Before the pandemic forced thousands of employees to work from home and required employers to make network resources available to those remote workers, many employers were contemplating moving some of their data to cloud servers.
The reasons were clear: cloud-based services such as Amazon Web Services (AWS), Google Compute Platform, and Microsoft Azure offered agility and scalability, allowing organizations to quickly add new users and services as needed, not to mention the cost savings of a subscription versus maintaining their own physical infrastructure.
This rush to the cloud has resulted in several lapses in data security, including misconfiguration of the cloud services, a lack of understanding as to who is responsible for what, and simple poor internet hygiene.
According to the 2020 Cloud Threat Report from Oracle and KPMG, 51 percent of organizations reported that misconfigurations have led to compromise and exposure of sensitive data. This includes exposure of unencrypted data to the public internet without any required authentication; granting public access to storage buckets; improper creation of network functionality; allowing all system users access to exposed cloud-stored data; and storing encryption passwords and keys in open repositories, among other issues.
These issues point to the second problem. Uncertainty about what the customer is responsible for and what the cloud service is responsible for continues to cause data exposure risks. For instance, both Amazon's infrastructure-as-a-service (IaaS) model and Microsoft's platform-as-a-service (PaaS) Azure model try to communicate the principle that they take care of the basics while the customer takes care of what is under their control. Thus, while AWS will ensure that S3 buckets can only be accessed consistent with the policy governing their use, that policy is the customer's responsibility to set for the data stored there. Many customers have suffered data exposure because they failed to do their part to secure their data.
Finally, even if properly configured, data may be exposed due to poor password hygiene. According to Verizon's 2021 Data Breach Investigations Report, over 80 percent of data and privacy breaches are due to poor password practices. "Rethinking Cyber-Defense Strategies in the Public-Cloud Age" www.threatpost.com (Apr. 22, 2022).