Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Paula Musich
Paula Musich

On the Road to Good Cloud Security: Are We There Yet?

Misconfigured infrastructure is IT pros' top cloud security concern, but they're conflicted on how to address it in practice.

In early 2020, the "Verizon Data Breach Investigations Report" noted that the second-most common cause of data breaches behind hacking was errors such as misconfigurations. New research published by Enterprise Management Associates in January showed that IT security practitioners believe errors of the misconfiguration sort are the top risk posed to their organizations' use of cloud services.

The research, "Securing Cloud Assets: How IT Security Pros Grade Their Own Progress," found that among 14 different threats to cloud-based assets, the riskiest perceived threat was data loss or exposure due to misconfigured cloud infrastructure, according to 16% of respondents. Of course, the second-most risky threat to cloud-based assets was data exfiltration by malicious outsiders, at 14%.

Related Content:

Why Cloud Security Risks Have Shifted to Identities and Entitlements

Special Report: Building an Effective Cybersecurity Incident Response Team

New From The Edge: DDoS's Evolution Doesn't Require a Security Evolution

It should be no surprise that this risk is a top concern for IT security practitioners. The movement of assets and workloads to the cloud gained real steam with the COVID-19 pandemic, which put digital transformation initiatives on steroids. Big breaches due to customer misconfiguration errors (like the CapitalOne breach in 2019) also get plenty of attention in the press, keeping IT security executives up at night.

Security Teams Appear Conflicted on Cloud Security
Although most IT security teams are well past being the department of no when it comes to cloud initiatives, many are still struggling with how to best secure those cloud-based assets — at least when they are tasked with doing so.

Others believe they are getting a handle on the problem, and the research uncovered plenty of confidence in security organizations' ability to protect assets and workloads in the cloud.

  • 90% of respondents said they were either very or extremely confident in their security team's awareness of all cloud usage.
  • 87% of respondents were either very or extremely confident in their security team's knowledge of and categorization of all data stored in the cloud.
  • 87% said their security teams were either very or extremely knowledgeable of cloud security requirements.
  • 94% rated their security team's understanding of the shared responsibility model for cloud security as well or very well.

The research also uncovered a disconnect that raises the question: Is that confidence misplaced? When asked to rate the level of visibility the security team had into their organization's use of specific cloud service types, including software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS), that same level of confidence faltered. For example, when asked to rate the security team's level of visibility into their organization's SaaS usage on a five-point scale, with 1 being the highest level, only 18% gave it a 1 and 27% gave it a 2. Visibility into PaaS and IaaS was rated as only slightly better.

Who Secures What Part of the Cloud?
At the same time, respondents' knowledge of the shared responsibility model was found to be lacking. When asked to indicate whether the customer or cloud provider was responsible for securing a list of seven different elements that make up an IaaS account, around half of respondents gave the wrong answer. Specifically, 63% erroneously indicated that the cloud provider was responsible for securing virtual network connections, 55% erroneously indicated that the cloud provider was responsible for securing applications, and 50% got it wrong when they said the cloud provider was responsible for securing users who were accessing cloud data and applications.

On the other side of the coin, 48% were wrong in thinking that the customer was responsible for securing the cloud provider's physical data center, and 47% thought it was the customer's responsibility to secure the cloud provider's physical data center network. To be fair, not all respondents were directly responsible for securing cloud assets and workloads, but most had a role in the acquisition of cloud security tools.

Translating Theory Into Practice
Clearly, learning how to better secure cloud usage is a work in progress. Understanding in theory how the shared responsibility model works flies out the door in practice when a systems engineer or developer accidentally configures an AWS S3 bucket so that it is open to public access. Much of the confusion stems from the architecturally rich but also complex proprietary platforms used by each cloud provider. One respondent in an open-ended question lamented that to properly secure cloud assets required an expert for each of the cloud services. Good cloud security practices also require closer collaboration between those spinning up new workloads or configuring new cloud accounts, such as developers in the case of IaaS or PaaS, and those responsible for securing their organization's cloud-based assets.

At the same time, IT security teams responsible for securing their organization's cloud usage should also advocate for more and better training of those who will ultimately create those cloud workloads or accounts to ensure they understand how to avoid potentially costly misconfiguration mistakes.

Paula brings over 30 years of experience covering the IT security and networking technology markets. She has been an IT security analyst for 10 years, currently as a research director at Enterprise Management Associates. Prior to joining EMA she served as a research director ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
Improper authorization in handler for custom URL scheme vulnerability in ????????? (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to ...
PUBLISHED: 2021-06-22
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
PUBLISHED: 2021-06-22
Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors.