In early 2020, the "Verizon Data Breach Investigations Report" noted that the second-most common cause of data breaches behind hacking was errors such as misconfigurations. New research published by Enterprise Management Associates in January showed that IT security practitioners believe errors of the misconfiguration sort are the top risk posed to their organizations' use of cloud services.
The research, "Securing Cloud Assets: How IT Security Pros Grade Their Own Progress," found that among 14 different threats to cloud-based assets, the riskiest perceived threat was data loss or exposure due to misconfigured cloud infrastructure, according to 16% of respondents. Of course, the second-most risky threat to cloud-based assets was data exfiltration by malicious outsiders, at 14%.
It should be no surprise that this risk is a top concern for IT security practitioners. The movement of assets and workloads to the cloud gained real steam with the COVID-19 pandemic, which put digital transformation initiatives on steroids. Big breaches due to customer misconfiguration errors (like the CapitalOne breach in 2019) also get plenty of attention in the press, keeping IT security executives up at night.
Security Teams Appear Conflicted on Cloud Security
Although most IT security teams are well past being the department of no when it comes to cloud initiatives, many are still struggling with how to best secure those cloud-based assets — at least when they are tasked with doing so.
Others believe they are getting a handle on the problem, and the research uncovered plenty of confidence in security organizations' ability to protect assets and workloads in the cloud.
- 90% of respondents said they were either very or extremely confident in their security team's awareness of all cloud usage.
- 87% of respondents were either very or extremely confident in their security team's knowledge of and categorization of all data stored in the cloud.
- 87% said their security teams were either very or extremely knowledgeable of cloud security requirements.
- 94% rated their security team's understanding of the shared responsibility model for cloud security as well or very well.
The research also uncovered a disconnect that raises the question: Is that confidence misplaced? When asked to rate the level of visibility the security team had into their organization's use of specific cloud service types, including software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS), that same level of confidence faltered. For example, when asked to rate the security team's level of visibility into their organization's SaaS usage on a five-point scale, with 1 being the highest level, only 18% gave it a 1 and 27% gave it a 2. Visibility into PaaS and IaaS was rated as only slightly better.
Who Secures What Part of the Cloud?
At the same time, respondents' knowledge of the shared responsibility model was found to be lacking. When asked to indicate whether the customer or cloud provider was responsible for securing a list of seven different elements that make up an IaaS account, around half of respondents gave the wrong answer. Specifically, 63% erroneously indicated that the cloud provider was responsible for securing virtual network connections, 55% erroneously indicated that the cloud provider was responsible for securing applications, and 50% got it wrong when they said the cloud provider was responsible for securing users who were accessing cloud data and applications.
On the other side of the coin, 48% were wrong in thinking that the customer was responsible for securing the cloud provider's physical data center, and 47% thought it was the customer's responsibility to secure the cloud provider's physical data center network. To be fair, not all respondents were directly responsible for securing cloud assets and workloads, but most had a role in the acquisition of cloud security tools.
Translating Theory Into Practice
Clearly, learning how to better secure cloud usage is a work in progress. Understanding in theory how the shared responsibility model works flies out the door in practice when a systems engineer or developer accidentally configures an AWS S3 bucket so that it is open to public access. Much of the confusion stems from the architecturally rich but also complex proprietary platforms used by each cloud provider. One respondent in an open-ended question lamented that to properly secure cloud assets required an expert for each of the cloud services. Good cloud security practices also require closer collaboration between those spinning up new workloads or configuring new cloud accounts, such as developers in the case of IaaS or PaaS, and those responsible for securing their organization's cloud-based assets.
At the same time, IT security teams responsible for securing their organization's cloud usage should also advocate for more and better training of those who will ultimately create those cloud workloads or accounts to ensure they understand how to avoid potentially costly misconfiguration mistakes.