The State of Cloud Security survey conducted by Fugue Inc. has found that 84 percent of IT professionals are concerned about ensuring the security of cloud environments, as a vast majority of companies rapidly shift to work-from-home as part of the measures taken to keep COVID-19 from spreading. These IT professionals are concerned that their organization has already suffered a major breach that they are not aware of, while 28 percent state that they’ve already suffered a critical cloud data breach that they are aware of.

The survey has also found that 96 percent of cloud engineering teams are now 100 percent distributed and working from home; 83 percent have either made the full transition or are in the process of doing so. 

The biggest concern is over the new security vulnerabilities that will be brought on by the swift adoption of new access policies, networks, and devices used for the remote management of cloud infrastructure.

The fear of cloud misconfiguration

Ninety-two percent of IT professionals are worried that their organization is vulnerable to a major data breach caused by cloud misconfiguration: 47.3 percent are highly concerned and 44.3 percent are somewhat concerned. Thirty-three percent believe that cloud misconfigurations will increase over the next year, and 43 percent believe the rate of misconfiguration will stay the same. Only 24 percent believe cloud misconfigurations will decrease at their respective organizations.

Fugue CEO Phillip Merrick says the survey reveals the following: 

  • Cloud misconfiguration is still the biggest cause of data breaches in the cloud
  • The rapid global shift to 100 percent distributed teams poses new threats to organizations and offers new opportunities to malicious actors

The causes of cloud misconfiguration

The following are the top causes of cloud misconfiguration, according to the survey’s respondents: 

  • Lack of awareness
  • Lack of controls and oversight
  • Too many cloud APIs and interfaces to adequately govern
  • Negligent insider behavior

All teams operating in the cloud have a misconfiguration problem: 73 percent cited more than 10 incidents per day, 36 percent experienced more than 100 per day, and 10 percent suffered more than 500 per day, while 3 percent had no idea what their misconfiguration rate is.

Only 31 percent of teams are using open source policy-as-code tooling to prevent misconfiguration from happening, while 39 percent still rely on manual reviews before deployment.

Meanwhile, respondents cited the following as among the critical misconfiguration events they’ve suffered: 

  • Object storage breaches
  • Unauthorized traffic to a virtual server instance
  • Unauthorized access to database services
  • Overly-broad Identity and Access Management permissions
  • Unauthorized user logins
  • Unauthorized API calls

The study’s respondents also attributed system downtime events and compliance violation events to cloud misconfiguration.

The study also reported the following findings:

  • 73 percent use manual remediation once alerting or log analysis tools identify potential issues. Only 39 percent have put some automated remediation in place. 40 percent of cloud teams conduct manual audits of cloud environments to identify misconfiguration.
  • Reliance on manual approaches to managing cloud misconfiguration introduces additional problems. Among these is human error, both in missing or miscategorizing critical misconfigurations (46 percent) and in remediating them (45 percent).
  • 43 percent cite difficulties in training team members to correctly identify and remediate misconfiguration. 39 percent also face challenges in hiring enough cloud security experts.
  • Other problems teams have encountered include false positives (31 percent) and alert fatigue (27 percent).
  • 55 percent think their ideal MTTR (Mean Time to Remediation—the metric for measuring the effectiveness of cloud misconfiguration management) should be under one hour, with 20 percent saying it should be under 15 minutes. However, 33 percent cited an actual MTTR of up to one day, and 15 percent said their MTTR is between one day and one week. 3 percent said their MTTR is longer than one week.
  • 49 percent of cloud engineering and security teams are devoting more than 50 man-hours per week to managing cloud misconfiguration, with another 20 percent investing more than 100 hours on the problem.

Towards effective and efficient cloud configuration

To be more effective and efficient in managing cloud configuration, the study’s respondents indicated the following as necessary: 

  • Tooling to automatically detect and remediate misconfiguration events
  • Better visibility into cloud infrastructure
  • Timely notifications on dangerous changes (i.e., “drift”) and misconfiguration
  • Improved reporting to help prioritize remediation efforts
