Misconfigured Cloud Applications Are Putting Your Data At Risk

As more and more organisations continue to move their systems and applications to the cloud in 2023, cybercriminals everywhere hear the sound of opportunity knocking. They know that, as they hunt for vulnerable systems, this move increases their chances of coming across a cloud application that has been inadvertently left exposed due to misconfiguration.

The result: an open door to valuable company data including client and employee personal information, financial data, supplier agreements, et cetera. 

With cloud misconfiguration still being considered one of the biggest threats to cloud security, if not the biggest, organisations need to revisit their cloud adoption strategies and ensure their sensitive information is properly protected by prioritising cloud security.

Time To Ditch The Default

So, how do these misconfigurations occur in the first place?

There are all kinds of reasons. Some of these cloud applications are being rolled out to serve the needs of a specific department or team. Therefore, the priority is more on the business issue the application is trying to resolve than on the need to integrate and interact with internal systems and endpoints securely. So, to speed up adoption and solve the issue for that department or team, the application is rolled out with default settings, which may seem sufficient at that time.

However, default settings tend to be too open and could be easily exploited by attackers. One example is leaving a system account with a default password.

Another issue is the inconsistent approach to configuring cloud applications. Changes are made on an ad-hoc basis and not necessarily replicated across all applications and systems. This makes it more complicated when trying to fix configuration issues, and can expose data stored in these systems to breaches.

The lesson here? IT should be brought in early, even before any new cloud application is selected, to ensure the application is tested and meets the requirements of the configuration checklist defined by the organisation. A centralised approach is also necessary to ensure changes to configurations are carried out consistently across all cloud systems and properly documented.

Cloud Security Is A Shared Responsibility

The tendency to opt for default settings is closely intertwined with another important factor that can cause security gaps in cloud services: a lack of awareness that security is a responsibility shared by many parties - including the customer themselves. 

When it comes to cloud applications, there’s no such thing as “security that is 100% handled by the vendor.”

The service provider that provides the infrastructure - think here of Amazon Web Services (AWS), Microsoft Azure, or Google Cloud - is responsible for delivering a certain foundational level of security. On top of that service provider, the cloud vendor who delivers the specific application that the organisation is using is responsible for another layer of security. But the final piece of the security puzzle is the customer.

Thinking that “it’s in the cloud, it must be protected” is the wrong assumption. In fact, the customer needs to play a big part by determining which users get to access which data, what level of privileges they should have, and so on – the vendor can’t handle that aspect.

That’s why it’s critical for organisations to understand the Shared Responsibility Model, and for all key internal and external stakeholders to be clear about their roles and responsibilities.

Avoid The Gaps

Cloud adoption will only continue to gain momentum in the year ahead, which is all the more reason to ensure that cyber criminals aren’t provided with any low-hanging fruit due to misconfigured cloud systems. Unfortunately, it is a matter of “when” and not “if” an organisation will be targeted by cyber criminals. So, preparation is key.

Auditing cloud applications and their configurations, as well as confirming that all parties are clear about their shared responsibilities, can make a world of difference in ensuring that organisations are able to keep their sensitive data safe and out of the hands of bad actors.

Manuel Sanchez is an Information Security & Compliance Specialist at iManage
