IBM recently announced the results of a global study which found that data breaches in 2021 cost the companies studied $4.24 million per incident on average. For those of you keeping track, this is the highest cost in the 17-year history of the report.
Are these hoody-wearing bad-actors sitting in some evil country, working overtime to hack our system walls and breach our data? In many cases, the employees sitting down the hall inadvertently leave the doors wide open to breaches.
Most of the scenarios that allow data breaches to occur are simple misconfigurations or human error. This happens when a security administrator or end user fails to properly set up certain security attributes. Thus, access to a compute or storage server in the cloud is left wide open and vulnerable to a breach – without any special talent required to rupture security.
In a recent report, McAfee connected the rise of cloud breaches and the state of multi-cloud adoption. Their report found that, in recent years, nearly 70 percent of exposed records—5.4 billion total—were caused by unintentional Internet exposure due to misconfigured cloud services.
Even more alarming, McAfee found that most of these misconfigurations go unreported and, in many cases, unnoticed. This gets us to the heart of the matter, in that it’s humans doing something stupid that easily enables bad actors. What’s more, when the mistakes are found, they are often ignored or covered up because of the bad PR it would cause, or to avoid employee disciplinary actions.
Causes of Human Errors in Cloud Security
So, what mistakes do humans make when they set up their cloud security? While there are any number of reasons for the errors, here are the two most common:
Lack of Training and/or Experience
Obvious, I know. Most misconfigurations and other mistakes that unintentionally expose processing and data trace back to a lack of understanding about how the security settings work. This even includes a lack of knowledge about how to reconfigure the default security parameters, which would typically be good enough to keep outside intruders out.
In other words, hackers can usually bypass the default security settings created by the cloud provider to expose the data and/or the processing. Keeping default security parameters is the (sometimes literal) equivalent of using “admin” as a password.
This will be an ongoing problem because too many open positions that require cloud security skills chase too few qualified candidates. In many instances, enterprises hire less experienced and untrained staff just to get warm bodies in those seats so they can make some kind of progress. The result is that these sorts of mistakes will become more commonplace.
Cloud Providers Moving Too Fast
Since cloud computing is on-demand and providers are continuously improving their cloud services, including security, the ways in which security settings work often change. Yes, release notes go out with the release, but staffers often neglect to update their knowledge, typically because they have too much work on their plates and not enough time.
When something changes and the settings need to be updated, they don’t get updated. This results in exposures caused by the clients’ inability to keep up with cloud provider updates to their security features and settings.
In one breach case, a provider’s clients were automatically opted out of encryption until an agreement was read and accepted. Hackers exploited the fact that most clients initially left encryption off and they found easy access to cloud-based data.
The argument is then made that cloud providers should slow enough to allow their clients’ security staff to keep up. That approach creates its own set of problems, especially if the cloud providers hesitate to fix known vulnerabilities. Instead, the users and cloud providers need to get better coordinated to better adapt to these changes.
Guarding Against Cloud Security Breeches
In terms of what needs to be done to avoid cloud security misconfigurations and other mistakes that can invite breaches, the responsibility comes down to the client.
However, the cloud providers also need to be aware that they play a role in the solution. In the end, there needs to be a more coupled coordination to combat this problem.
Here are a few things that enterprises can focus on:
Peer Approved Configurations
Require peers to review the security settings and sign-off on their correctness. Yes, this means finding another cloud security admin to look at your work and make sure nothing was missed.
Issues around this include peers that become too chummy, and thus neglect to truly review the settings. Or those who would leverage this position around office politics, such as intentionally making a peer look bad.
Automated Configuration Checks and Testing
A much better solution would be to remove the humans from the process altogether using automated security checks and audits to find issues with settings and other configurations.
The advantage here is that these checks can occur in less than a minute, and report directly back to those charged with making the configuration mistake in the first place. They can promptly fix the issue without having to notify others.
You can find many of these tools in the world of DevOps, where security testing is common. This just extends the DevOps testing idea to security configurations, as well as applications and data, insuring that as many vulnerabilities as possible are removed. However, the investment must be made in the tools, as well as in skills and training. Otherwise, you’ll just end up with the same issues the tools were supposed to solve.
Also see: Best Website Scanners
Biggest Cloud Security Challenge?
Enterprises’ chief security and information officers have enough to worry about these days. However, human error around system security is a bigger problem than most understand. It’s a silent security secret for most enterprise, due to the lack of admission of the mistakes, and the lack of reporting when the mistakes are found. That’s according to the survey cited above.
So, the first step is to admit you have a problem. Next, take steps to correct the issues by identifying and understanding the core issues, and how to properly correct them. Unless you want your enterprise to make the morning news for all the wrong reasons, today would be a good day to review the current processes and procedures of your security system.