of respondents said they worried that human error could cause their employers to accidentally expose data hosted in the cloud.
Those findings coincided with a lack of proper cloud security controls at many organizations. For instance, just 21% of respondents informed Dimensional Research that their employer assessed its cloud security posture in real time or near real time. The same proportion (21%) ran weekly assessments, and slightly more (22%) assessed their posture only monthly.
Organizations need real-time visibility into their cloud security posture. Without a dynamic view of their environments, they might not have the means to remediate potential issues before they evolve into security incidents. This could allow digital attackers to target their cloud-based assets and data.
Along these same lines, nearly a quarter (22%) of survey participants admitted that their organizations still relied on manual processes to assess their cloud security posture. The problem with manual assessments is that they are easy to get wrong: a reviewer can simply forget to include an account, a region or a resource type in the evaluation. Security personnel also juggle many competing tasks from one day to the next, so a manual check that nobody owns can go unperformed for weeks. Either gap creates a window of opportunity for malicious actors seeking to gain entry to, and exfiltrate data from, the organization’s cloud environment.
IT professionals told Dimensional Research that additional security challenges could further hamper their employers’ cloud security. These included the following:
- More than three-quarters (76%) of security professionals said it was difficult for their organizations to maintain secure configurations in the cloud.
- Just 22% of survey participants said their organizations maintained continuous compliance with cloud security regulations and standards. Far more than that (58%) admitted that their employers engaged in periodic reviews instead.
- Nearly all (92%) respondents said that their employers would benefit from more automation in their security enforcement. This belief prevailed despite the revelation from 91% of IT professionals that their employers already used some form of automated enforcement in the cloud.
Security Frameworks at Work for Some Respondents’ Employers
Many organizations did have some cloud security measures in place. About half of survey participants told Dimensional Research that their organizations used NIST’s security framework to protect their cloud environments. A slightly lower percentage of survey participants (46%) said that they used the Center for Internet Security (CIS) cloud benchmarks, while just 19% revealed that their organizations leveraged security configuration guidance developed by the Defense Information Systems Agency (DISA).
Even so, adopting a security framework does not by itself remove the ongoing burden of maintaining security in the cloud. Here’s Tim Erlin, Tripwire’s vice president of product management and strategy:
Security teams are dealing with much more complex environments, and it can be extremely difficult to stay on top of the growing cloud footprint without the right strategy and resources. Fortunately, there are well-established frameworks, such as the CIS benchmarks for cloud, which provide prioritized recommendations for securing the cloud. However, the ongoing work of maintaining proper security controls often goes undone or puts too much strain on resources and leads to human error.
Acknowledging that fact, organizations would be wise to automate their cloud account security. They can specifically use solutions like Tripwire Configuration Manager to automate configuration policy enforcement, thereby minimizing human error. These tools should work across multiple cloud environments to provide organizations with comprehensive visibility.
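To make concrete what “automated configuration policy enforcement” against a benchmark actually involves, here is an added example that is not part of Tripwire’s article or of Tripwire Configuration Manager. It takes a constructed snapshot of cloud resources (the field names imitate the shape of AWS security-group and S3 public-access-block API output, but the data is hand-built and the resource names are invented), evaluates it against two CIS-style rules (administrative ports must not be open to the world; every bucket must have a complete public-access block), and then diffs two runs so that newly introduced drift and fixed findings are reported separately. The rule identifiers and the exact benchmark wording are assumptions for illustration, not quotations from the CIS Benchmarks.

```python
"""Minimal continuous cloud-posture assessment: evaluate a configuration
snapshot against CIS-style rules and report drift between runs.
Added example; snapshot data below is constructed, not exported from an account."""
import copy
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Finding:
    rule_id: str     # assumed rule identifiers, not official CIS numbering
    resource: str
    detail: str


# Constructed snapshot. Field names mimic AWS API JSON (simplified); the
# group IDs and bucket names are invented.
SNAPSHOT = {
    "security_groups": [
        {"GroupId": "sg-0a1", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},          # SSH to the world
        {"GroupId": "sg-0b2", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},          # public HTTPS: fine
        {"GroupId": "sg-0c3", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},     # RDP from one office
    ],
    "s3_buckets": [
        {"Name": "prod-logs", "PublicAccessBlock": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
        {"Name": "marketing-assets", "PublicAccessBlock": {
            "BlockPublicAcls": True, "IgnorePublicAcls": False,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": False}},
        {"Name": "legacy-export", "PublicAccessBlock": None},  # never configured
    ],
}

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_world(cidr: str) -> bool:
    """0.0.0.0/0 and ::/0 are the only /0 networks."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _covers_port(perm: dict, port: int) -> bool:
    if perm.get("IpProtocol") == "-1":          # "all traffic" rule
        return True
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def check_admin_ports_open_to_world(snapshot: dict) -> list:
    """CIS-style rule: no security group may allow SSH/RDP ingress from 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in snapshot["security_groups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(_is_world(c) for c in cidrs):
                continue
            for port, name in ADMIN_PORTS.items():
                if _covers_port(perm, port):
                    findings.append(Finding("SG-ADMIN-WORLD", sg["GroupId"],
                                            f"{name} (tcp/{port}) open to the world"))
    return findings


def check_s3_public_access_block(snapshot: dict) -> list:
    """CIS-style rule: every bucket must have all four public-access-block flags set."""
    findings = []
    for bucket in snapshot["s3_buckets"]:
        pab = bucket.get("PublicAccessBlock") or {}      # None == nothing configured
        missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
        if missing:
            findings.append(Finding("S3-PAB", bucket["Name"],
                                    "public access block incomplete: " + ", ".join(missing)))
    return findings


CHECKS = [check_admin_ports_open_to_world, check_s3_public_access_block]


def assess(snapshot: dict) -> list:
    """Run every check; this is what a scheduled or event-driven job would call."""
    findings = []
    for check in CHECKS:
        findings.extend(check(snapshot))
    return sorted(findings)


def diff_findings(previous: list, current: list):
    """Drift report: (newly failing, newly fixed) between two assessment runs."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


# Second constructed snapshot: sg-0a1's SSH rule restricted to one office range.
REMEDIATED = copy.deepcopy(SNAPSHOT)
REMEDIATED["security_groups"][0]["IpPermissions"][0]["IpRanges"] = [{"CidrIp": "203.0.113.0/24"}]

if __name__ == "__main__":
    first = assess(SNAPSHOT)
    for f in first:
        print(f"[{f.rule_id}] {f.resource}: {f.detail}")
    new, fixed = diff_findings(first, assess(REMEDIATED))
    print("new:", [f.resource for f in new], "fixed:", [f.resource for f in fixed])
```

The point of the `diff_findings` step is the one the survey figures make indirectly: a monthly or manual review tells you the current state, whereas a scheduled run that keeps the previous result lets you alert on the moment a group or bucket becomes non-compliant, which is what “real time or near real time” assessment means in practice. In a real deployment the snapshot would come from the provider’s API (for example `describe-security-groups` and `get-public-access-block` on AWS) rather than a literal, and the rule set would be the full benchmark rather than two checks.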
For more detailed findings, please view Tripwire’s survey here.