Misconfigured Cloud Applications Are Putting Your Data At Risk

As more and more organisations continue to move their systems and applications to the cloud in 2023, cybercriminals everywhere hear the sound of opportunity knocking. They know that as they hunt for vulnerable systems, this increases their chances of coming across a cloud application that has been left exposed inadvertently due to misconfiguration.

The result: an open door to valuable company data including client and employee personal information, financial data, supplier agreements, et cetera. 

With cloud misconfiguration still being considered one of the biggest threats to cloud security, if not the biggest, organisations need to revisit their cloud adoption strategies and ensure their sensitive information is properly protected by prioritising cloud security.

Time To Ditch The Default

So, how do these misconfigurations occur in the first place?

There are all kinds of reasons. Some of these cloud applications are being rolled out to serve the needs of a specific department or team. Therefore, the priority is more on the business issue it is trying to resolve than the need to integrate and interact with internal systems and endpoints securely. So, to speed up the adoption and solve the issue for that department or team, the application is rolled-out with default settings which may seem sufficient at that time.

However, default settings tend to be too open and could be easily exploited by attackers. For instance, leaving a system account with a default password.

Another issue is the inconsistent approach to configuring cloud applications. Changes are made on an ad-hoc basis and not necessarily replicated across all applications and systems. This makes it more complicated when trying to fix configuration issues, and can expose data stored in these systems to breaches.

The lesson here? IT should be brought in early, even before any new cloud application is selected, to ensure the application is tested and meets the requirements of the configuration checklist defined by the organisation. A centralised approach is also necessary to ensure changes to configurations are carried out consistently across all cloud systems and properly documented.

Cloud Security Is A Shared Responsibility

The tendency to opt for default settings is closely intertwined with another important factor that can cause security gaps in cloud services: a lack of awareness that security is a responsibility shared by many parties - including the customer themselves. 

When it comes to cloud applications, there’s no such thing as “security that is 100% handled by the vendor.”

The service provider that provides the infrastructure - think here of Amazon Web Services (AWS), Microsoft Azure, or Google Cloud - is responsible for delivering a certain foundational level of security. On top of that service provider, the cloud vendor who delivers the specific application that the organisation is using, is responsible for another layer of security. But the final piece of the security puzzle is the customer.

Assuming that “it’s in the cloud, it must be protected”, it’s the wrong assumption. In fact, the customer needs to play a big part by determining which users get to access which data, what level of privileges should they have, and so on – the vendor can’t handle that aspect.

That’s why it’s critical for organisations to understand the Shared Responsibility Model, and for all key internal and external stakeholders to be clear about their roles and responsibilities.

Avoid The Gaps

Cloud adoption will only continue to gain momentum in the year ahead, which is all the more reason to ensure that cyber criminals aren’t provided with any low hanging fruit due to misconfigured cloud systems. Unfortunately, it is a matter of “when” and not “if” an organisation will be targeted by cyber criminals. So, preparation is key.

Auditing cloud applications and their configurations, as well as confirming that all parties are clear about their shared responsibilities can make a world of difference in ensuring that organisations are able to keep their sensitive data safe and out of the hands of bad actors.

Manuel Sanchez is an Information Security & Compliance Specialist at iManage

You Might Also Read: 

DMS Alerts Should Be Key To Organisations’ Security Orchestration:

 

« US Defense Contractors Don't Meet Basic Cyber Security Standards
Remote Work: Three Top Trends In 2023 »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

DigiCert

DigiCert

DigiCert is the only provider of enterprise-grade SSL, IoT and PKI solutions. Our certificates are trusted everywhere, millions of times every day, by companies across the globe.

FDM Group

FDM Group

FDM Group is an international Professional services company with a focus on IT. Services offered include Software Testing, and Information Security with a focus on operational security and compliance.

A-SIT Secure Information Technology Center

A-SIT Secure Information Technology Center

A-SIT was founded in 1999 as a registered nonprofit association and is established as a competence center for IT-Security.

Cyberteq

Cyberteq

Cyberteq is an innovative Information and Communication Technology Consulting Company, enabling it’s customers to take full advantage of the latest technologies in a secure manner.

NuSummit

NuSummit

NuSummit (formerly NSEIT) specializes in empowering financial services firms to navigate complex challenges with cutting-edge, technology-driven solutions.

GM Security Technologies

GM Security Technologies

GM Security Technologies provides leading managed security services of the highest quality to every type of individual and organization in Puerto Rico, Caribbean and Latin America.

Practical Assurance

Practical Assurance

Practical Assurance helps companies navigate the rough terrain of information security compliance.

Iron Bow Technologies

Iron Bow Technologies

Iron Bow Technologies is a leading IT solution provider dedicated to successfully transforming technology investments into business capabilities for government, commercial and healthcare clients.

Cyber Insurance Academy

Cyber Insurance Academy

Cyber Insurance Academy was founded to provide insurance professionals with the knowledge needed to work in cyber-insurance and cyber-related insurance fields.

Redpoint Security

Redpoint Security

Redpoint Security is an application security consulting firm that is focused on all aspects of code security.

Accops Systems

Accops Systems

Accops enables secure and instant remote access to business applications from any device and network, ensuring compliant enterprise mobility.

CCX Technologies

CCX Technologies

CCX Technologies design and develop a wide range of cybersecurity and testing solutions for the aviation, and military and government markets.

ITC Federal

ITC Federal

ITC Federal delivers IT cybersecurity assessment services to support agencies in meeting their security strategies and federal security compliance goals.

Xoriant

Xoriant

Xoriant is a technology leader and execution partner throughout the Build, Run and Transform lifecycle for companies that create and use technology products.

Hetz Ventures

Hetz Ventures

Hetz Ventures is a global-facing VC investing in highly talented and ambitious Israeli founders who operate at the cutting edge of deep technology.

Silent Circle

Silent Circle

Silent Circle is the leader in end-to-end enterprise solutions for secure mobile communications.