While Australian organisations are quick to adopt IaaS, they're not meeting the security standards required in this new era of cloud security threats, and an alarming number of misconfigurations are going undetected.
McAfee has launched a report titled “Cloud Native: The Infrastructure-as-a-Service (IaaS) Adoption and Risk Report”, revealing enterprises are shockingly unaware of misconfiguration issues they face in the cloud – only 1% of these incidents are actually uncovered. This comes as cloud adoption is skyrocketing and enterprises report that 21% of data stored in the cloud is sensitive.
This year’s Capital One breach is the most obvious and impactful data breach as a result of cloud misconfigurations, which exposed the personal information of nearly 106 million of the bank’s customers and applicants.
Key findings from the report:
- Only 1% of misconfiguration incidents in enterprise infrastructure are known: companies claim they average 37 per month, when in reality they experience 3,500
- Flip it around, and that’s 99% of misconfiguration incidents in public cloud environments that are going undetected, exposing companies to massive risk
- 40% of Australian companies show a lack of staff with the skills to secure IaaS
- 34% of Australian respondents said their organisation can correct an IaaS misconfiguration within days
- Out of these 3,500 monthly real-world misconfiguration incidents, 73% are eventually resolved, leaving 27% potentially vulnerable to attack
- Only 26% of businesses are equipped to audit for misconfigurations in IaaS
- Data loss prevention (DLP) incidents in IaaS increased 248% YoY
McAfee’s local cloud expert, Jonathan Andresen, Director, Marketing, Asia-Pacific & Japan – Cloud BU, comments on this report and what it means for cloud security in Australia, while highlighting the remaining issue of IaaS misconfiguration in the cloud:
“McAfee’s Cloud-Native: The Infrastructure-as-a-Service Adoption and Risk report highlights that both globally and in Australia, organisations are struggling to secure the cloud, particularly when it comes to misconfiguration and data loss prevention incidents.
According to Gartner, the rapid demand for cloud infrastructure-as-a-service (IaaS) makes it the fastest-growing market, almost doubling from $652 million in 2019 to $1.2 billion in 2022. In the race to adopt IaaS, organisations are overlooking the shared responsibility model, resulting in 99 percent of misconfiguration incidents in public cloud environments going undetected, which dangerously exposes them to data loss.
McAfee’s report revealed 40 percent of Australian companies show a lack of staff with the skills to secure IaaS. Without the adequate skills and competency required from security teams, sensitive customer data in the cloud will remain at constant risk. The report also cited that 34 percent of Australian respondents said their organisation can correct an IaaS misconfiguration within days. This leaves ample time for adversaries to scan and attack open ports or other vulnerable resources.
While only one percent of misconfiguration incidents in IaaS are known, it’s crucial that organisations work collaboratively to defend against a new era of cloud security threats. It’s recommended organisations build IaaS configuration auditing into the CI/CD process early on to minimise the volume of misconfigurations that make it to production and to protect their data while developers are working in pre-production. Further, to address the lack of skills required, organisations are urged to invest in cloud-native security tools and training for security teams alike.
Now more than ever before, it’s vital Australian organisations address their portion of the shared responsibility model to ensure the security of their data in the cloud, and the safety of their customers.”