While most companies have adopted the public cloud and have moved at least some of their workloads or infrastructure to it, confidence in cloud security is low. According to a recent study conducted by Vanson Bourne on behalf of Sophos, 96% of the 3,251 respondents to the survey said they were concerned about the current state of their cloud security.
The survey was conducted among IT managers in 26 countries, including the United States, United Kingdom, India, Australia, China, and Singapore. All participants used at least one cloud service from AWS, VMware Cloud on AWS, Azure, Oracle Cloud, IBM Cloud, Google Cloud or Alibaba Cloud. The findings were published in the Sophos State of Cloud Security 2020 report.
Fears about cloud security are not unfounded. 70% of companies that took part in the study reported having experienced at least one breach of their cloud environment in the past 12 months. 93% of respondents from India said they had experienced a cloud breach in the past year.
Misconfigurations were the most common cause of cloud data breaches. 66% had experienced a breach due to a security misconfiguration, either misconfigured cloud services that exposed data (22%) or misconfigured firewalls (44%). Theft of cloud credentials was also common, with the credentials often disclosed to attackers in response to phishing emails. 34% of businesses said they had experienced a malware attack in the past year and 28% had experienced a ransomware attack.
The risk of a data breach increased with the complexity of organizations’ cloud environments. Companies that used more than one public cloud provider experienced more security breaches than companies with only one provider. Identity management was also found to be a problem. 91% of organizations had not followed the principle of least privilege and had overprivileged identity and access management roles. While multifactor authentication is essential for cloud provider accounts, 98% of respondents said it was disabled.
It is interesting that a lack of staff expertise was only rated as a concern by 1 in 4 organizations. Given the number of data breaches experienced, it would appear that organizations’ faith in the ability of their staff to secure cloud environments may be misplaced.
A lack of visibility into the entire cloud footprint is a major problem, as without full visibility, vulnerabilities are likely to remain unaddressed. Even so, it is interesting to note that 92% of respondents from India claimed they had full visibility into their cloud environment, yet 93% had suffered a data breach. According to Sophos, the high number of data breaches can be explained by poor cyber hygiene, which introduced vulnerabilities that cybercriminals could easily exploit to gain access to sensitive data and install malware and ransomware.
“The recent increase in remote working provides extra motivation to disable cloud infrastructure that is being relied on more than ever, so it’s worrisome that many organizations still don’t understand their responsibility in securing cloud data and workloads,” said Sophos’ principal research scientist Chester Wisniewski. “Cloud security is a shared responsibility, and organizations need to carefully manage and monitor cloud environments in order to stay one step ahead of determined attackers.”