Why you can’t ignore the security risks of cloud misconfiguration

Cloud misconfiguration refers to haphazardly putting sensitive data and other information resources into cloud environments without protecting their confidentiality, integrity, availability, or safety. This is quickly becoming the top cloud security risk, as Gartner predicts 99 percent of cloud breaches will be caused by customer misconfiguration or mistake. Common examples of these mistakes include poor access security like bad passwords, a lack of strong encryption, or failing to manage usage privileges across cloud apps.

In short, cloud misconfiguration is a data governance problem. Moreover, cloud misconfiguration becomes more severe if you allow your infrastructure of cloud services to sprawl. The more cloud services you use, the more your sensitive data is spread around and vulnerable to bad actors or data loss. This is not a warning to avoid adopting the right cloud services for the right job, but rather to have a specific policy for how you use these cloud resources—including who gets access and how.

Cloud misconfiguration is a real threat, but there are proven ways to mitigate it by organizing and securing cloud resources. Here are four leading practices to protect your data from cloud misconfiguration:

1. Classify your data—and who gets access—appropriately.
   Start by determining which data require which layers of cloud security. Some data may be useful to everyone in your organization and thus require widespread access; other sensitive data should only be available on a need-to-know basis. While this might seem like an obvious point, a common mistake is not having clear and consistent data lifecycle policies for all cloud workloads. Once IT has these lifecycle policies in place, it’s much easier to manage who can access and modify cloud infrastructure to keep data safe.
2. Understand your cloud app and API defaults to find security gaps.
   Make sure your IT team knows the default configurations for any cloud services or apps you adopt, as each cloud vendor has their own settings and SLAs. This makes it easier for you to identify potential security gaps in your cloud infrastructure and adopt policies or technology to address these misconfigurations. By establishing end-to-end visibility across your cloud security, you can also design the right audit provisions and reporting processes to quickly find anomalies before they turn into a data breach.
3. Develop a clear DevSecOps workflow.
   The foundation of a clear DevSecOps workflow is making sure your developers are continuously trained on cloud security. Even when writing test code or prototyping, developers must realize everything they do has security implications. User data gets de-anonymized all the time, so it’s vital you consider your security use cases up front so everyone knows how your system can be used and abused.
4. Minimize cloud complexity wherever possible.
   System complexity and compliance failures are top factors in amplifying the cost of a data breach. As you look for ways to minimize cloud complexity, work with IT to securely automate the process of deploying and delivering cloud workloads, as this enables you to define secure lifecycle policies and follow them by default. It’s also helpful to work with a set of established vendors that value interoperability and security instead of piecing together a complicated solution from multiple vendors. This unified approach will simplify your cloud workflows and help ensure cloud resources are provisioned and accessed securely.

In this hybrid work era, more and more of your distributed workforce is going to rely on cloud technology. This makes it especially crucial for you to take cloud security and cloud misconfiguration seriously during your IT modernization, as the pace of change is only going to accelerate. By adopting data governance policies designed for the cloud, you can empower your remote workers to be productive anywhere—while ensuring your data will be safe everywhere.