Misconfiguration and Data Breaches
According to Gartner, by 2020, 95% of cloud security issues will be the result of misconfiguration or mistakes. A single misconfiguration can expose hundreds or thousands of systems or highly sensitive data to the public internet.
What is reported as a "data breach" is often a cloud storage bucket containing sensitive data that was accidentally exposed to the internet. Several high-profile breaches of this kind have raised interest in CSPM.
Here are a few examples of data breaches due to cloud misconfigurations:
- Facebook member records exposed by an unsecured AWS S3 bucket
- Voter records exposed in an AWS S3 configuration blunder in Chicago
- Server leaks data from Fortune 100 companies: Ford, Netflix, and Capital One
The Shared Responsibility Model
Security is a shared responsibility between the cloud provider, such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform, and the customer. In this "shared responsibility model," the cloud vendor is responsible for "security of the cloud," which includes all the infrastructure that runs cloud services. While the major cloud providers go to great lengths to secure the infrastructure of their environment, it is up to the customer to secure their use of the cloud services. The customer is responsible for "security in the cloud."
Despite this model, there remains confusion about the demarcation of responsibility between cloud providers and their customers. According to a Barracuda Networks survey of 550 IT decision makers, 64% of respondents claimed that their cloud provider should protect customer data in the cloud, which is clearly the customer’s responsibility according to the Shared Responsibility Model.
With modern businesses moving their data into the cloud, this dangerous disconnect between perception and reality can leave many businesses vulnerable. This is why, according to Gartner, through 2023 at least 99% of cloud security failures are the result of human mistakes.
CSPM offerings typically focus on identifying the following types of policy and security violations:
- Lack of encryption on databases or data storage.
- Lack of encryption on application traffic, especially that which involves sensitive data.
- Improper encryption key management such as not rotating keys regularly.
- Overly liberal account permissions.
- No multi-factor authentication enabled on critical system accounts.
- Misconfigured network connectivity, particularly overly permissive access rules or resources directly accessible from the internet.
- Data storage exposed directly to the internet.
- Logging not enabled for critical activities such as network flows, database access, or privileged user activity.
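The checks in the list above are what a CSPM rule engine evaluates continuously against an inventory of cloud resources. The following is an added illustration, not code from this page or from any CSPM vendor: a small Python rule engine that runs one rule per violation type over a constructed inventory. The inventory schema (`storage_buckets`, `databases`, `kms_keys`, `iam_principals`, `security_groups`, `logging`) and the thresholds (`ADMIN_PORTS`, `KEY_ROTATION_MAX_DAYS`) are assumptions chosen for the example; a real tool would populate this structure from the provider's APIs.

```python
"""Toy CSPM rule engine: evaluates a constructed cloud inventory against
posture rules (encryption, key rotation, permissions, MFA, network
exposure, public storage, logging). Hypothetical data model, not a real
cloud provider schema."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str

ADMIN_PORTS = {22, 3389, 1433, 3306, 5432}  # assumed "management/data" ports
KEY_ROTATION_MAX_DAYS = 365                 # assumed rotation policy

# Constructed sample inventory: one compliant and one non-compliant
# resource of each kind, so every rule has something to find.
INVENTORY = {
    "storage_buckets": [
        {"name": "customer-exports", "encryption": None, "public_access": True},
        {"name": "app-logs", "encryption": "kms", "public_access": False},
    ],
    "databases": [
        {"name": "orders-db", "storage_encrypted": False, "tls_required": False},
        {"name": "analytics-db", "storage_encrypted": True, "tls_required": True},
    ],
    "kms_keys": [
        {"id": "key-1", "rotation_enabled": False, "days_since_rotation": 700},
        {"id": "key-2", "rotation_enabled": True, "days_since_rotation": 120},
    ],
    "iam_principals": [
        {"name": "ops-admin", "mfa_enabled": False, "privileged": True,
         "policy_actions": ["*"]},
        {"name": "ci-deployer", "mfa_enabled": True, "privileged": False,
         "policy_actions": ["storage:PutObject"]},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
        {"id": "sg-db", "ingress": [{"cidr": "0.0.0.0/0", "port": 5432}]},
    ],
    "logging": {"audit_trail_enabled": False, "flow_logs_enabled": True},
}

def check_storage(inv):
    """Unencrypted storage and storage exposed directly to the internet."""
    out = []
    for b in inv["storage_buckets"]:
        if b["encryption"] is None:
            out.append(Finding(b["name"], "storage-unencrypted", "HIGH"))
        if b["public_access"]:
            out.append(Finding(b["name"], "storage-public", "CRITICAL"))
    return out

def check_databases(inv):
    """Unencrypted databases and unencrypted application traffic to them."""
    out = []
    for d in inv["databases"]:
        if not d["storage_encrypted"]:
            out.append(Finding(d["name"], "db-unencrypted-at-rest", "HIGH"))
        if not d["tls_required"]:
            out.append(Finding(d["name"], "db-plaintext-traffic", "MEDIUM"))
    return out

def check_keys(inv):
    """Keys with rotation disabled or not rotated within the policy window."""
    return [Finding(k["id"], "key-rotation-stale", "MEDIUM")
            for k in inv["kms_keys"]
            if not k["rotation_enabled"]
            or k["days_since_rotation"] > KEY_ROTATION_MAX_DAYS]

def check_identities(inv):
    """Overly liberal permissions and privileged accounts without MFA."""
    out = []
    for p in inv["iam_principals"]:
        if "*" in p["policy_actions"]:
            out.append(Finding(p["name"], "wildcard-permissions", "HIGH"))
        if p["privileged"] and not p["mfa_enabled"]:
            out.append(Finding(p["name"], "privileged-no-mfa", "HIGH"))
    return out

def check_network(inv):
    """Admin or data ports reachable from any address on the internet."""
    return [Finding(sg["id"], f"world-open-port-{rule['port']}", "CRITICAL")
            for sg in inv["security_groups"]
            for rule in sg["ingress"]
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS]

def check_logging(inv):
    """Audit trail and network flow logging not enabled."""
    out = []
    if not inv["logging"]["audit_trail_enabled"]:
        out.append(Finding("account", "audit-logging-disabled", "HIGH"))
    if not inv["logging"]["flow_logs_enabled"]:
        out.append(Finding("account", "flow-logs-disabled", "MEDIUM"))
    return out

RULES = [check_storage, check_databases, check_keys,
         check_identities, check_network, check_logging]

def evaluate(inventory=INVENTORY):
    """Run every rule over the inventory and return all findings."""
    findings = []
    for rule in RULES:
        findings.extend(rule(inventory))
    return findings

def summarize(findings):
    """Count findings per severity, e.g. for a posture dashboard."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

if __name__ == "__main__":
    for f in evaluate():
        print(f"[{f.severity}] {f.resource}: {f.rule}")
    print(summarize(evaluate()))
```

Each rule is a pure function over the inventory, which keeps rules independently testable and makes it easy to add provider-specific ones; the HTTPS rule on `sg-web` produces no finding because port 443 is not in the assumed admin-port set, while the same `0.0.0.0/0` source on the database port is flagged.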