Current cloud security ‘grossly inadequate’, finds report

Attacks capitalizing on a rapid shift to the cloud have been pervasive, even before the pandemic.
27 May 2020

Covid-19 fueled cloud computing spending in 2020. Source: Shutterstock

  • Cloud misconfigurations cost businesses US$5 trillion in the last two years
  • Current cloud security practices are found to be inadequate 

According to the Flexera 2020 State of the Cloud Report, 57 percent of organizations have increased their budgets for cloud-based solutions as a response to the pandemic outbreak. 

Lockdown restrictions drove millions of businesses to ‘go digital’ and employees to work from home. Hence, for a majority, migrating to the cloud and adopting cloud-based solutions and platforms have played a crucial part in business continuity and sustainability in the longer term. 

As a ripple effect, bad actors and online criminal gangs are grasping this opportunity to profit. An uptick of cyberattacks was reported as businesses were scrambling to help their workforce set up home offices and access organizational systems. 

But attacks capitalizing on a rapid shift to the cloud have been pervasive, even before the pandemic, with misconfiguration errors listed as one of the top threats. 

A report by Verizon revealed that misconfiguration errors have been prominent since 2017. A majority relate to internet-exposed storage that is discovered by security researchers and unrelated third parties.

It’s estimated that data breaches caused by cloud misconfigurations have cost companies worldwide up to US$5 trillion in 2018 and 2019, based on research by DivvyCloud.

The risks of cloud misconfigurations are heightened as bad actors target new and often rapidly-deployed infrastructure set to accommodate teleworkers. 

Meanwhile, current security practices have been found to be ‘grossly inadequate’ to protect transient cloud infrastructure.

The Accurics State of DevSecOps report examined present-day cloud security approaches and listed some of the best practices organizations can follow to reevaluate their approaches. 

Accurics co-founder & CEO, Sachin Aggarwal, said: “Our report clearly describes how current security practices are grossly inadequate for protecting transient cloud infrastructures, and why more than 30 billion records have been exposed through cloud breaches in just the past two years.” 

Cloud misconfigurations remain a viable threat

Misconfigurations of cloud technologies across the full cloud-native stack are increasing the attack surface and presenting opportunities for bad actors.

Aggarwal warned of the severity of these cases and of companies becoming targets of malicious intent.

“The dangers are undeniable: high severity risks such as open security groups, overly permissive IAM roles, and exposed cloud storage services constituted 67 percent of the issues. This is particularly worrisome since these types of risks have been at the core of numerous high-profile cloud breaches,” Aggarwal shared in a press release.

The report explores the concept of provisioning and managing cloud infrastructure through code to achieve agility and reliability. Essentially, this technique enables companies to embed security in the earlier stages of a DevOps lifecycle.

Despite organizations deploying top-notch security measures and assessments across infrastructure as code, the study highlighted that 90 percent of organizations allow privileged users to make configuration changes directly to the cloud infrastructure. This could result in cloud systems deviating from “the secure baseline established during development.”

“What’s needed is a holistic approach with consistent protection across the full cloud stack, as well as the ability to identify risks from configuration changes to deployed cloud infrastructure from a baseline established during development,” Aggarwal said. 
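The baseline comparison described above can be sketched as follows. This is an added example, not code from the Accurics report or any vendor: the resource names, the data model and the `PUBLIC_PORTS` allow-list are assumptions, and the sample data is constructed. It flags deployed resources that differ from the infrastructure-as-code baseline and rates drift as high severity when it falls into one of the three categories Aggarwal names.

```python
# Constructed sample data: BASELINE stands for what the IaC templates declare,
# DEPLOYED for what an inventory of the live cloud account returns.
BASELINE = {
    "sg-web": {"type": "security_group", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "sg-db": {"type": "security_group", "ingress": [{"port": 5432, "cidr": "10.0.1.0/24"}]},
    "role-app": {"type": "iam_role", "actions": ["s3:GetObject"], "resources": ["app-data/*"]},
    "bucket-logs": {"type": "storage_bucket", "public_read": False},
}
DEPLOYED = {
    "sg-web": {"type": "security_group", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                                     {"port": 22, "cidr": "0.0.0.0/0"}]},
    "sg-db": {"type": "security_group", "ingress": [{"port": 5432, "cidr": "10.0.0.0/16"}]},
    "role-app": {"type": "iam_role", "actions": ["s3:*"], "resources": ["*"]},
    "bucket-logs": {"type": "storage_bucket", "public_read": False},
    "bucket-tmp": {"type": "storage_bucket", "public_read": True},
}
PUBLIC_PORTS = {80, 443}  # assumption: ports this team intends to expose publicly

def high_risk(res):
    """Return which of the report's high-severity categories a resource matches."""
    kind = res["type"]
    if kind == "security_group":
        return [f"open security group: port {r['port']} from {r['cidr']}"
                for r in res["ingress"]
                if r["cidr"] in ("0.0.0.0/0", "::/0") and r["port"] not in PUBLIC_PORTS]
    if kind == "iam_role":
        wild = [a for a in res["actions"] if a.endswith("*")] + \
               [r for r in res["resources"] if r == "*"]
        return [f"overly permissive IAM role: wildcard {w}" for w in wild]
    if kind == "storage_bucket" and res.get("public_read"):
        return ["exposed cloud storage: public read enabled"]
    return []

def detect_drift(baseline, deployed):
    """Compare live resources with the IaC baseline; report drift and its severity."""
    findings = []
    for name, live in sorted(deployed.items()):
        base = baseline.get(name)
        if base == live:
            continue  # still matches the baseline
        risks = high_risk(live)
        findings.append({"resource": name,
                         "status": "unmanaged" if base is None else "drifted",
                         "severity": "high" if risks else "low",
                         "risks": risks})
    return findings

if __name__ == "__main__":
    for f in detect_drift(BASELINE, DEPLOYED):
        print(f["severity"].upper(), f["status"], f["resource"], f["risks"])
```

Resources created outside the templates show up as `unmanaged`, which is the case a scan of the IaC alone cannot see.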

Without a doubt, consistent and close monitoring of cloud infrastructure is important for early detection of possible vulnerability points and misconfigurations. Both novice and veteran cloud users will fare better by staying abreast of cloud cybersecurity developments and considering advances in next-gen technologies to strengthen their cloud security strategy.