As many organizations have been forced to make a rapid shift to work-from-home to help stem the spread of COVID-19, a significant percentage of IT and cloud professionals are concerned about maintaining the security of their cloud environments during this period. The findings are a part of the State of Cloud Security survey conducted by Fugue.
The survey found that 96 percent of cloud engineering teams are now 100 percent distributed and working from home in response to the crisis, with 83 percent having completed the transition or in the process of doing so. Of those that are making the shift, 84 percent are concerned about new security vulnerabilities created during the swift adoption of new access policies, networks, and devices used for managing cloud infrastructure remotely.
“What our survey reveals is that cloud misconfiguration not only remains the number one cause of data breaches in the cloud, the rapid global shift to 100 percent distributed teams is creating new risks for organizations and opportunities for malicious actors,” said Phillip Merrick, CEO of Fugue. “Knowing your cloud infrastructure is secure at all times is already a major challenge for even the most sophisticated cloud customers, and the current crisis is compounding the problem.”
Because cloud misconfiguration exploits can be so difficult to detect using traditional security analysis tools, even after the fact, 84 percent of IT professionals are concerned that their organization has already suffered a major cloud breach that they have yet to discover (39.7 percent highly concerned; 44.3 percent somewhat concerned). 28 percent state that they’ve already suffered a critical cloud data breach that they are aware of.
In addition, 92 percent are worried that their organization is vulnerable to a major cloud misconfiguration-related data breach (47.3 percent highly concerned; 44.3 percent somewhat concerned). Over the next year, 33 percent believe cloud misconfigurations will increase and 43 percent believe the rate of misconfiguration will stay the same. Only 24 percent believe cloud misconfigurations will decrease at their organization.
Causes of cloud misconfiguration: Lack of awareness, controls, and oversight
Preventing cloud misconfiguration remains a significant challenge for cloud engineering and security teams. Every team operating on cloud has a misconfiguration problem, with 73 percent citing more than 10 incidents per day, 36 percent experiencing more than 100 per day, and 10 percent suffering more than 500 per day. 3 percent had no idea what their misconfiguration rate is.
The top causes of cloud misconfiguration cited are a lack of awareness of cloud security and policies (52 percent), a lack of adequate controls and oversight (49 percent), too many cloud APIs and interfaces to adequately govern (43 percent), and negligent insider activities (32 percent). Only 31 percent of teams are using open source policy-as-code tooling to prevent misconfiguration from happening, while 39 percent still rely on manual reviews before deployment.
Respondents cited a number of critical misconfiguration events they’ve suffered, including object storage breaches (32 percent), unauthorized traffic to a virtual server instance (28 percent), unauthorized access to database services (24 percent), overly-broad Identity and Access Management permissions (24 percent), unauthorized user logins (24 percent), and unauthorized API calls (25 percent). Cloud misconfiguration was also cited as the cause of system downtime events (39 percent) and compliance violation events (34 percent).
Many still rely on manual processes to defend against automated misconfiguration threats
While malicious actors use automation tools to scan the Internet to find cloud misconfigurations within minutes of their inception, most cloud teams still rely on slow, manual processes to address the problem. 73 percent use manual remediation once alerting or log analysis tools identify potential issues, and only 39 percent have put some automated remediation in place. 40 percent of cloud teams conduct manual audits of cloud environments to identify misconfiguration.
A reliance on manual approaches to managing cloud misconfiguration creates new problems, including human error in missing or mis-categorizing critical misconfigurations (46 percent) and when remediating them (45 percent). 43 percent cite difficulties in training team members to correctly identify and remediate misconfiguration, and 39 percent face challenges in hiring enough cloud security experts. Issues such as false positives (31 percent) and alert fatigue (27 percent) were also listed as problems teams have encountered.
The metric for measuring the effectiveness of cloud misconfiguration management is Mean Time to Remediation (MTTR), and 55 percent think their ideal MTTR should be under one hour, with 20 percent saying it should be under 15 minutes. However, 33 percent cited an actual MTTR of up to one day, and 15 percent said their MTTR is between one day and one week. 3 percent said their MTTR is longer than one week.
Managing cloud misconfiguration is costly
With cloud misconfiguration rates at such high levels and a widespread reliance on manual processes to manage it, the costs are predictably high for cloud customers. 49 percent of cloud engineering and security teams are devoting more than 50 man hours per week managing cloud misconfiguration, with 20 percent investing more than 100 hours on the problem.
When asked what they need to more effectively and efficiently manage cloud misconfiguration, 95 percent said tooling to automatically detect and remediate misconfiguration events would be valuable (72 percent very valuable; 23 percent somewhat valuable). Others cited the need for better visibility into cloud infrastructure (30 percent), timely notifications on dangerous changes (i.e., “drift”) and misconfiguration (28 percent), and improved reporting to help prioritize remediation efforts (8 percent).
About the survey
Fugue partnered with Propeller Insights to survey 300 IT, cloud, and security professionals, including DevOps engineers, cloud architects, security engineers, site reliability engineers (SREs), DevSecOps engineers, and application developers. Professionals from companies representing a variety of industries that use Amazon Web Services, Microsoft Azure, and Google Cloud Platform for cloud computing were surveyed. http://www.fugue.co