Cloud misconfigurations are no laughing matter. In its "2020 Cloud Misconfigurations Report," DivvyCloud revealed that 196 separate data breaches involving cloud misconfigurations had cost companies a combined total of approximately $5 trillion between January 1, 2018 and December 31, 2019. The problem is that those costs could be even higher; as reported by ZDNet, 99% of IaaS issues go unreported. Organizations could therefore be leaking data from their cloud environments without their knowledge.

This reality raises several questions. Are IT professionals concerned about the security of their employers’ cloud environments against misconfiguration incidents? And what security controls do they have in place to mitigate these risks?

To answer these questions, Tripwire partnered with Dimensional Research to survey 310 professionals who held IT security responsibilities for the public cloud environments at organizations with more than 100 employees. These individuals came from more than a dozen different sectors, and they held various positions of leadership across the Americas, EMEA and APAC. Their responses help to illuminate the digital resilience of organizations’ cloud environments and how IT professionals view their employers’ cloud security posture.

Cloud Security Concerns Underscored by Lack of Technical Controls

Respondents to Tripwire’s survey revealed that they’re specifically worried about their employers’ cloud security. Indeed, 37% of participants indicated that risk management capabilities in the cloud were at least somewhat worse than in other parts of the organization’s infrastructure. It therefore follows that many IT professionals were concerned about the impact that some digital threats could have on their employers’ cloud-based assets. Case in point, a majority (93%) of individuals expressed their worry that human error could cause their employers to accidentally expose their data hosted in the cloud.

Those findings coincided with a lack of proper cloud security controls at many organizations. For instance, just 21% of respondents informed Dimensional Research that their employer assessed their cloud security posture in real time or near real time. That’s the same rate as for those who implemented weekly assessments, and it was just less than the proportion of IT professionals whose organizations implemented monthly tests, at 22%.

Organizations need real-time visibility into their cloud security posture. Without a dynamic view of their environments, they might not have the means to remediate potential issues before they evolve into security incidents. This could allow digital attackers to target their cloud-based assets and data.

Along these same lines, nearly a quarter (22%) of survey participants admitted that their organizations were stuck using manual processes to assess their cloud security posture. The issue with these types of assessments is that security professionals could easily forget to include something in their evaluations. Not only that, but these personnel need to juggle many different tasks from one day to the next, and with only 24 hours in a day, cloud security could go unchecked. This would also create a window of opportunity for malicious actors seeking to gain entry to and exfiltrate data from the organization’s cloud environment.

IT professionals told Dimensional Research that additional security challenges could further hamper their employers’ cloud security. These included the following:
- More than three-quarters (76%) of security professionals said it was difficult for their organizations to maintain secure configurations in the cloud.
- Just 22% of survey participants said their organizations maintained continuous compliance with cloud security regulations and standards. Far more than that (58%) admitted that their employers engaged in periodic reviews instead.
- Nearly all (92%) respondents said that their employers would benefit from more automation in their security enforcement. This belief prevailed despite the revelation from 91% of IT professionals that their employers already used some form of automated enforcement in the cloud.