Aqua Security has published new research revealing that a significant majority of companies that move to multi-cloud environments are not properly configuring their cloud-based services.
According to new findings from Aqua’s “2021 Cloud Security Report: Cloud Configuration Risks Exposed”, these misconfigurations, such as leaving bucket or blob storage open, can expose companies to critical security breaches.
“When you consider that a single cloud misconfiguration can expose organizations to severe cyber risk, such as data breaches, resource hijacking and denial of service attacks, the consequences of failing to address misconfiguration issues are all too real to ignore,” said Assaf Morag, Lead Data Analyst with Aqua’s Team Nautilus.
The research also notes that less than 1% of enterprise organizations fixed all detected issues while less than 8% of SMBs fixed all detected issues.
More than 50% of all organizations received alerts about misconfigured services with all ports open to the world, but only 68% of these issues were fixed, and the fixes took 24 days on average.
“Cloud-native applications improve agility by giving more people access to define the environment, but we see many organizations move away from a centralized approach to security,” added Morag. “The traditional model of permitting only a small, highly skilled team of security practitioners to make all configuration changes has given way to a modern, decentralized approach. Development teams are making configuration decisions or applying services, and that can have dramatic implications for the security posture of an organization’s production environment.”
The report points to five common types of cloud setting misconfigurations: storage (bucket/blob) misconfigurations, identity and access management (IAM) misconfigurations, data encryption issues, exploitable services behind open ports, and container technology exploitation.
The report underscores the need for channel partners to proactively assist customers in managing these issues.