Orgs failing to secure data in the cloud, says report


Millions of records containing personally identifiable and health information remain at risk because of poor encryption and network access control practices in public cloud computing environments, according to an analysis of 1 million cloud resources and 12 petabytes of network traffic by cloud infrastructure security company RedLock.

The report, “Cloud Infrastructure Security Trends,” was compiled by the RedLock Cloud Security Intelligence team of security analysts, data scientists and data engineers from organizations including Microsoft, Credit Suisse and Honeywell. Along with identifying issues, they made recommendations to mitigate compromise.

The RedLock CSI team found that over 80 percent of the databases they examined had inadequate encryption, with over 30 percent accepting inbound connections from the Internet. Poor security practices and misconfigurations of cloud storage services left room for records exposure, indicating that continuous configuration monitoring and reviewing traffic to ensure resources don’t communicate with Internet services could aid compliance with best practices.

Over half of the traffic the team observed was on port 80, the default web port, which receives unencrypted traffic, and over 90 percent of resources didn’t restrict outbound traffic. This suggests that redirecting unencrypted web traffic using HSTS and implementing a “deny all” default outbound firewall policy are imperative.

A lack of multi-factor authentication, slow-to-rotate access keys and dormant but active user accounts introduce vectors for malicious actors. Policies to enforce MFA on all privileged accounts, to periodically rotate keys, disable inactive accounts and evaluate user behavior against established baselines can help cut off ways to compromise systems.
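
The configuration checks implied by the recommendations above, written as a small audit over a constructed inventory. This is an added example, not code from RedLock or its report; the inventory schema, the finding names and the 90-day thresholds are assumptions.

```python
from datetime import date
from ipaddress import ip_network
# Assumed thresholds; the article gives no specific values.
MAX_KEY_AGE_DAYS = MAX_IDLE_DAYS = 90

def is_internet(cidr):
    """True when a CIDR covers the whole IPv4 or IPv6 address space."""
    return ip_network(cidr, strict=False).prefixlen == 0

def audit(inventory, today):
    """Return sorted (id, finding) pairs for a resource/user inventory."""
    findings = []
    for r in inventory["resources"]:
        if r["type"] == "database":
            if not r["encrypted_at_rest"]:
                findings.append((r["id"], "db-unencrypted"))
            if any(is_internet(c) for c in r["ingress"]):
                findings.append((r["id"], "db-internet-inbound"))
        # Any egress rule open to everything means no "deny all" default.
        if any(is_internet(c) for c in r["egress"]):
            findings.append((r["id"], "egress-unrestricted"))
    # Only enabled accounts matter: a dormant account is a risk while it still works.
    for u in (u for u in inventory["users"] if u["enabled"]):
        if u["privileged"] and not u["mfa"]:
            findings.append((u["id"], "privileged-no-mfa"))
        if (today - u["key_created"]).days > MAX_KEY_AGE_DAYS:
            findings.append((u["id"], "key-not-rotated"))
        if (today - u["last_active"]).days > MAX_IDLE_DAYS:
            findings.append((u["id"], "dormant-account"))
    return sorted(findings)

# Constructed sample inventory (hypothetical schema, not data from the report).
SAMPLE = {
    "resources": [
        {"id": "db-orders", "type": "database", "encrypted_at_rest": False,
         "ingress": ["0.0.0.0/0"], "egress": ["0.0.0.0/0"]},
        {"id": "db-billing", "type": "database", "encrypted_at_rest": True,
         "ingress": ["10.0.2.0/24"], "egress": []},
        {"id": "web-1", "type": "vm", "ingress": ["0.0.0.0/0"], "egress": ["::/0"]},
    ],
    "users": [
        {"id": "admin-a", "enabled": True, "privileged": True, "mfa": False,
         "key_created": date(2024, 1, 10), "last_active": date(2024, 9, 28)},
        {"id": "dev-b", "enabled": True, "privileged": False, "mfa": False,
         "key_created": date(2024, 9, 1), "last_active": date(2024, 3, 2)},
    ],
}

if __name__ == "__main__":
    print(*audit(SAMPLE, date(2024, 10, 1)), sep="\n")
```

Run on a schedule against an exported inventory, the same function gives the continuous configuration monitoring the report recommends; `db-billing` produces no findings because it is encrypted, reachable only from a private range and has no open egress rule.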

Not helping are developers without security training who rapidly adopt new technologies without considering the security implications, as well as the number of organizations that fail to implement policies to observe Center for Internet Security benchmarks. Better guidance and monitoring of violations could remediate these issues.

The entire report can be viewed on RedLock’s website.