CloudSphere published its report on cloud access control mishaps seeking to understand the prevalence and causes of unauthorized cloud access.
The cloud management and governance firm found that most organizations (81%) had multi-cloud environments but many were struggling to secure their cloud platforms because of visibility problems.
The survey, involving 303 IT professionals globally, found that many organizations suffered from a false sense of security with cloud-based access control and IAM policy enforcement.
Cloud access control is a major problem for many organizations
CloudSphere predicted that by 2025, almost all cloud security failures would be the customers’ fault. Similarly, CloudSphere says that 90% of organizations that failed to secure their cloud environments would leak their sensitive data.
“As cloud adoption accelerates, securing and governing multi-cloud environments is a top IT challenge facing enterprises,” CloudSphere tech evangelist Keith Neilson said. “This research highlights the immense cloud governance gaps enterprises experience that ultimately leave sensitive data vulnerable to breaches. It is critical enterprises adopt a unified approach to properly govern cloud access and protect enterprise data to avoid costly breaches and preserve trust.”
Unauthorized access rampant and unnoticeable than initially thought
CloudSphere says that most businesses experienced unauthorized access due to failed cloud access control policy. About a third (32%) said they experienced unauthorized access, while 19% were unsure if their cloud platforms were compromised.
More than half (53%) of organizations reported having more than 100, mostly unqualified employees, having cloud access.
Other entities with access include IT teams (93%), developers (72%), DevOps teams (69%), employees (58%), consultants (31%), ex-employees (40%), partners (27%), and other external entities including hackers and bots (38%).
The lack of visibility into users and groups with access to cloud platforms exacerbates the unauthorized access problem putting many organizations at risk.
The disparity between perceived and appropriately granted access was also to blame for unauthorized access, according to CloudSphere’s report.
Unlike physical access control mechanisms, it was difficult to audit which entities could access various cloud platforms. Additionally, cloud platforms could not be secured through traditional physical security control mechanisms like many inhouse systems.
Overdependence on cloud providers’ native access control tools and internal policies
CloudSphere discovered the overdependence on cloud providers’ native access control tools. The majority of respondents (85%) said they relied on cloud providers’ native cloud access control solutions, while more than half (57%) said they used multiple solutions.
Regardless of the cloud access control tools provider, 80% of companies develop their cloud governance policies internally, according to the report.
However, the use of multi-cloud environments made it impossible to implement standardized cloud access control tools, thus exposing many organizations to unauthorized access.
Most cloud access control policies unenforceable or misconfigured
Regardless of the source of the access control tools, most organizations indicated that their cloud platforms were misconfigured or unenforceable.
More than three-quarters (78%) said they could not enforce their Identity and Access Management (IAM) policies, while more than two-thirds (69%) said cloud access control enforcement issues led to unauthorized access.
Similarly, 63% said their IAM solutions were not properly configured, while 56% said the roles were not properly entered.
What’s more surprising is how long it took to correct misconfigurations. Three-quarters (60%) of the respondents reported that it took a month or more to correct configuration errors. Only half (50%) of the respondents said they reviewed access policies and privileges monthly.
Businesses risk millions through misconfigured cloud access control
About a third (30%) of the respondents said millions of records flow through their cloud infrastructure every month. With each stolen record costing about $146, organizations with misconfigured cloud platforms risk millions in losses.
While many organizations are experienced in configuring traditional access control on local servers, configuring cloud computing access control system from anywhere was a major challenge. Similarly, the dependence on native access control solutions in a multi-cloud platform set the organizations for failure.
Identity access and control management (IAM) inadequate for preventing unauthorized access
CloudSphere said that organizations should design, implement, and enforce IAM policies for their specific cloud environments. Organizations must also implement cloud access control that users cannot change to prevent unintended or inherited access control. This would prevent improperly entered or configured cloud access control permissions.
CloudSphere also recommended that organizations should be diligent in maintaining cloud policies and access rights. They should also invest in systems that provide real-time access rights alerts to avoid gross cloud access control misconfigurations.
