“Through 2023, at least 99% of cloud security failures will be the customer’s fault.” That was one of the Strategic Planning Assumptions in Gartner’s “Magic Quadrant for Cloud Access Security Brokers,” released last week.
It raises the question, “99% of what?” How many cloud security failures are there? According to another report by McAfee that has come out this month: enough.
Virtually all of us are moving our assets to the cloud as quickly as we can. The cost savings, and particularly the backup and security, are superior. We must not forget, however, that there are still security issues we must address to protect our data in the cloud. Here’s why, and some things we can do.
McAfee’s evidence for its findings is based on cloud usage data for more than 30 million McAfee MVISION Cloud users worldwide. Here are some of their key findings:
• 21% of all files in the cloud contain sensitive data, up 17% over the past two years.
• Sharing sensitive data with an open, publicly accessible link has increased by 23% over the past two years.
• Enterprise organizations have an average of 14 misconfigured IaaS/PaaS instances running at one time, resulting in an average of 2,269 individual misconfiguration incidents per month.
• 5.5% of AWS S3 buckets have world read permissions, making them open to the public.
• Threat events in the cloud (i.e., compromised account, privileged user, or insider threat) have increased 27.7% YoY.
• 80% of all organizations experience at least 1 compromised account threat per month.
• 92% of all organizations have stolen cloud credentials for sale on the Dark Web.
• Threats in Office 365 have grown by 63% in the last two years.
What to Do?
The McAfee report generally breaks down the problem into three issues:
• Misconfiguration of cloud installations on IaaS and PaaS services.
• Failure to limit export of sensitive data.
• Poor file sharing practices.
Given this diagnosis, their recommendations are straightforward:
• Audit AWS, Azure, Google Cloud Platform or other IaaS/PaaS configurations.
• Extend data loss prevention (DLP) policies to control what can enter or exit from the cloud services that hold most of your sensitive data.
• Restrict file sharing with risky addresses, such as personal email addresses, and eliminate the option to share to “anyone with a link.”
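One concrete form of the first recommendation, aimed at the world-readable S3 bucket finding above (an added example, not code from the McAfee report or from AWS): a check that flags public read access from a bucket's ACL, bucket policy and public access block settings. The function names, the sample documents and the short list of read actions are assumptions made for illustration; the sample data is constructed in the shape of S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock output.

```python
# S3 predefined groups whose ACL grants expose a bucket beyond its own account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACL_PERMS = {"READ", "FULL_CONTROL"}
# Assumption: common read-granting actions only, not a full IAM wildcard matcher.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in _as_list(aws)

def world_read_findings(acl, policy=None, block=None):
    """Return reasons a bucket is world-readable; an empty list means none found."""
    block = block or {}  # assumed to be the effective public access block settings
    findings = []
    if not block.get("IgnorePublicAcls", False):  # when set, S3 ignores public ACLs
        for grant in acl.get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS and grant.get("Permission") in READ_ACL_PERMS:
                findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    if policy and not block.get("RestrictPublicBuckets", False):
        for stmt in _as_list(policy.get("Statement", [])):
            if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
                continue
            actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
            hits = sorted(actions & READ_ACTIONS)
            if hits:
                note = " (has Condition, review manually)" if stmt.get("Condition") else ""
                findings.append(f"policy allows {', '.join(hits)} to any principal{note}")
    return findings

# Constructed sample documents; the bucket name and owner ID are placeholders.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
               "Permission": "FULL_CONTROL"}]}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
LOCKED = {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for name, args in [("open-acl", (OPEN_ACL,)), ("open-policy", (PRIVATE_ACL, OPEN_POLICY)),
                       ("locked", (OPEN_ACL, OPEN_POLICY, LOCKED))]:
        print(name, world_read_findings(*args) or "no world-read exposure found")
```

In a real audit the three documents would come from the provider's API for every bucket in every account, and any non-empty result would be triaged as a misconfiguration incident.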
Are You an “Over-Truster?”
In their survey, McAfee asked respondents how much they trusted their cloud providers to keep their organization’s data secure. 69% of respondents said that they trusted the cloud providers to keep their data secure. Yet cloud security is a shared responsibility, and no cloud provider delivers 100% security. McAfee therefore believes it is likely that organizations are underestimating the risk they take on by trusting cloud providers without applying their own set of controls.