On October 29, McAfee released its Cloud Adoption and Risk Report 2019. Beginning with the fact that 83 percent of organizations worldwide store sensitive data in the cloud, the Report first discussed the major sources of cloud data risk:
- Growth of Sensitive Data in the Cloud: Not only has the absolute number of files stored in the cloud “increased rapidly,” but “the percentage of files that contain sensitive data has also grown”: now at 21 percent, but with a dramatic increase of 17 percent over the last two years.
- Growth of Confidential Data: “Confidential data” now constitutes the largest share of all sensitive data in the cloud, at percent – an increase of 28 percent over the last two years..
- Growth of Email: 20 percent of all sensitive data in the cloud runs through email services such as Exchange Online in Office 365 – an increase of 59 percent in the past two years.
- Decline of PII: Personally Identifiable Information (PII) has declined by 20 percent year over year.
The Report next focused on the role of Amazon Web Services (AWS), stating that AWS
has been not-so-quietly driving the transformation of server and data center infrastructure to cloud-based services, classified as Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS – think serverless computing like AWS Lambda). Today, 65% of organizations around the world use some form of IaaS, 52% for PaaS.
With these important services, however, comes the risk of data theft. The Report sets out several critical findings about the relationship between misconfiguration and data theft:
- “[O]n average, enterprises using IaaS/PaaS have 14 misconfigured services running at any given time, resulting in an average of 2,269 misconfiguration incidents per month.”
- The top AWS misconfigurations include: (1) Certain data encryption not being turned on; (2) Unrestricted outbound access; (3) Access to resources not being provisioned using Identity and Access Management roles; (4) Misconfiguration of the Amazon Elastic Compute Cloud (EC2) security group port; (5) Misconfiguration of EC2 security group inbound access; (6) Discovery of unencrypted Amazon Machine Images; (7) Discovery of unused security groups; (8) Disabling of Amazon Virtual Private Cloud flow logs; (9) failure to enable multi-factor authentication for IAM users; and (10) failure to turn on Amazon S3 object storage bucket encryption.
- When organizations with which McAfee works “turn on Data Loss Prevention (DLP), they see an average of 1,527 DLP incidents in their IaaS/PaaS storage per month. That means they detected sensitive data that either shouldn’t be there, or that requires additional monitoring and security controls. All told, 27% of organizations using PaaS have experienced data theft from their cloud infrastructure.”
The Report also identified leading internal and external threats relating to cloud-stored corporate data:
- “The average enterprise organization experiences 31.3 cloud-related security threats each month, a 27.7% increase over [the] same period last year.” These include threats arising from potentially compromised accounts. insider threats, and privileged user threats:
- Compromised Accounts: “On average, organizations experience 12.2 incidents each month in which an unauthorized third-party exploits stolen account credentials to gain access to corporate data stored in a cloud service. These incidents affect 80.3% of organizations at least once a month. Additionally, 92% of companies have cloud credentials for sale on the Dark Web.”
- Insider Threats: “Organizations experience an average of 14.8 insider threat incidents each month, and 94.3% of organizations experience at least one per month on average.”
- Privileged User Threats: “Privileged user threats occur monthly at 58.2% of organizations, with organizations experiencing an average of 4.3 each month.”
The Report also identified several concerns relating to security controls for cloud service providers:
- “[G]iven the prevalence of data breaches caused by stolen credentials, it is alarming to find that only 19.2% of cloud services support multi-factor authentication.”
- “Due to the general lack of critical security controls across cloud services, employees will inevitably (and inadvertently) select risky cloud services to use.” The Report calculated that 173 of the 1,935 cloud services in use at the average organization (8.9 percent) rank as high risk services.
Finally, the Report summarized the results of a survey it conducted to find out how much respondents trusted their cloud providers to keep their organization’s data secure. Even though cloud security is a shared responsibility and no cloud provider “delivers 100% security,” 69 percent of the respondents said “that they trusted the cloud providers to keep their data secure,” and 12 percent of respondents claimed that the service provider is solely responsible for securing their data.
Note: Each of the key findings summarized above should be the focus of a sustained discussion between compliance officers concerned with cybersecurity and their information security counterparts. A number of the points of vulnerability, such as misconfigurations, can be addressed with relative ease. Failure to establish suitable robust internal controls for cloud security, and failure to understand that companies must play a significant role in maintaining cloud security, are issues that require more sustained attention, and not just at CCO or CISO levels. Corporate dependency on cloud services can only continue to increase in the next several years, which makes continued vigilance about cloud security all the more important.