Cloud misconfigurations represent something that’s plaguing many organizations’ cloud adoption efforts. For example, a 2020 report found that 91% of cloud deployments contained at least one misconfiguration that left organizations exposed to potential digital threats. Those weaknesses contributed to more than 200 data breaches between 2018 and 2020, noted SC Magazine, with those security incidents exposing more than 30 billion records.
Another 2020 report found that misconfigurations were the underlying cause of 196 data breaches during the 2019 calendar year alone. According to that study, those security incidents exposed more than 33 billion records over a two-year period. TechRepublic put the total cost of those security incidents at $5 trillion using 2019 data from the Ponemon Institute.
These findings raise an important question: Are public cloud misconfigurations a concern for organizations in 2021? If so, what are organizations doing to address that worry?
The State of Organizations’ Cloud Insecurity
The Cloud Security Alliance (CSA) explored these questions, among others, in its “State of Cloud Security Concerns, Challenges, and Incidents” report. For this publication, CSA surveyed 1,900 IT and security professionals from December 2020 to January 2021. Their responses helped to illuminate how organizations are handling security issues like misconfigurations.
First, the report revealed that misconfigurations were a concern for many organizations. “Network security” was the most-selected response at 58% when respondents were asked to name their employers’ concerns with adopting the public cloud. Digging a little deeper into finding, the report found that organizations were most worried about sensitive data leakage but also had their cloud deployments’ “configuration and security settings” on their minds.
These security concerns weren’t unfounded. Indeed, 11% of survey participants told CSA that their organization had weathered a cloud-related operational incident in the preceding 12 months. Just 20% said that their employer had definitively not suffered a security incident. Meanwhile, 41% of IT and security professionals said that they were unsure whether a cloud security event had taken place—up from 18% in 2019.
Of those who knew that a security incident had occurred, 22% cited a security misconfiguration as the cause. (This was just behind the most common response of “cloud provider issues” at 26%.) Around that same percentage of respondents went on to tell CSA that it took their organization more than three hours to restore normal business operations following the incident.
Where Organizations Are Struggling with Their Cloud Security
Considering the experience of these incidents, it’s worth looking at organizations’ security postures in the cloud. Tripwire did this with the help of Dimensional Research by conducting a survey between the start of 2018 and the end of 2019. It found that 37% of participants considered their employer’s cloud-based risk management capabilities to be at least somewhat lacking compared to their counterpart measures deployed elsewhere in the network.
CSA’s study supported these findings. At least half of respondents said that they used cloud-native tools (52%) along with orchestration and configuration management solutions (50%) to manage their employers’ security in the cloud. Even so, more than a third (35%) said that they used home-grown scripts, with 29% admitting that they used manual processes.
“The issue with these types of assessments is that security professionals could easily forget to include something in their evaluations,” explained Ray Lapena, head of corporate communications at Tripwire. “Not only that, but these personnel need to juggle many different tasks from one day to the next, and with only 24 hours in a day, cloud security could go unchecked. This would also create a window of opportunity for malicious actors seeking to gain entry to and exfiltrate data from the organization’s cloud environment.”
Compounding this issue is the fact that many organizations hadn’t implemented network security controls in the cloud. Consider the following findings from Tripwire and Dimensional Research:
- Only 21% said that their employer assessed their cloud security posture in real time or near real time.
- Over three-quarters (76%) of respondents indicated that their employers struggled to maintain secure configurations in the cloud.
- Just 22% of survey participants stated that their employers maintained continuous compliance with relevant cloud security standards and regulations.
It’s imperative that organizations have real-time visibility into their cloud security posture. That includes the configurations of their cloud-based assets, as instances of configuration drift can serve as indicators of an ongoing attack. Without knowledge of those changes, organizations can’t proactively defend themselves against malicious activity such as the data exfiltration attempts mentioned above.
On the Need to Minimize Cloud-Based Misconfigurations
The findings discussed above highlight the need for organizations to strengthen their cloud security postures and minimize cloud-based misconfigurations going forward. That’s where Tripwire can help. Its Configuration Manager uses automated enforcement to help customers reduce human error when it comes to enforcing their security policies across their AWS, Azure and/or GCP deployments using a single console. Tripwire’s Configuration Manager then leverages prioritized risk scoring to help security teams address their highest risks first.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
