Cloud Misconfiguration – Don’t Get Caught Out

22 Jan 2019

Migrating to the cloud has revolutionised the systems and processes of thousands – if not millions – of businesses, and because it has become the ‘new normal’, employees aren’t thinking twice about what data they store and share.

According to Ian Barker writing for betanews, ‘Sharing sensitive data in the cloud has increased by 53% year-on-year’ but he goes on to say that ‘Businesses that don’t adopt a cloud strategy that includes data loss protection, configuration audits and collaboration controls, will endanger the security of their data while exposing themselves to increased risk.’

Don’t just take his word for it, there are actual facts to back it up…

  • 22% of cloud users share files externally (up 21% year-on-year)
  • Sharing sensitive data with an open, publicly accessible link has increased by 23%
  • Sensitive data sent to a personal email address has increased by 12%
  • Threat events in the cloud, such as a compromised accounts, privileged users, or insider threats, have increased by almost 28%
  • 80% of all organisations experience at least one compromised account threat per month

And the clincher:

  • 92% of those organisations have stolen cloud credentials for sale on the dark web

The thing is, it’s not just small companies who can’t afford to have cloud security specialists on the payroll. It’s the big players, according to doublehorn.com:

  • 198m voter records were exposed after conservative data firm Deep Root Analytics left a cloud storage server unsecured
  • Nice Systems, a contractor of telecom giant Verizon, leaked over 6m records of Verizon customers and their contact with Verizon customer service
  • Alteryx suffered a data leak involving 123m of the United States’ estimated 126 million households with information including names, addresses, ethnicity and mortgage status. This information was originally in the care of credit reporting agency Experian, as well as the US Census Bureau
  • LocalBox, which made headlines for its controversial scraping of publicly-accessible social media data to build detailed profiles of millions of individuals, left 48m people’s records on a misconfigured storage server

 

What Do You Mean By ‘Misconfiguration’?

 

Well, just that. Not configured properly.

It’s human error. It usually occurs when the IT guys who are accustomed to local infrastructure try and recreate their local solutions in the cloud, oblivious to the fact that the particular cloud provider they’re using has a very specific set of features.

Here are some common errors:

Logging
It might be a tired cliché but it’s true – prevention is better than cure. Knowing when something has gone wrong is half the battle and with enterprises new to the cloud, it’s worth taking advantages of the built-in logging features.

They offer real-time updates, error notifications and other vital information that help you to not only identify issues as they manifest themselves but to respond to them faster and with more accuracy than guessing what the problem might be.

Access Restrictions
One of the most common mistakes IT departments make when setting up cloud services is to start with it wide open and then as the network builds up, restrict access. This is simple laziness where they can’t be bothered to enter credentials and manage logins from the start.

Do it this way and you are effectively inviting anyone with a web browser and big cojones to access, download and even write to a cloud account.

Not to labour the point but in 2017, almost eight billion data documents were compromised and this type of backdoor entry can, in the most extreme cases, allow hackers to inject malicious code into your systems and then extort money, usually in the form of Bitcoin, from you.

Permission Controls
Giving widespread access to the network to everyone in the company regardless of what permissions they actually need is asking for trouble and will create a series of weak points. It’s worth taking advice on this but a rule of thumb is to start everyone with zero permissions and add them on an ‘as-needed’ basis.

 

Experience Counts…

 

Misconfigure your server and you’re inviting trouble where it’s most certainly not welcome. The average cost per record for leaked customer data is around £110, rising to £350 for medical records and in most cases the difference between a huge and costly data breach and a secure cloud server is knowing where to look and what to do.

The cloud can be rock solid but our advice is to take advice from people who know what they’re taking about, for example, us.

 

Should I Analyse Our Risk of Cloud Misconfiguration?

 

Yes, you absolutely should and since you’ve asked, Netskope offer a full infrastructure risk assessment and you can download the PDF of how it works here.

Contact us and we can ensure you’re as secure as you should be, not as secure as you think you are…

For more information about how to avoid a massive and potentially catastrophic data breach, email us today on info@koncisesolutions.com or call 020 7078 0789.

 

Koncise Solutions

 

 

Go Back