Mitigating Cloud Misconfiguration Risks to Your Data

By Ramon Peypoch, Senior Vice President of Products, VERA

The security concerns about cloud infrastructure that shadowed the technology from its nascent stages have largely dissipated as cloud adoption has spread and security has improved. While even public cloud infrastructure is now far more secure, data in the cloud is unfortunately still vulnerable due to a different challenge - misconfiguration.

There are many recent examples of misconfigured cloud deployments that led to data being exposed or breached - in healthcare, finance, telecommunications, hospitality and technology; really, every sector is vulnerable. Check Point Software Technologies reports that "Following the 2018 trend, practices such as misconfiguration and poor management of cloud resources remained the most prominent threat to the cloud ecosystem in 2019 and, as a result, subjected cloud assets to a wide array of attacks."

One of the predominant reasons for this development is that most leading cloud providers maintain a "shared responsibility" model, wherein the provider bears responsibility for protecting its hardware and software infrastructure, but the customer bears responsibility for protecting the data that it puts into that cloud environment. Recent research published by Oracle revealed that 90% of Chief Information Security Officers (CISOs) do not fully understand their team's role in the shared responsibility model, even though 49% of Oracle's respondents said they expect to store the majority of their data in a public cloud by 2020 - that's just around the corner.

When the deployment of cloud workloads (IaaS, PaaS, SaaS, containers and serverless) and of cloud security services (networking, encryption, WAF and SIEM) is not automated, configuration is done manually, which increases the chance of human error. Default configurations can also cause problems. For example, the Box breach from March 2019 that left hundreds of thousands of sensitive documents exposed was actually the result of a default setting that security researchers were easily able to exploit; the feature worked exactly as designed, but the Box deployments were misconfigured by users. Box has since changed those default settings.

Cloud service providers like AWS are not standing by idly waiting for solutions to take hold. Likely as a result of the high-profile misconfiguration that led to the Capital One data breach, AWS has taken the proactive position of scanning customer accounts in order to warn customers of any misconfigurations it surfaces in those accounts.

Other common errors include insufficient access restrictions, not following internal security policies, and failing to audit resources. While some may like to "blame the victim" for not adequately securing access to their data, we have seen that even firms that are highly sophisticated and mature in their security approach can still get hacked - attackers these days are very resourceful. Consequently, protection needs to extend down to the data itself.

There are a variety of market solutions that address file and content protection across third-party repositories. While most are well suited to defending data at rest, protection for data in motion is equally important and must be factored into the solution. Given the extent to which data sharing with third and even fourth parties is regularly practiced, one simply can't anticipate where sensitive data might end up.

Further, protecting data in the cloud has to be approached as part of a robust ecosystem of security technologies, rather than as a vendor-specific or niche concern. Data-level defense needs to integrate with varying parts of a complex security infrastructure, readily working with other important components of the stack such as data classification, data loss prevention and activity monitoring products.

About the Author

Ramon J. Peypoch, SVP Products

A proven leader in the security industry, Ramon leads VERA's product strategy, management and market delivery. Prior to VERA, he was part of the founding team of ProtectWise, Inc. (acquired by Verizon). Earlier he was Vice President, Web Protection at McAfee. With a track record of creating category-leading security products and companies, he has held executive product and business development positions at Proofpoint, Websense and Symantec. He serves as a Board Member for Abusix, Inc. (network abuse and threat mitigation), a Trustee of the Keys School in Palo Alto, CA and serves on the board of Palo Alto Girls Softball. Ramon holds a M.B.A. in Finance & Entrepreneurial Management from The Wharton School and a B.A. in World Politics and Spanish from Hamilton College.

Published Monday, October 14, 2019 7:17 AM by David Marshall