Friday, 22nd October 2021
Logo

Third of businesses suffered a serious cloud data breach or leak as hackers exploit misconfigurations

83% of respondents believe their organization is at risk, while 64% anticipate the problem escalating, or remaining the same, in next 12 months.

As cloud adoption accelerates and the scale of cloud environments grows, businesses are becoming increasingly exposed to risks, research from cloud security specialist Fugue and Sonatype - the leader in developer-friendly tools for software supply chain automation and security - has today revealed. 36% of organizations said they had suffered a serious cloud breach or leak in the past year alone, with the challenges exacerbated by rising costs to fix attacks. In addition, some 83% believe their company is vulnerable to a major data breach related to misconfiguration.

The survey of 300 cloud professionals (including cloud engineers; security engineers; DevOps; architects) also uncovered that 64% feel the problem will get worse, or remain unchanged over the next year. In addition, the findings revealed that teams are struggling to get a handle on an increasingly complex threat landscape, faced with resourcing challenges and skills gaps.

“This year’s survey reveals that the complexities and dynamism of at-scale cloud environments outpace the ability of teams to keep them secure,” said Josh Stella, co-founder and CEO of Fugue. “Engineering and security teams continue to ramp up the time and resources they invest in cloud security, but say they still lack the visibility and automation they need.”

Cloud misconfiguration mistakes: a major insider threat

The primary causes of cloud misconfiguration cited are too many APIs and interfaces to govern (32%), a lack of controls and oversight (31%), a lack of policy awareness (27%), and negligence (23%). 21% said they are not checking Infrastructure as Code (IaC) prior to deployment, and 20% aren’t adequately monitoring their cloud environment for misconfiguration.

“The adoption of IaC is a double-edged sword, it puts cloud infrastructure into the hands of developers, but also opens organizations to serious risk associated with misconfiguration.” said Matt Howard, Executive Vice President at Sonatype. “The survey results highlight the need to empower developers with advanced security guardrails and rapid feedback to ensure that cloud infrastructure is secure and complies with relevant regulations and defined policies.”

Cloud and infrastructure as code security is a people problem

Traditional security challenges play a significant role in cloud security, such as alert fatigue (cited by 21%) and false positives (27%), and human error (38%). The demand for cloud security expertise continues to outpace supply; 36% cite challenges in hiring and retaining the cloud security experts and 35% cite challenges sufficiently training their cloud teams on security.

Securing infrastructure as code and cloud environments is costly

The adoption of IaC presents cloud teams with the opportunity to check configurations pre-deployment, with half of the teams surveyed investing 50+ engineering hours per week on IaC security. They invest the same amount of time on securing running cloud environments.

Cloud security challenges and what professionals say they need

The lack of policies that work across the cloud development lifecycle (CDLC) from IaC through the runtime was cited as a significant issue, with 96% saying such a unified policy framework would be valuable. 47% said they need better visibility into their environments, and 43% said automated compliance audits and approvals would help.


Aligning with one of Gartner’s key trends for 2021 - Cybersecurity Mesh, - “a distributed architectu...
New Cloud Native Detection and Response (CNDR) uses a growing body of behavioural indicators from Aq...
Three-quarters rely on traditional VPNs for remote access while a third also use zero trust as part...
HPE will provide connectivity, security, and network design for the West Midlands event, delivering...
Trend Micro has revealed that global organizations have on average 29 security monitoring solutions...
AT&T is launching a managed Extended Detection and Response (XDR) offering. The AT&T Managed XDR sol...
5G Networks, a licensed telecommunications carrier operating across Australia, has chosen Corero for...
Vendor risk visibility and continuous third-party monitoring remains concerningly low despite height...