A survey of cloud security professionals by Fugue has found that 36% of organizations suffered a serious cloud security leak or breach in the past 12 months — and 64% say the problem will get worse or remain unchanged in the year ahead.
The study also found that 32% say the causes of cloud misconfigurations are too many APIs and interfaces to govern, while 31% say a lack of controls and oversight, 27% say policy awareness, and another 23% say negligence.
“This year’s survey reveals that the complexities and dynamism of at-scale cloud environments outpace the ability of teams to keep them secure,” said Josh Stella, co-founder and CEO at Fugue. “Engineering and security teams continue to ramp up the time and resources they invest in cloud security, but say they still lack the visibility and automation they need.”
It’s pretty clear that these numbers will likely increase over time given the strong cloud migration we are seeing, said Camille Charaudeau, vice president, product strategy at CybelAngel.
“The cloud adds much more resiliency to organizations' infrastructure, but the drawback is the loss of visibility and control,” Charaudeau said. “From a detection standpoint, there’s no view into what happens inside a data center. There are limited possibilities to gain back this visibility, so the major cloud vendors will have to offer this to their customers.”
Heather Paunet, senior vice president at Untangle, said as technology evolves and moving to the cloud becomes more inevitable, there are several relatively easy to ways for companies to ensure security.
“Companies can deploy MFA for cloud-based tools, ensure proper employee onboarding/offboarding procedures, give employees access to only the cloud systems they absolutely need, consider a web application firewall, and use only trusted cloud hosting providers, such as Amazon Web Services or Microsoft Azure,” Paunet said.
By clearly identifying user roles and responsibilities for cloud services, and assigning the appropriate access, organizations can avoid inadvertent bad practices from leading to a security breach, said John Morgan at Confluera. Morgan said employing least privilege access also creates more accurate detection of malicious activities with behavior and machine learning-based tools designed to decipher between routine behaviors and malicious ones.
“IT decision-making in the wake of the cloud is centered around business agility, with the line-of-business having a much higher influence in lower-level decisions that must prove business return-on-investment to get IT funding from the line-of-business,” Morgan said. “Security decisions will gage the level of automation, shift left capabilities, tools that support multiple clouds, create better user experiences, and lower overall risks with tools to detect attacks and quickly respond to mitigate or stop damages specifically designed for the cloud. IT staffing decisions for the cloud will require cloud training and expertise.”