Most Firms Say They Are Vulnerable To A Data Breach: Study

A staggering 92% of firms are concerned that they are vulnerable to a data breach, according to the State Of Cloud Security survey, a study by cloud security firm Fugue.

In addition, 84% are concerned that they have been hacked and don’t know it, and 76% feel that cloud misconfiguration will increase or remain the same. 

Cloud misconfiguration typically is caused by: 

  • Lack of awareness of cloud security and policies — 52% 
  • Lack of adequate controls and oversight — 49%
  • Too many APIs and interfaces to adequately govern — 43% 
  • Negligent insider behavior — 32%

Among the challenges firms face in managing cloud misconfiguration are:

  • Human error in missing critical misconfiguration — 46%
  • Human error when remediating critical misconfigurations — 45% 
  • Difficulties in training team members on misconfigurations — 43% 

Of the companies polled, 47% spend more than 50 hours a week dealing with cloud misconfiguration, 37% spend from 10 to 50 hours and 14% spend less than 10 hours.

It may be for this reason that 83% of companies are transitioning to 100% distributed teams.

Fugue co-founder and CTO Josh Stella defines a distributed team as “a team that isn’t collocated at the same office or facility.”

Stella adds, “Any engineering team that wasn’t already 100% remote faces new challenges when transitioning to 100% remote. These challenges include making sure all devices used to access cloud services are secure, and that all team members are using secure access patterns.”

Mistakes during the transition “greatly increase the risk of a breach resulting from attackers exploiting the misconfiguration of cloud services,” Stella adds. “And organizations relying on aging, outdated virtual private network (VPN) technology may be creating large opportunities for bad actors to bypass perimeter security and infiltrate their networks undetected, putting cloud-based data at risk.”

Indeed, the study shows that 84% worry about security during this shift.

Companies report the following cloud misconfiguration incidents:

  • Unauthorized access to instances or databases — 52%
  • System downtime events — 39%
  • Compliance violation events — 34% 
  • Object storage breaches — 32% 

The types of cloud misconfigurations include:

  • Security group rules (or firewall rules) — 44%
  • Identity and access management — 40%
  • Encryption at rest disabled (or not enabled) — 36% 

This can have an impact on email communications.

“In the age of Slack and video conferencing, your teams’ response to emails might be a bit slow or even unfamiliar. It’s a good idea to let the teams know what kind of communications are now going to be handled via email, and also to re-educate them on phishing and other kinds of email attacks via attachments, etc.”

Stella continues that email “has advantages over other communications methods for things like policy changes, general announcements to the whole team or company, and long-form compositions. Just make sure people are looking at it, and they know how to avoid the dangers.”

Asked what is needed to address cloud misconfiguration, 95% say automated detection and remediation, 30% cite better visibility into cloud infrastructure and 28% list timely notifications on dangerous misconfiguration and drift.

Stella concludes, “Cloud security is all about the correct configuration of cloud services, such as virtual servers, networks, and Identity and Access Management (IAM). It also includes the secure configuration of cloud-based services, such as email management solutions.”

He urges firms to “make sure your email service and team, whether run in-house or through a service provider, is up to the potential increased volume and security incidents that may result from remote work. Misconfigurations result in compliance violations, data leaks, and breaches.”

Working with Propeller Insights, Fugue surveyed 300 IT, cloud, and security professionals.

These included DevOps engineers, cloud architects, security engineers, site reliability engineers (SREs), DevSecOps engineers, and application developers.

 
