Companies using infrastructure and platform as a service offerings from IT firms have left themselves vulnerable as they on average misconfigured 14 instances.
This is according to cyber security firm McAfee who in its Cloud Adoption and Risk Report found that enterprises are still leaving services in misconfigured states, despite recent high-profile breaches due to misconfigured cloud storage.
The report found that over 20 percent of all files stored in the cloud contain sensitive data, while the amount of files with sensitive data shared in the cloud has increased by 53 percent year-on-year.
McAfee have found that over 5 percent of all AWS S3 storage buckets are set to a ‘world read’ permissions configuration.
Worryingly they also found that: “Enterprise organizations have at least 1 AWS S3 bucket set with “open write” permissions, giving anyone in the world access to inject their own data into our environments.”
“Not only that, but most organizations access 25 of these “open write” buckets from their corporate network, most often through a third party (take the case of someone reading a news site where the content being streamed comes from an S3 bucket mistakenly misconfigured to be “open write”). Open write is like a free-for-all to anyone trying compromise our organizations.”
Misconfigured Servers
The top ten ways in which McAfee researchers have found misconfigured services running on AWS are;
- EBS data encryption is not turned on.
- There’s unrestricted outbound access.
- Access to resources is not provisioned using IAM roles.
- EC2 security group port is misconfigured.
- EC2 security group inbound access is misconfigured.
- Unencrypted AMI discovered.
- Unused security groups discovered.
- VPC Flow logs are disabled.
- Multi-factor authentication is not enabled for IAM users.
- S3 bucket encryption is not turned on.
The report found that most organisations believe it is using about 30 cloud services, but McAfee found that the average organisation uses roughly closer to 1,900 unique cloud services.
John Noakes, Cloud Specialist, Insight UK commented to Computer Business Review that: “The very nature of the cloud means that it is easy for environments to sprawl out of control – and this report lays bare the real scale of the problem. Organisations might expect a small discrepancy between the number of cloud services they use, and the number they think they are using. But a difference of more than 6,000 percent should be cause for major alarm. To have any hope of controlling risk, organisations need to understand the risks they face, and take firm control of their cloud environments.
“This means having rigorous controls in place to govern how cloud services are purchased and managed, so that IT is not left unaware of the potential scale of any problem. It means following best practice with commissioning and configuring cloud infrastructure, so that data is not left wide open to the public. Part of the problem is that legacy tools, skills and processes aren’t fit for the cloud era, yet many organisations haven’t adapted. As a result they continue to continue to leave themselves wide open to unnecessary risk.”