Fugue, the company automating security and compliance in the cloud, today released the results of its Cloud Infrastructure Misconfiguration Report. The survey of more than 300 IT professionals revealed that most enterprises are highly vulnerable to security events caused by cloud misconfiguration. Critical data breaches and system downtime events were among the many reported negative outcomes of misconfiguration.
The key finding: while 92 percent of IT and security professionals reported concerns about security risks due to misconfiguration, fewer than a third are continuously monitoring for misconfiguration. And while 82 percent reported security and compliance incidents due to cloud infrastructure misconfiguration, few enterprises have automated remediation processes that can prevent them.
“Our goal with this survey was to identify what actually matters to enterprises with regard to cloud misconfiguration, particularly when it comes to security, compliance and their bottom line,” said Phillip Merrick, CEO of Fugue. “While there are many high-profile cases of data breaches due to misconfiguration, there has been little information available regarding the frequency, the causes and the costs enterprises incur in an attempt to manage them and mitigate the risk they bring.”
Concern Is High But Continuous Monitoring Is Low
Just about every company surveyed registered concern about cloud misconfiguration, with 46 percent saying they were “highly concerned” and 46 percent being “somewhat concerned.” This level of concern has not yet translated into action, with only 28 percent reporting that they continuously monitor misconfiguration alerts.
While 51 percent of teams report a frequency of 50 or more misconfigurations daily, half of the teams surveyed only review alerts and remediate issues on a daily – or even longer – timeframe, leading to dangerously long infrastructure vulnerability periods. Very few believe their Mean Time to Remediation (MTTR) for cloud misconfigurations is where it should be to keep infrastructure secure and compliant.
Cloud Misconfiguration Leads to Major Security Problems
When asked if their organization had experienced security, compliance or operational issues resulting from a cloud misconfiguration, respondents reported a variety of negative events. Specifically:
-Critical data breaches: 27 percent -Object storage breaches: 34 percent -Unauthorized traffic to a virtual server instance: 36 percent -Unauthorized access to a database service: 34 percent -Unauthorized user logins: 29 percent -Unauthorized API calls: 28 percent -System downtime events: 44 percent
Managing Cloud Misconfiguration Has a High Cost
While the risk due to cloud misconfiguration is great, the burden of managing it soaks up valuable time and resources. The survey asked respondents to estimate how much time their teams devoted each week to managing misconfiguration, specifically on tasks such as reviewing alerts, identifying critical issues, remediating, producing reports, and auditing. Just under half reported spending from 50 to 500 (or more) hours of dedicated time.
Among the top causes of cloud misconfiguration cited were human error (64 percent), lack of policy awareness (54 percent), and challenges in governing multiple interfaces to cloud APIs (47 percent). And, while teams are often devoting the equivalent of at least one full-time engineer to managing cloud misconfiguration, 68 percent report delays in remediation critical issues, and 79 percent report that critical misconfiguration events are still being missed.
Full Survey Results
“By commissioning this survey, we’ve generated statistics and insights that haven’t been available anywhere else,” added Drew Wright, co-founder and vice president of communications at Fugue. “That’s good news for enterprises because the results show where they are likely to be deficient and where there may be opportunities to prevent potentially catastrophic security events related to cloud misconfiguration. Automated prevention allows organizations to move fast on cloud while staying secure and in compliance.”
The company collaborated with Propeller Insights to survey more than 300 IT and security professionals and produce insights into the risks and costs of cloud infrastructure misconfiguration. Titles surveyed included VP of cloud, CISO, VP of cloud security, cloud architect, application developer, IT operations, DevOps, and other related roles. Organizations surveyed have at least 500 employees, with 64 percent reporting using cloud at scale, and 93 percent concerned about maintaining compliance.
Fugue finds security risks and compliance violations in your cloud infrastructure and ensures they are never repeated. Fugue knows what is supposed to be running in your cloud environments, and, if any unauthorized changes are made, Fugue returns resources to a known-good state. The company has eight patents granted and 16 pending. Based in Maryland, Fugue’s investors include New Enterprise Associates, Future Fund, Maryland Venture Fund, and Core Capital Partners. Fugue is an AWS Advanced Technology Partner and a Launch Partner in the AWS Cloud Management Tools Competency Program in the Governance category. Gartner named Fugue a Cool Vendor in Cloud Computing 2017. To learn more about Fugue, visit www.fugue.co
Gabrielle Jasinski for Fugue