A staggering 99% of misconfigured cloud servers in public cloud environments go undetected, according to cybersecurity firm McAfee, putting organisations at risk of a data breach.
The rise of infrastructure as a service (Iaas) – in which cloud providers such as Amazon’s AWS and Microsoft’s Azure effectively rent out the physical infrastructure for other organisations to store their data – has led to a growing number of security incidents caused by human error, as opposed to malware.
Recently, a company left a database containing the personal details of every Ecuadorian online without protection. In another example, Verdict discovered 212,000 Teletext Holidays customer call recordings left public on an AWS S3 bucket.
The problem has become so commonplace that the US Securities and Exchange Commission put out an alert in May this year warning organisations about the risks.
McAfee’s findings, published in ‘Cloud-Native: The Infrastructure-as-a-Service Adoption and Risk Report’, reveals just how widespread the problem of misconfigured public cloud servers is.
Surveying 1,000 enterprise organisations around the world and drawing from the anonymised, aggregated data of “millions of cloud users and billions of events” of its customers, McAfee found that 90% of companies have experienced some kind of security issue when it comes to IaaS.
The findings also showed that while companies claim misconfiguration incidents average 37 per month, the reality is actually 3,500.
99 problems and misconfigured servers is the main one
One way for organisations to keep on top of their cloud security is to carry out an audit of their misconfigurations. However, just 26% of organisations are equipped to do so, according to the findings.
Keeping track of misconfigured servers is made trickier still when companies use multiple cloud service providers. According to McAfee, 76% of respondents said they use multiple IaaS providers. However, McAfee puts the real figure at 92%, based on cloud usage data.
“In the rush toward IaaS adoption, many organisations overlook the shared responsibility model for the cloud and assume that security is taken care of completely by the cloud provider,” said Rajiv Gupta, senior vice president of cloud security at McAfee.
“However, the security of what customers put in the cloud, most importantly sensitive data, is their responsibility.
“To defend against the new era of cloud-native breaches, organisations need to use security tools that are cloud-native, purpose-built for cloud security and address their portion of the shared responsibility model.”