Many companies have moved to the cloud and in the process potentially exposed their sensitive data to the variety of threats the internet contains. Understanding non-functional requirements will improve the security and recoverability of important information. Understanding the growing use of cloud infrastructure and the shared responsibilities that come with it will keep companies secure.
When using software-as-a-service (SaaS) you are accountable for the security of your data and need to ensure it is accessed appropriately by the correct individuals in your organization. This includes correctly identifying and managing their access over time. The vendor is responsible for providing you the proper tools to perform this action.
When using infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS), you are additionally accountable for the security of your workloads and need to ensure the underlying application and infrastructure components are not misconfigured. Again, the vendor is responsible for providing you the proper tools to perform all these actions.
IaaS/PaaS providers are increasing the productivity of your developers and making organizations extraordinarily agile. None of this happens without some upfront planning and ongoing monitoring. The risk of immediate and grand-scale loss of data continues to grow.
These losses are often caused by misconfiguration: for example, an AWS S3 bucket set to be publicly readable when the data it holds is meant to be private. Because setting up IaaS/PaaS configurations is a series of checkboxes, it is critical to understand what each checkbox does or doesn't do. You need to get the basics right or face losing the opportunity for business acceleration, and a lot of bad press.
The other component of risk is that the majority of threats to data in the cloud result from compromised accounts and insider threats. 80% of organizations will experience at least one compromised account threat in the cloud this month, and 92% currently have stolen cloud credentials for sale on the Dark Web (see the figures below).
Some additional key facts from the 2019 McAfee report to consider include:
21% of all files in the cloud contain sensitive data, up 17% over the past two years.
The number of files with sensitive data shared in the cloud has increased by 53% YoY.
Sharing sensitive data with an open, publicly accessible link has increased by 23% over the past two years.
94% of IaaS/PaaS use is in AWS, but 78% of organizations using IaaS/PaaS use both AWS and Azure.
Enterprise organizations have an average of 14 misconfigured IaaS/PaaS instances running at one time, resulting in an average of 2,269 individual misconfiguration incidents per month.
5% of AWS S3 buckets have world read permissions, making them open to the public.
The average organization generates over 3.2 billion events per month in the cloud, of which 3,217 are anomalous, and 31.3 are actual threat events.
Threat events in the cloud, i.e., a compromised account, a privileged user, or an insider threat, have increased 27.7% YoY.
80% of all organizations experience at least 1 compromised account threat per month.
92% of all organizations have stolen cloud credentials for sale on the Dark Web.
Threats in Office 365 have grown by 63% in the last two years.
The average organization uses 1,935 unique cloud services, an increase of 15% from last year. Most organizations think they use about 30.
To address these concerns, start with an understanding of security responsibilities.
Next, follow these steps continuously during and after your deployment:
Audit Configurations
There are a number of audit tools available to help companies find and correct these issues. Some are supplied by third-party vendors and some by the cloud providers themselves.
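The world-readable S3 bucket mentioned earlier is the kind of checkbox mistake an audit step should catch. As an added example (not code from the original post or from any vendor tool), the following checker evaluates a bucket policy document and an ACL grant list offline for anonymous read access; the bucket name, account id and Sids are constructed, and the grant dicts follow the Grantee/Permission shape of the S3 ACL API.

```python
import json

# Constructed sample inputs (hypothetical bucket and account id); not real data.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneToRead",
        "Effect": "Allow",
        "Principal": "*",                      # anonymous callers included
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*"}]})
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OwnerAccountOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*"}]})
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}   # actions that permit object reads

def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def principal_is_public(principal):
    """A Principal of "*" or {"AWS": "*"} matches anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def policy_public_read(policy_json):
    """Return the Sids of Allow statements that let anyone read objects."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if (st.get("Effect") == "Allow" and principal_is_public(st.get("Principal"))
                and actions & READ_ACTIONS):
            findings.append(st.get("Sid", f"statement-{i}"))
    return findings

def acl_world_readable(grants):
    """True when an ACL grant gives the AllUsers group READ or FULL_CONTROL."""
    return any(g.get("Grantee", {}).get("URI") == ALL_USERS
               and g.get("Permission") in ("READ", "FULL_CONTROL") for g in grants)

if __name__ == "__main__":
    print(policy_public_read(PUBLIC_READ_POLICY))   # ['AllowAnyoneToRead']
    print(policy_public_read(PRIVATE_POLICY))       # []
```

A statement with a Condition block is still reported, since a conditioned public grant deserves review rather than silent approval.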
Understand which cloud services hold most of your sensitive data.
Office 365, Dropbox, and Box are some of the most common locations. Reduce risk exposure by extending data loss prevention (DLP) policies to control what can enter or exit them.
Lock down sharing, again where your sensitive data lives.
Collaboration controls allow you to eliminate irreversible exposures like documents set to “anyone with a link”, and generally limit sharing to other risky destinations like personal email addresses.
1. Cloud Adoption and Risk Report, McAfee, 2019. https://www.mcafee.com/enterprise/en-us/solutions/lp/cloud-adoption-risk.html