Dark Reading is part of the Informa Tech Division of Informa PLC


Cloud

3/22/2021
10:00 AM
Paula Musich
Commentary

On the Road to Good Cloud Security: Are We There Yet?

Misconfigured infrastructure is IT pros' top cloud security concern, but they're conflicted on how to address it in practice.

In early 2020, the "Verizon Data Breach Investigations Report" noted that the second-most common cause of data breaches behind hacking was errors such as misconfigurations. New research published by Enterprise Management Associates in January showed that IT security practitioners believe errors of the misconfiguration sort are the top risk posed to their organizations' use of cloud services.

The research, "Securing Cloud Assets: How IT Security Pros Grade Their Own Progress," found that among 14 different threats to cloud-based assets, the riskiest perceived threat was data loss or exposure due to misconfigured cloud infrastructure, according to 16% of respondents. Of course, the second-most risky threat to cloud-based assets was data exfiltration by malicious outsiders, at 14%.

It should be no surprise that this risk is a top concern for IT security practitioners. The movement of assets and workloads to the cloud gained real steam with the COVID-19 pandemic, which put digital transformation initiatives on steroids. Big breaches due to customer misconfiguration errors (like the Capital One breach in 2019) also get plenty of attention in the press, keeping IT security executives up at night.

Security Teams Appear Conflicted on Cloud Security
Although most IT security teams are well past being the department of no when it comes to cloud initiatives, many are still struggling with how to best secure those cloud-based assets — at least when they are tasked with doing so.

Others believe they are getting a handle on the problem, and the research uncovered plenty of confidence in security organizations' ability to protect assets and workloads in the cloud.

  • 90% of respondents said they were either very or extremely confident in their security team's awareness of all cloud usage.
  • 87% of respondents were either very or extremely confident in their security team's knowledge of and categorization of all data stored in the cloud.
  • 87% said their security teams were either very or extremely knowledgeable of cloud security requirements.
  • 94% rated their security team's understanding of the shared responsibility model for cloud security as well or very well.

The research also uncovered a disconnect that raises the question: Is that confidence misplaced? When asked to rate the level of visibility the security team had into their organization's use of specific cloud service types, including software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS), that same level of confidence faltered. For example, when asked to rate the security team's level of visibility into their organization's SaaS usage on a five-point scale, with 1 being the highest level, only 18% gave it a 1 and 27% gave it a 2. Visibility into PaaS and IaaS was rated as only slightly better.

Who Secures What Part of the Cloud?
At the same time, respondents' knowledge of the shared responsibility model was found to be lacking. When asked to indicate whether the customer or cloud provider was responsible for securing a list of seven different elements that make up an IaaS account, around half of respondents gave the wrong answer. Specifically, 63% erroneously indicated that the cloud provider was responsible for securing virtual network connections, 55% erroneously indicated that the cloud provider was responsible for securing applications, and 50% got it wrong when they said the cloud provider was responsible for securing users who were accessing cloud data and applications.

On the other side of the coin, 48% were wrong in thinking that the customer was responsible for securing the cloud provider's physical data center, and 47% thought it was the customer's responsibility to secure the cloud provider's physical data center network. To be fair, not all respondents were directly responsible for securing cloud assets and workloads, but most had a role in the acquisition of cloud security tools.

Translating Theory Into Practice
Clearly, learning how to better secure cloud usage is a work in progress. Understanding in theory how the shared responsibility model works flies out the door in practice when a systems engineer or developer accidentally configures an AWS S3 bucket so that it is open to public access. Much of the confusion stems from the architecturally rich but also complex proprietary platforms used by each cloud provider. One respondent to an open-ended question lamented that properly securing cloud assets required an expert for each of the cloud services. Good cloud security practices also require closer collaboration between those spinning up new workloads or configuring new cloud accounts, such as developers in the case of IaaS or PaaS, and those responsible for securing their organization's cloud-based assets.

At the same time, IT security teams responsible for securing their organization's cloud usage should also advocate for more and better training of those who will ultimately create those cloud workloads or accounts to ensure they understand how to avoid potentially costly misconfiguration mistakes.

Paula brings over 30 years of experience covering the IT security and networking technology markets. She has been an IT security analyst for 10 years, currently as a research director at Enterprise Management Associates. Prior to joining EMA she served as a research director ...
 
