Dark Reading is part of the Informa Tech Division of Informa PLC

3/22/2021
10:00 AM
Paula Musich
Commentary

On the Road to Good Cloud Security: Are We There Yet?

Misconfigured infrastructure is IT pros' top cloud security concern, but they're conflicted on how to address it in practice.

In early 2020, the "Verizon Data Breach Investigations Report" noted that the second-most common cause of data breaches behind hacking was errors such as misconfigurations. New research published by Enterprise Management Associates in January showed that IT security practitioners believe errors of the misconfiguration sort are the top risk posed to their organizations' use of cloud services.

The research, "Securing Cloud Assets: How IT Security Pros Grade Their Own Progress," found that among 14 different threats to cloud-based assets, the riskiest perceived threat was data loss or exposure due to misconfigured cloud infrastructure, according to 16% of respondents. Of course, the second-most risky threat to cloud-based assets was data exfiltration by malicious outsiders, at 14%.

It should be no surprise that this risk is a top concern for IT security practitioners. The movement of assets and workloads to the cloud gained real steam with the COVID-19 pandemic, which put digital transformation initiatives on steroids. Big breaches due to customer misconfiguration errors (like the Capital One breach in 2019) also get plenty of attention in the press, keeping IT security executives up at night.

Security Teams Appear Conflicted on Cloud Security
Although most IT security teams are well past being the department of no when it comes to cloud initiatives, many are still struggling with how to best secure those cloud-based assets — at least when they are tasked with doing so.

Others believe they are getting a handle on the problem, and the research uncovered plenty of confidence in security organizations' ability to protect assets and workloads in the cloud.

  • 90% of respondents said they were either very or extremely confident in their security team's awareness of all cloud usage.
  • 87% of respondents were either very or extremely confident in their security team's knowledge of and categorization of all data stored in the cloud.
  • 87% said their security teams were either very or extremely knowledgeable of cloud security requirements.
  • 94% rated their security team's understanding of the shared responsibility model for cloud security as well or very well.

The research also uncovered a disconnect that raises the question: Is that confidence misplaced? When asked to rate the level of visibility the security team had into their organization's use of specific cloud service types, including software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS), that same level of confidence faltered. For example, when asked to rate the security team's level of visibility into their organization's SaaS usage on a five-point scale, with 1 being the highest level, only 18% gave it a 1 and 27% gave it a 2. Visibility into PaaS and IaaS was rated as only slightly better.

Who Secures What Part of the Cloud?
At the same time, respondents' knowledge of the shared responsibility model was found to be lacking. When asked to indicate whether the customer or cloud provider was responsible for securing a list of seven different elements that make up an IaaS account, around half of respondents gave the wrong answer. Specifically, 63% erroneously indicated that the cloud provider was responsible for securing virtual network connections, 55% erroneously indicated that the cloud provider was responsible for securing applications, and 50% got it wrong when they said the cloud provider was responsible for securing users who were accessing cloud data and applications.

On the other side of the coin, 48% were wrong in thinking that the customer was responsible for securing the cloud provider's physical data center, and 47% thought it was the customer's responsibility to secure the cloud provider's physical data center network. To be fair, not all respondents were directly responsible for securing cloud assets and workloads, but most had a role in the acquisition of cloud security tools.

Translating Theory Into Practice
Clearly, learning how to better secure cloud usage is a work in progress. Understanding in theory how the shared responsibility model works flies out the door in practice when a systems engineer or developer accidentally configures an AWS S3 bucket so that it is open to public access. Much of the confusion stems from the architecturally rich but also complex proprietary platforms used by each cloud provider. One respondent, answering an open-ended question, lamented that properly securing cloud assets required an expert for each of the cloud services. Good cloud security practices also require closer collaboration between those spinning up new workloads or configuring new cloud accounts, such as developers in the case of IaaS or PaaS, and those responsible for securing their organization's cloud-based assets.

At the same time, IT security teams responsible for securing their organization's cloud usage should also advocate for more and better training of those who will ultimately create those cloud workloads or accounts to ensure they understand how to avoid potentially costly misconfiguration mistakes.

Paula brings over 30 years of experience covering the IT security and networking technology markets. She has been an IT security analyst for 10 years, currently as a research director at Enterprise Management Associates. Prior to joining EMA she served as a research director ...