Cloud Misconfigurations: A Surging but Overlooked Threat


Enterprises are migrating their workloads to the cloud with the promise of lower costs, increased agility, and greater flexibility. But misconfigured cloud services are a fast-growing source of data breaches. Ameesh Divatia, co-founder and CEO of Baffle, shares some best practices to secure the data analytics pipeline and improve encryption techniques.

Misconfigured cloud services are one of the fastest-growing sources of data breaches today. The statistics are astounding. Misconfigured cloud databases are attacked 18 times per day, and the first attempts arrive within hours of a database coming online. And the latest Verizon Data Breach Investigations Report found that more than 40% of all error-related breaches involved misconfigurations.

Last year's massive Capital One breach is an example of such a misconfiguration, to the tune of 100 million exposed customers: a misconfigured web application firewall let the attacker obtain credentials for a role that was allowed to list and read the company's S3 buckets. At the time, Capital One said it had "fixed the configuration vulnerability." But, as it turned out, someone had already stolen the data out of the AWS S3 buckets, and the company now faces an $80 million fine for "failing at security in the cloud." This incident clearly illustrates that identifying issues only after the data is stolen is of no use.

Understand the Complexities

While the cloud simplifies many aspects of information infrastructure, especially provisioning, the configuration of security and access controls can be complicated and confusing. In AWS, for example, access to an S3 bucket and its objects is governed by several overlapping mechanisms (bucket policies, legacy ACLs, IAM policies attached to principals, and the Block Public Access settings at the bucket and account level). The tooling for reasoning about their combined effect is awkward and complex, and keeping a bucket private still requires significant, patient hands-on attention.
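As an added example (not code from the article, Baffle or AWS), here is a small checker that reads an S3 bucket policy and reports the statements that are open to any principal, with the weak policy, the hardened policy and the Block Public Access guard rail placed side by side. The bucket name, account ID and role name are made up, and the set of narrowing condition keys is a deliberately reduced subset of the ones AWS uses in its own definition of "public".

```python
"""Added example (not from the article or Baffle): flag an S3 bucket policy
that grants access to everyone, and show the hardened policy and the
account-level guard rail beside it.  Bucket, account and role names are
made up."""

# Constructed weak policy: every object in the bucket is world-readable.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-data-lake/*",
    }],
}

# Corrected policy: one named role may read, and all access must use TLS.
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AnalyticsRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-reader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-data-lake",
                         "arn:aws:s3:::example-data-lake/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-data-lake",
                         "arn:aws:s3:::example-data-lake/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

# S3 Block Public Access settings (bucket or account level).  With
# RestrictPublicBuckets on, a public bucket policy is only honoured for the
# bucket owner's account and AWS services, so a slip like PUBLIC_POLICY does
# not expose data; BlockPublicPolicy rejects such a policy at PUT time.
BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Condition keys that pin a "*" principal to a specific account, org or
# network.  Assumption: a reduced subset of the keys AWS itself consults
# when deciding whether a policy counts as public.
NARROWING_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
}


def _as_list(value):
    """IAM allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def is_anyone(principal) -> bool:
    """True for the two spellings that mean 'any principal, even anonymous'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy: dict) -> list:
    """Sids of Allow statements open to everyone without a narrowing condition."""
    found = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not is_anyone(st.get("Principal")):
            continue
        keys = {k.lower() for block in st.get("Condition", {}).values() for k in block}
        if keys & NARROWING_KEYS:
            continue  # "*" but pinned to a VPC endpoint, org, account, etc.
        found.append(st.get("Sid", "<no Sid>"))
    return found


def assess(policy: dict, public_access_block: dict) -> dict:
    """Combine the policy with Block Public Access to get the effective exposure."""
    sids = public_statements(policy)
    if not sids:
        verdict = "private"
    elif public_access_block.get("RestrictPublicBuckets"):
        verdict = "restricted"  # the guard rail caught it; still fix the policy
    else:
        verdict = "PUBLIC"
    return {"public_sids": sids, "verdict": verdict}


if __name__ == "__main__":
    for name, pol in (("weak", PUBLIC_POLICY), ("hardened", PRIVATE_POLICY)):
        print(name, "without guard rail:", assess(pol, {}))
        print(name, "with guard rail:   ", assess(pol, BLOCK_PUBLIC_ACCESS))
```

The point of the `assess` verdicts is that a public bucket policy and a missing guard rail are two separate findings: Block Public Access turns a mistake into a near miss, but the policy itself should still be corrected, since the guard rail can be switched off by anyone with the right IAM permission.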

While it is difficult enough to navigate the security complexities of a single cloud service provider (CSP), Gartner's research found that 81 percent of organizations surveyed use more than one CSP. As a result, security becomes exponentially more difficult to manage. Each CSP has its own native security configurations, dashboards, and policy language, and switching between them is not as easy as flipping a switch. This complexity only makes it harder for humans, who can only be proficient in so many systems, to stay on top of security issues.

Although there remains some confusion over who is responsible for security (the customer is responsible for security in the cloud; the cloud provider is responsible for the security of the cloud), the greater risk is the litany of errors, intentional or otherwise, that can emerge from employees, and increasingly from partners and suppliers, who access a company's data. Organizations should look at cloud deployment and development processes at an operational level to understand what checks and balances exist to prevent security gaps.


Secure the Data Analytics Pipeline

While most cloud-based infrastructure includes basic cybersecurity protection, it is not enough to stop most attackers, because misconfigurations and a lack of access control can still result in a data breach. As companies settle into their new cloud-based realities, they will soon realize the need for a new approach to cloud data protection: securing the data analytics pipeline. This includes:

  • Discovery: You can't protect what you can't find. After finding data, which typically arrives from external sources, attach a policy that defines how it will be protected and processed. Look for specific data formats, such as the nine-digit Social Security number pattern or payment card numbers, which begin with a six- or eight-digit issuer identification number and end in a Luhn check digit.
  • Data masking: Data masking is a one-way transformation that replaces sensitive values with realistic dummy values, so a masked copy presents no risk of loss if it is compromised. This practice is common among companies that use cloud infrastructure for test and development, but it will soon become a broader security practice at many companies as they comply with privacy regulations.
  • Tokenization: Like masking, tokenization replaces a sensitive value with an authentic-looking substitute (a token). A rogue access sees only decoys and may believe it is reading real data, while applications holding the correct key, or access to the token vault, can still map tokens back and process the real values.
  • Improved encryption techniques: Encrypt at the record (field) level so that data is protected not only at rest but also while in use, in memory, and in the search index, without decrypting it for the application or breaking the application's queries. 
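As an added example that is not part of the original article or Baffle's product, the following Python walks through the discovery, masking and tokenization steps from the list above on a few constructed rows: pattern matching with a Luhn check for card numbers, a one-way HMAC-derived mask, and a reversible token vault. The regexes, the per-type policy and the vault design are assumptions made for illustration; the record-level encryption item is a product feature and is not shown.

```python
"""Added example (not from the article or Baffle): the discovery, masking
and tokenization steps of a data pipeline on constructed sample rows.
Regexes, policies and the vault are illustrative assumptions."""
import hashlib
import hmac
import re
import secrets

# Constructed rows as they might land from an external source.  None of the
# identifiers belong to a real person or a real card.
SAMPLE_ROWS = [
    "id=1001 name=A. Example ssn=123-45-6789 card=4111 1111 1111 1111",
    "id=1002 name=B. Example ssn=456-78-9012 card=4111-1111-1111-1112",
    "id=1003 name=C. Example note=order 1234567890123 shipped",
]

# Discovery patterns.  The SSN pattern excludes never-issued area, group and
# serial numbers; the card pattern accepts 13-19 digits with optional
# separators and is confirmed with the Luhn check digit to cut false hits.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Policy attached to each discovered kind: what the pipeline does with it.
POLICY = {"ssn": "tokenize", "card": "mask"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def discover(row: str) -> list:
    """Find sensitive fields in one row and attach the handling policy."""
    findings = [{"kind": "ssn", "value": m.group(), "policy": POLICY["ssn"]}
                for m in SSN_RE.finditer(row)]
    for m in CARD_RE.finditer(row):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append({"kind": "card", "value": m.group(),
                             "iin": digits[:8], "policy": POLICY["card"]})
    return findings


MASK_KEY = secrets.token_bytes(32)  # in production: held in a KMS/HSM


def mask(value: str, key: bytes = MASK_KEY) -> str:
    """One-way, format-preserving masking.  Digits are drawn from an HMAC of
    the value, so the same input always masks to the same dummy (joins
    between masked tables still work) while no table maps it back.  Keep the
    key secret: SSNs have little entropy, and a known key would let an
    attacker brute-force the mapping."""
    n = int.from_bytes(hmac.new(key, value.encode(), hashlib.sha256).digest(), "big")
    out = []
    for ch in value:
        if ch.isdigit():
            n, d = divmod(n, 10)
            ch = str(d)
        out.append(ch)
    return "".join(out)


class TokenVault:
    """Reversible, format-preserving tokenization.  A token looks like a real
    value but is random; only a holder of the vault can turn it back, so a
    leaked copy of the tokenized data set is a decoy."""

    def __init__(self) -> None:
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value: str) -> str:
        if value in self._to_token:
            return self._to_token[value]
        while True:
            token = "".join(str(secrets.randbelow(10)) if c.isdigit() else c
                            for c in value)
            if token != value and token not in self._to_value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._to_value[token]  # KeyError: not one of ours


def protect_row(row: str, vault: TokenVault) -> str:
    """Apply each finding's policy so the row can move on down the pipeline."""
    for f in discover(row):
        repl = vault.tokenize(f["value"]) if f["policy"] == "tokenize" else mask(f["value"])
        row = row.replace(f["value"], repl)
    return row


if __name__ == "__main__":
    vault = TokenVault()
    for r in SAMPLE_ROWS:
        print(discover(r))
        print(protect_row(r, vault))
```

Two details matter in practice. The Luhn check is what keeps the order number in the third row from being flagged as a card, and the second row's card fails it as well; without that check a pipeline masks noise and misses nothing, but it also floods reviewers with false positives. And the difference between the mask and the vault is exactly the difference the list draws: the mask keeps no way back, the vault does, so the vault (not the tokenized data) is what has to be protected.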

It has been said that data's endless value makes it "the new oil." However, some would also assert that data is the new asbestos: when carelessly handled, it can result in myriad problems that may be difficult to correct. To fully realize data's potential, organizations should proactively secure data in a manner that reflects their specific needs and challenges and the types of data they store.
