October 30, 2018

Misconfigured Clouds Spewing Sensitive Data, Warns McAfee

Five percent of AWS set to "world read": "Want to modify our S3 records? Have at it. Want to inject malicious code? Even better"

By Jonathan Chadwick

An increase in organisations’ use of cloud services to store sensitive information and a greater reliance on collaboration services for more effective working are posing a security risk, says a McAfee cloud report.

The cybersecurity company said it identifies 2,269 misconfiguration incidents per month, in which information is unwittingly made freely available.

The security firm analysed millions of events of anonymous customers for its Cloud Adoption and Risk Report. It found that 21 percent of all files in the cloud contain sensitive data, up 17 percent over the past two years.

McAfee said the risk of exposure increases with the need for improved fluidity between devices at work: “Collaboration means sharing, and that sharing can lead to the loss of our sensitive data.”

Sharing sensitive data with an open, publicly accessible link has increased by 23 percent over the past two years, McAfee said.

14 percent of cloud files containing data are shared to personal email addresses, and 12 percent to anyone with a link – two “red flags”.

“Anyone using a corporate cloud account and sending data to a personal email address is invariably removing that data from any oversight by the information security team.

“Even worse however is data shared to anyone with an open link, potentially leading to uncontrollable sprawl of data to completely unknown individuals and organisations.”

An average organisation generates more than 3.2 billion unique transactions in cloud services each month, such as user login, the uploading of files, or document editing.

Organisations also experience 12.2 incidents each month where an unauthorised third-party has used stolen account credentials to access corporate data stored in the cloud.

Enterprise vs Consumer Cloud at Work

McAfee revealed that an average company’s cloud use is made up of 70 percent enterprise services and 30 percent consumer services – and the majority of consumer cloud use at work comes in the form of social media.

Office 365 is the top enterprise cloud service by user count, followed by Salesforce and Cisco WebEx.

Office 365’s increased popularity has resulted in a larger increase in sensitive data flowing through cloud-based email – one of the easiest vectors for data loss.

Among consumer services, the top 10 were Facebook, YouTube, Gmail, Twitter, LinkedIn, Apple iCloud, Google Drive, Dropbox, Skype, and WhatsApp.

Facebook is still the most commonly used social media app at work, followed by Twitter and LinkedIn.

5% of AWS Storage set to “World Read”

The McAfee cloud report also said enterprises using IaaS/PaaS have 14 misconfigured services running at any given time — resulting in an average of 2,269 misconfiguration incidents per month.

The report estimates that around 5.5 per cent of all AWS S3 storage instances are set to “world read”.

This means that anyone with the address of the S3 bucket would be able to access the bucket’s contents.

“On average, we see that enterprise organisations have at least 1 AWS S3 bucket set with ‘open write’ permissions, giving anyone in the world access to inject their own data into our environments.

“Want to modify our S3 records? Have at it. Want to inject malicious code? Even better. This one is an open book (literally), and needs to be checked and shut down both for the S3 buckets we own and the ones from third and fourth parties,” McAfee added.
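An added example, not part of the McAfee report or the original article: a Python check that flags the "world read" and "open write" conditions described above in an ACL document shaped like the S3 GetBucketAcl response. Bucket names and ACL contents are constructed for illustration; the check also covers grants to the AuthenticatedUsers group and the WRITE_ACP permission, which go beyond the two cases the article names.

```python
# Added example: classify S3 bucket ACL grants that expose a bucket publicly.
# Input shape follows the GetBucketAcl response ("Grants" -> "Grantee"/"Permission").
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone", AUTH_USERS: "any AWS account"}

# ACL permission -> exposure classes it implies
EXPOSURE = {
    "READ": {"public-read"},            # the article's "world read"
    "WRITE": {"public-write"},          # the article's "open write"
    "WRITE_ACP": {"public-acl-write"},  # grantee can rewrite the ACL itself
    "FULL_CONTROL": {"public-read", "public-write", "public-acl-write"},
}

def audit_acl(bucket, acl):
    """Return (bucket, issue, scope) for every grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grants to a specific canonical user are not public
        scope = PUBLIC_GROUPS.get(grantee.get("URI"))
        if scope is None:
            continue  # other groups (e.g. log delivery) are out of scope here
        for issue in sorted(EXPOSURE.get(grant.get("Permission"), ())):
            findings.append((bucket, issue, scope))
    return findings

def audit_all(acls):
    """Audit a mapping of bucket name -> ACL document."""
    return [f for name in sorted(acls) for f in audit_acl(name, acls[name])]

# Constructed sample ACLs (not real buckets or account IDs).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}
SAMPLE_ACLS = {
    "example-private": {"Grants": [OWNER]},
    "example-world-read": {"Grants": [
        OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "example-open-write": {"Grants": [
        OWNER,
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"}]},
}

if __name__ == "__main__":
    for bucket, issue, scope in audit_all(SAMPLE_ACLS):
        print(f"{bucket}: {issue} granted to {scope}")
```

ACL grants are only one route to public exposure; bucket policies and the account's Block Public Access settings also determine whether a bucket is reachable, so a clean result here does not by itself mean a bucket is private.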

Data use and Deletion

Of the 25,000 cloud services in use, only 8 percent meet McAfee’s data security and privacy requirements.

Only 37.3 percent of providers specify that customer data is owned by the customer — the rest either claim ownership over all data uploaded, or don’t specify.

13.3 percent of providers delete data immediately on account termination. The rest keep data up to one year.
