The 2019 'Cloud Adoption and Risk Report' from McAfee has been published, and some of the statistics make for very uncomfortable reading if you are a security professional. While the headline takeaway that 21 percent of files in the cloud contain sensitive data is bad enough, that the number of enterprises sharing this data via an open and publicly accessible link has risen by 23 percent over the last two years is perhaps even more concerning.
With eight percent of all files shared in the cloud containing sensitive data, and enterprises running an average of 14 misconfigured infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) instances at any one time, the picture becomes even less reassuring. Counted as individual misconfiguration incidents rather than instances, that works out at an average of 2,269 per month.
No wonder, then, that 80 percent of all organisations see at least one compromised-account threat every month, and that 92 percent now have stolen credentials being offered for sale on Dark Web markets as a result. Breaking the cloud-based threat activity down further, the average enterprise will experience 12 compromised-account incidents per month (a threat actor using stolen credentials to access cloud data), 14 insider incidents (unintentional mistakes and malicious activity alike) and four privileged-user threats (an administrator changing security settings in a way that unintentionally weakens them).
"Operating in the cloud has become the new normal for organisations, so much so that our employees do not think twice about storing and sharing sensitive data in the cloud," said Rajiv Gupta, senior VP of cloud security business at McAfee.
So just what should enterprises be doing to mitigate this rather obvious and worrying set of cloud security faux pas?
Title: Cloud Adoption and Risk Report 2019
Summary: McAfee identifies the biggest risks to data stored in the cloud
Report type: Research report
Topic: Risk analysis
Description: Based on findings from actual usage data from over 30 million users worldwide, McAfee says it has identified the types of sensitive data stored in cloud services, how that data is shared within organisations and with outside partners and how risky employee behaviour can expose data.
It analysed billions of events in anonymised customers’ production cloud use to assess cloud deployments and uncover risks. It found the sharing of sensitive data in the cloud has increased 53 percent year-on-year. It says those who do not adopt a cloud strategy that includes data loss protection, configuration audits and collaboration controls will endanger their data security while exposing themselves to increased risk of regulatory noncompliance.
While organisations aggressively use the public cloud to create new digital experiences for customers, the average enterprise experiences more than 2,200 misconfiguration incidents per month in their infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) instances.
Stan Christiaens, CTO and co-founder of Collibra, told SC Media UK that for a successful long-term strategy, "setting a robust governance foundation, which in turn will provide consistency and transparency across the business data landscape, must be mandatory".
Alan Calder, founder and executive chairman at IT Governance, points out that much of this sensitive data may also be personal data, so that "if there is a GDPR data breach the absence of a risk assessment or audit is likely to lead to a finding of negligence and fines linked to that level of negligence".
Then there are those AWS S3 storage buckets to think about, AWS being the cloud platform of choice within most enterprises.
McAfee found that 5.5 percent of all S3 storage buckets had world read permissions, leaving their contents open to the public. Enterprises also have, on average, at least one S3 bucket with open write permissions, meaning anyone could upload, overwrite or delete objects in that business environment.
Steve Smith, senior site reliability engineer at Claranet, points out that as far as the security challenges around AWS S3 buckets are concerned, these "have little to do with the platform itself... and everything to do with the people using it, who are the biggest weakness here". Indeed, new S3 buckets are private by default and AWS now offers account-level settings that block public access outright, but Smith says, "It’s very easy to get things wrong if you don’t know how to use the platform."
Although this would require security teams to have visibility of all corporate cloud storage, and users to stop putting work data in personal cloud storage, "continuous and automated monitoring is the only way to avoid misconfigurations and loss of sensitive data," argues Sergio Loureiro, director of cloud solutions at Outpost24.
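What such an automated check looks like for the two S3 conditions McAfee counted, world-readable and world-writable buckets, is shown below as an added example; it is not code from the report or from any of the vendors quoted. It flags ACL grants to the AllUsers and AuthenticatedUsers groups and bucket policies that allow actions to a wildcard principal, working on dictionaries in the shape that boto3's get_bucket_acl and get_bucket_policy responses take. The bucket inventory is constructed inline (names and grants are made up) so the script runs offline; a real collector would fill it from list_buckets and the two calls above.

```python
import json

# Group URIs AWS uses for "everyone" (anonymous) and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone", AUTH_USERS: "any AWS account"}

# At bucket level, READ allows listing objects; WRITE allows creating,
# overwriting and deleting them; FULL_CONTROL implies both.
READ_LIKE = {"READ", "FULL_CONTROL"}
WRITE_LIKE = {"WRITE", "FULL_CONTROL"}


def acl_findings(bucket, acl):
    """Flag grants to the public groups in a bucket ACL.

    `acl` mirrors boto3's s3.get_bucket_acl() response: a dict with a
    "Grants" list of {"Grantee": {"Type": ..., "URI": ...}, "Permission": ...}.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user and e-mail grantees are not public
        who = PUBLIC_GROUPS.get(grantee.get("URI"))
        if who is None:
            continue  # e.g. the LogDelivery group used for access logging
        perm = grant.get("Permission")
        if perm in WRITE_LIKE:
            findings.append(f"{bucket}: ACL lets {who} WRITE (inject/overwrite/delete objects)")
        if perm in READ_LIKE:
            findings.append(f"{bucket}: ACL lets {who} READ (list the bucket)")
    return findings


def _wildcard_principal(principal):
    """True for the Principal forms that mean 'everyone': "*", {"AWS": "*"}, {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(bucket, policy_json):
    """Flag Allow statements with a wildcard principal and no Condition block.

    `policy_json` is the string from get_bucket_policy()["Policy"], or None if
    the bucket has no policy. Statements carrying a Condition are skipped: whether
    a condition really restricts access needs more context than this check has.
    """
    if not policy_json:
        return []
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement need not be a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append(f"{bucket}: policy allows {', '.join(actions)} to Principal *")
    return findings


def _owner_grant():
    return {"Grantee": {"Type": "CanonicalUser", "ID": "deadbeef" * 8}, "Permission": "FULL_CONTROL"}


def _group_grant(uri, perm):
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": perm}


# Constructed sample inventory (hypothetical bucket names and grants) in the
# shape a collector would build from get_bucket_acl and get_bucket_policy.
SAMPLE_INVENTORY = {
    "corp-private-logs": {
        "acl": {"Grants": [_owner_grant(),
                           _group_grant("http://acs.amazonaws.com/groups/s3/LogDelivery", "WRITE")]},
        "policy": None,
    },
    "marketing-static-site": {
        "acl": {"Grants": [_owner_grant(), _group_grant(ALL_USERS, "READ")]},
        "policy": None,
    },
    "partner-upload-dropbox": {
        "acl": {"Grants": [_owner_grant(), _group_grant(AUTH_USERS, "WRITE")]},
        "policy": None,
    },
    "data-exports": {
        "acl": {"Grants": [_owner_grant()]},
        "policy": json.dumps({"Version": "2012-10-17",
                              "Statement": [{"Effect": "Allow", "Principal": "*",
                                             "Action": "s3:GetObject",
                                             "Resource": "arn:aws:s3:::data-exports/*"}]}),
    },
}


def audit(inventory=SAMPLE_INVENTORY):
    """Return {bucket: [findings]} for every bucket in the inventory."""
    return {name: acl_findings(name, b["acl"]) + policy_findings(name, b["policy"])
            for name, b in inventory.items()}


if __name__ == "__main__":
    for bucket, findings in audit().items():
        print(bucket, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

Two caveats when running this against a real account: get_bucket_policy raises a NoSuchBucketPolicy error rather than returning an empty policy when none is attached, so the collector should catch that and pass None; and the check is bucket-level only, so an object with its own public ACL in an otherwise private bucket will not be caught, while a flagged grant may be neutralised by the account- or bucket-level block-public-access settings, which should be read and reported alongside it.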
Misconfigurations are not only occurring at the file level, of course, but also within virtualised images, at the VPC level and even within the playbooks and automations used for provisioning, according to Dave Klein, senior director of engineering and architecture at GuardiCore.
"Utilise solutions that provide seamless visibility, detection and enforcement capabilities across the entire cloud environment," Klein advises.