A staggering 92% of firms are concerned that they are vulnerable to a data breach, according to State Of Cloud Security survey, a study by cloud security firm Fugue.
In addition, 84% are
concerned that they have been hacked and don’t know it, and 76% feel that cloud misconfiguration will increase or remain the same.
Cloud misconfiguration typically is caused
by:
- Lack of awareness of cloud security and policies — 52%
- Lack of adequate controls and oversight — 49%
- Too many APIs and interfaces to
adequately govern — 43%
- Negligent insider behavior — 32%
Among the challenges firms face in managing cloud misconfiguration are:
- Human error
in missing critical misconfiguration — 46%
- Human error when remediating critical misconfigurations — 45%
- Difficulties in training team members on
misconfigurations — 43%
Of the companies polled, 47% spend more than 50 hours a week dealing with cloud misconfiguration, 37% from 10 to 50 hours and 14% spend less than 10
hours.
It may be for this reason that 83% of companies are transitioning to 100% distributed teams.
Fugue co-founder and CTO Josh Stella defines a distributed team as “a team
that isn’t collocated at the same office or facility.”
Stella adds, “Any engineering team that wasn’t already 100% remote faces new challenges when transitioning to
100% remote. These challenges include making sure all devices used to access cloud services are secure, and that all team members are using secure access patterns.”
Mistakes during the
transition “greatly increase the risk of a breach resulting from attackers exploiting the misconfiguration of cloud services,” Stella adds. “And organizations relying on aging,
outdated virtual private network (VPN) technology may be creating large opportunities for bad actors to bypass perimeter security and infiltrate their networks undetected, putting cloud-based data at
risk.”
Indeed, the study shows that 84% worry about security during this shift.
Companies report the following cloud misconfiguration incidents:
- Unauthorized
access to instances or databases — 52%
- System downtime events — 39%
- Compliance violation events — 34%
- Object storage breaches —
32%
The types of cloud misconfigurations include:
- Security group rules (or firewall rules) — 44%
- Identity and access management — 40%
- Encryption at rest disabled (or not enabled) — 36%
This can have an impact on email communications.
“In the age of Slack and video conferencing, your
teams’ response to emails might be a bit slow or even unfamiliar. It’s a good idea to let the teams know what kind of communications are now going to be handled via email, and also to
re-educate them on phishing and other kinds of email attacks via attachments, etc.
Stella continues that eemail “has advantages over other communications methods for things like policy
changes, general announcements to the whole team or company, and long-form compositions. Just make sure people are looking at it, and they know how to avoid the dangers.
Asked what is needed
to address cloud misconfiguration, 95% say automated detection and remediation, 30% cite better visibility into cloud infrastructure and 28% list timely notifications on dangerous misconfiguration and
drift.
Stella concludes, “Cloud security is all about the correct configuration of cloud services, such as virtual servers, networks, and Identity and Access Management (IAM). It also
includes the secure configuration of cloud-based services, such as email management solutions.”
He urges firms to “make sure your email service and team, whether run in-house or
through a service provider, is up to the potential increased volume and security incidents that may result from remote work. Misconfigurations result in compliance violations, data leaks, and
breaches.
Working with Propeller Insights, Fugue surveyed 300 IT, cloud, and security professionals.
These included DevOps engineers, cloud architects, security engineers, site
reliability engineers(SREs), DevSecOps engineers, and application developers.