Majority of All Cloud Misconfigurations Go Unnoticed

• A McAfee report reveals that an overwhelming majority (99%) of all Infrastructure-as-a-Service (IaaS) misconfigurations are not reported to the cloud provider.
• Over 90% of users face security issues with IaaS configurations, however, only 26 percent of users are equipped to deal with misconfiguration challenges.

What was the research about?

McAfee researchers have published a new report titled “Cloud-Native: The Infrastructure-as-a-Service Adoption and Risk.”

What did they find?

This study was conducted among 1,000 IT professionals across 11 countries and cloud usage data from over 30 million McAfee Mvision cloud users was aggregated to compile the report.

• The report reveals that a majority (99%) of all Infrastructure-as-a-Service (IaaS) misconfigurations are going unnoticed.
• Only one percent of all misconfigurations in the IaaS is reported.
• Almost 42% of storage objects measured with recorded DLP incidents are misconfigured.
• Over 90% of users face security issues with IaaS configurations.
• However, only 26% of users are equipped to deal with misconfiguration challenges.
• It can take longer than 24 hours to over a month to address reported misconfigurations.

Researchers noted that these misconfigurations that go unnoticed can lead to an increased risk of data breaches.

Worth noting

The report also listed the top ten most commonly misconfigured settings in AWS, the most popular IaaS provider, which includes:

• EBS Data Encryption
• Unrestricted Outbound Access
• EC2 Security Group Port Config
• Provisioning Access to Resources using IAM Roles
• Unrestricted Access to Non-Http/Https ports
• Unrestricted Inbound Access on Uncommon Ports
• Unused Security Groups
• Unrestricted ICMP Access
• EC2 Security Group Inbound Access Configuration
• EC2 Instance Belongs to a VPC

Meanwhile, cloud security experts from Palo Alto Networks have warned about the most common three AWS misconfiguration mistakes, which includes

• Allowing outbound traffic by default
• Allowing internet access to Port 22
• Allowing internet access to Port 3389

Key Takeaway

Most IaaS users often overlook the security issues that come along with IaaS adoption and fail to report misconfigurations assuming that it is completely taken care of by the cloud provider. However, users are equally responsible for the security of the infrastructure and the data stored in the cloud.

“In the rush toward IaaS adoption, many organizations overlook the shared responsibility model for the cloud and assume that security is taken care of completely by the cloud provider. However, the security of what customers put in the cloud, most importantly sensitive data, is their responsibility,” Rajiv Gupta, Senior Vice President of Cloud Security at McAfee said.