Don’t Rely on CASB – Cloud Misconfiguration Leads to More Breaches
With widespread adoption, security for both public and private clouds has improved considerably over the technology's early days. Cloud Access Security Brokers (CASBs) are popular tools for securing an organization's access to public cloud applications. But a CASB provides only point-in-time, localized control: it cannot prevent loss of control over cloud-based data once that data has been accessed. Increasingly, that loss happens through a different route – cloud misconfiguration.
Verizon's 2020 Data Breach Investigations Report (DBIR) found that cloud misconfiguration errors are among the top five actions that cause breaches. Gabriel Bassett, a senior information security data scientist at Verizon, noted that the trend picked up considerably in the 2020 data set. Other research published by McAfee in September 2019 noted that the "majority of IaaS misconfigurations go unnoticed. Only 1% are reported, which may suggest countless companies unwittingly leak data."
Yet although Verizon reports that cloud misconfigurations now lead to more breaches than exploited vulnerabilities, vulnerability scanning typically remains the larger organizational security practice. That could be because many Chief Information Security Officers (CISOs) don't fully understand their team's role in the shared responsibility model that the leading cloud providers maintain: the provider secures its hardware and software infrastructure, but the customer must secure the data it puts there and the configuration that controls access to it.
How Cloud Misconfiguration Happens
When deployment of cloud workloads (IaaS, PaaS, SaaS, containers and serverless) and of cloud security services (networking, encryption, WAF and SIEM) is not automated, configuration is done by hand, which increases the chance of human error. Default configurations can also cause problems.
For example, the Box exposure disclosed in March 2019, which left hundreds of thousands of sensitive documents reachable from the open internet, was the result of a default link-sharing setting that security researchers found easy to exploit. The feature worked exactly as designed; the Box deployments were misconfigured by their users. Box has since changed those default settings. To its credit, AWS now also proactively scans customer accounts and warns customers of misconfigurations it detects.
Other common errors include insufficient access restrictions, failure to follow internal security policies, and failure to audit resources. Some may be inclined to "blame the victim" for not adequately securing access to their data, but even firms with highly sophisticated and mature security programs still get hacked; attackers today are very resourceful.
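The "insufficient access restrictions" and "failing to audit resources" errors above are concrete enough to check for. The following audit script is an added example for this article, not code from the original page or from Digital Guardian: it inspects an S3-style bucket policy and ACL for the two settings behind most leaky-bucket incidents (an Allow statement whose Principal is everyone, `"*"`, and an ACL grant to the AllUsers or AuthenticatedUsers group), then combines the findings with the bucket's Block Public Access settings. The policy, ACL and Block Public Access documents are constructed samples in the shape the S3 API returns; the account ID and role name in the hardened policy are hypothetical. In practice the inputs would come from `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`.

```python
"""Offline check of an S3-style bucket for public exposure (added example)."""
import json

# Real S3 group URIs that make an ACL grant public.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (alone or inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_bucket_policy(policy):
    """Return one finding per Allow statement that is open to every principal."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is legal JSON
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        findings.append({
            "source": "policy",
            "sid": stmt.get("Sid", ""),
            "actions": _as_list(stmt.get("Action")),
            # A Condition (e.g. aws:SourceVpce) may narrow "*"; flag it for
            # review rather than silently accepting the statement as safe.
            "conditional": "Condition" in stmt,
        })
    return findings


def audit_bucket_acl(acl):
    """Return one finding per ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in PUBLIC_ACL_GROUPS:
            findings.append({"source": "acl", "grantee": uri.rsplit("/", 1)[-1],
                             "permission": grant.get("Permission")})
    return findings


def is_public(policy, acl, public_access_block=None):
    """Combine both checks with the bucket's Block Public Access settings.

    Simplification (assumption of this example): IgnorePublicAcls neutralises
    public ACL grants and RestrictPublicBuckets neutralises a public policy.
    The two Block* settings only reject new public settings being written, so
    they do not change the exposure of an existing configuration.
    """
    pab = public_access_block or {}
    policy_open = bool(audit_bucket_policy(policy)) and not pab.get("RestrictPublicBuckets", False)
    acl_open = bool(audit_bucket_acl(acl)) and not pab.get("IgnorePublicAcls", False)
    return policy_open or acl_open


# --- constructed sample documents (not real buckets) -----------------------
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

# Same intent, scoped to one hypothetical application role.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}

PUBLIC_ACL = {"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
PRIVATE_ACL = {"Grants": [{"Permission": "FULL_CONTROL", "Grantee": {
    "Type": "CanonicalUser", "ID": "owner-canonical-id"}}]}


if __name__ == "__main__":
    for name, pol, acl in (("before", PUBLIC_POLICY, PUBLIC_ACL),
                           ("after", HARDENED_POLICY, PRIVATE_ACL)):
        findings = audit_bucket_policy(pol) + audit_bucket_acl(acl)
        print(name, "PUBLIC" if is_public(pol, acl) else "private", json.dumps(findings))
```

Run against every bucket in an account on a schedule, this is the "audit resources" control the paragraph mentions; the `conditional` flag exists because a wildcard principal behind a VPC-endpoint or organization condition is not necessarily public, but it is exactly the kind of statement a reviewer should look at by hand.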
Taking Security to the Data Level
Consequently, protection needs to reach the data itself. A variety of market solutions address file and content protection across third-party repositories. Most are well suited to defending data at rest, but protecting data in motion must be factored into the solution just as much. Given how extensively data is shared with third parties, one simply cannot anticipate where sensitive data will end up.
Further, protecting data in the cloud must be approached as part of a robust ecosystem of security technologies rather than as a vendor-specific or niche concern. Data-level defense needs to integrate with the varying parts of a complex security infrastructure, and to work readily with other important stack components such as data classification, data loss prevention and activity monitoring products.
Digital Guardian Secure Collaboration's trusted architecture makes it easy for organizations to secure a variety of file types in the cloud, including files that are exposed by a cloud misconfiguration. The platform protects structured and unstructured data through encryption, access control, and dynamic policy that dictates what users can and cannot do with the data, both when they have authorized access and when they don't.
Easily integrating with existing business productivity, collaboration and security systems, Digital Guardian Secure Collaboration protects any file type, in the cloud or on-premises, including encryption for files in commonly used platforms such as Dropbox, Box and Google Drive. When a cloud misconfiguration happens, Digital Guardian Secure Collaboration lets you rest assured that your data is still secure, fully trackable and, most importantly, revocable: any time, anywhere.