Misconfigurations, Poorly Managed Access Help Drive Data Breach Risks

George V. Hulme

June 20, 2020

Enterprise digital transformations are making it even more challenging for enterprise security teams to properly manage and secure their environments. After all, digital transformations have rapidly increased the complexity of those environments as technology teams strain to maintain existing systems, deploy new cloud services, manage IoT devices, and constantly develop and deploy more applications.

And it’s that speed and complexity that has increased data security risks. A recent study conducted by IDC, on behalf of security vendor Ermetic, found that nearly 80% of the companies surveyed had experienced at least one cloud data breach in the past 18 months. And 43% of those respondents reported 10 or more breaches over that time period.

According to the 300 CISOs who participated in the survey, the following ranked highest as breach contributors: security misconfiguration (67%), lack of adequate visibility into access settings and activities (64%), and identity and access management permission errors (61%). Likewise, 80% said that they can’t effectively manage excessive access to data in their infrastructure- and platform-as-a-service environments.

“This is where things may get complicated,” the IDC Cloud Security Survey Highlights report states. “The flexibility of public cloud environments enables customers to provision resources with the click of a button, spin up containers based on dynamic scaling requirements, and more. A typical public cloud deployment can quickly turn into a vast maze of interconnected machines, users, applications, services, containers and microservices,” the report continues.

“Some of the most high-profile cybersecurity incidents in recent years were the direct result of customers failing to properly configure their cloud environments, or granting excessive or inappropriate access permissions to cloud services, rather than a failure of the cloud provider in fulfilling its responsibilities,” the report says. “For example, the Capital One breach in 2019 where 106 million credit card applications were exposed was the result of excessive permissions assigned to a WAF that were used by the attacker to gain access to a sensitive AWS S3 bucket,” it continues.

The cloud access survey also found:

  • 79% of companies experienced at least one cloud data breach in the past 18 months, and 43% said they had 10 or more
  • Top three cloud security threats are security misconfiguration of production environments (67%), lack of visibility into access in production environments (64%) and improper IAM and permission configurations (61%)
  • Top three cloud security priorities are compliance monitoring (78%), authorization and permission management (75%), and security configuration management (73%)
  • Top cloud access security priorities are maintaining confidentiality of sensitive data (67%), regulatory compliance (61%) and providing the right level of access (53%)
  • Top cloud access security challenges are insufficient personnel/expertise (66%), integrating disparate security solutions (52%) and lack of solutions that can meet their needs (39%)

A full copy of the report is available here.

As part of the study commissioned by Ermetic, IDC surveyed 300 senior IT decision makers in the US across the Banking (12%), Insurance (10%), Healthcare (11%), Government (8%), Utilities (9%), Manufacturing (10%), Retail (9%), Media (11%), Software (10%) and Pharmaceutical (10%) sectors. Organizations ranged in size from 1,500 to more than 20,000 employees.

“Even though most of the companies surveyed are already using IAM, data loss prevention, data classification and privileged account management products, more than half claimed these were not adequate for protecting cloud environments,” said Shai Morag, CEO at Ermetic in a statement. “In fact, two thirds cited cloud native capabilities for authorization and permission management, and security configuration as either a high or an essential priority.”

While the report focuses heavily on identity risks, and on keeping track of access policies and permissions for software and human identities, other types of misconfigurations are just as dangerous. The recent 2020 Verizon Data Breach Investigations Report (DBIR) found stolen credentials to be the top hacking technique associated with data breach incidents.

System misconfigurations are a regular fixture in data breaches, whether it’s leaving unnecessary features running or leaving databases publicly searchable. A survey from last summer found that 84 percent of respondents admitted that their organizations had a difficult time maintaining secure configurations, and nearly 20 percent said it was very difficult.

According to the BBC, Babylon Health issued a statement acknowledging the incident, and that the privacy violation was the result of a software gaffe. “This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly,” the BBC quoted.

While it may have been a software error and not a malicious attack, that’s of little import to anyone who has private medical information leaked.



George V. Hulme

George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.
