Cloud misconfigurations make 90 percent of companies vulnerable
A large majority of companies that move to multi-cloud environments are not properly configuring their cloud-based services according to a new report from Aqua Security.
Over 12 months, Aqua's research team analysed anonymised cloud infrastructure data from hundreds of organizations. These were divided into SMBs and enterprises based on the volume of cloud resources they scanned.
The findings show that less than one percent of enterprise organizations fixed all detected issues while less than eight percent of SMBs fixed them all. More than 50 percent of all organizations receive alerts about misconfigured services with all ports open to the world, but only 68 percent of these issues are fixed, taking 24 days on average.
Large enterprises are taking an average of 88 days to address issues after discovery. In addition over 40 percent of users had at least one misconfigured Docker API, taking an average of 60 days to remediate.
"When you consider that a single cloud misconfiguration can expose organisations to severe cyber risk, such as data breaches, resource hijacking and denial of service attacks, the consequences of failing to address misconfiguration issues are all too real to ignore," says Assaf Morag, lead data analyst with Aqua's Team Nautilus.
The report also examines the mistakes that lead to five common types of cloud setting misconfigurations: storage (bucket/blob) misconfigurations, identity and access management (IAM) misconfigurations, data encryption issues, exploitable services behind open ports, and container technology exploitation.
"Cloud-native applications improve agility by giving more people access to define the environment, but we see many organizations move away from a centralized approach to security," adds Morag. "The traditional model of permitting only a small, highly skilled team of security practitioners to make all configuration changes has given way to a modern, decentralized approach. Development teams are making configuration decisions or applying services, and that can have dramatic implications for the security posture of an organisation's production environment."
You can get the full report from the Aqua Security site.