Researchers from the cloud security company DivvyCloud found that breaches caused by cloud misconfigurations cost companies worldwide an estimated $5 trillion in 2018 and 2019.
In the “2020 Cloud Misconfigurations Report,” DivvyCloud researchers studied all of the data breaches publicly reported across the globe between Jan. 1, 2018, and Dec. 31, 2019, and identified 196 separate data breaches as having been definitively caused primarily by cloud misconfigurations.
More than 33 billion records have been exposed over the last two years as thousands of companies move to cloud environments without the appropriate security systems in place.
“Data breaches caused by cloud misconfigurations have been dominating news headlines in recent years, and the vast majority of these incidents are avoidable,” said Brian Johnson, chief executive officer and co-founder of DivvyCloud.
Using data from a 2019 Ponemon Institute report that said the average cost per lost record globally is $150, DivvyCloud researchers estimated that cloud misconfiguration breaches cost companies upwards of $5 trillion over those two years.
“Breaches caused by cloud misconfigurations have been dominating news headlines in recent years. DivvyCloud researchers compiled this report to substantiate the growing trend of breaches caused by cloud misconfigurations, quantify their impact to companies and consumers around the world and identify factors that may increase the likelihood a company will suffer such a breach,” the report said.
“Year over year from 2018 to 2019, the number of records exposed by cloud misconfigurations rose by 80%, as did the total cost to companies associated with those lost records,” according to the report.
Unfortunately, the report added, experts expect this upward trend to persist, as companies continue to adopt cloud services rapidly but fail to implement proper cloud security measures.
In 2018, it found, there were a total of 11.8 billion records exposed with a total cost of $1.76 trillion. By 2019, that number rose to 21.2 billion exposed records, and the cost rose to $3.18 trillion.
The severity of cloud misconfigurations could be even worse than the figures in the report suggest. The company’s researchers cited data from McAfee that said 99% of all misconfigurations in the public cloud go unreported.
The number of cloud misconfiguration-related breaches rose from 81 to 115 between 2018 and 2019 as more companies moved systems and processes to cloud platforms. But the report draws links between the year companies were started and the severity or frequency of cloud misconfiguration breaches.
Nearly 70% of organizations that dealt with breaches were founded before 2010, while about 7% were companies founded after 2015.
“These statistics indicate that older companies that are transitioning to the cloud are having a harder time implementing and continually enforcing proper security controls over their cloud environments when compared to younger companies ‘born in the cloud,’” the report said.
The causes of misconfigurations
The report said most of the cloud misconfigurations were caused either by inexperienced users or a failure to shift from outdated security models. Other reasons included in the report were a lack of unified cloud visibility as well as an unprecedented rate of change, scale and scope.
There are also now far more people within an organization using cloud systems, which expands the attack surface of the infrastructure.
According to the report, 40 people used to touch a cloud platform at any time and that number has ballooned to 3,000 people in today’s increasingly digitized environment.
The study also found correlations between cloud misconfiguration breaches and companies going through mergers and acquisitions, citing the Marriott/Starwood breach in 2018 as a prime example of how merging IT environments can sometimes lead to a data breach due to cloud misconfigurations.
More than 40% of the companies studied in the report dealt with a merger and acquisition transaction between 2015 and 2019, with at least three of those organizations experiencing more than one cloud misconfiguration-related data breach.
The report also notes that there is precedent for data breaches causing problems for mergers, mentioning that Verizon reduced its acquisition offer for Yahoo by $350 million after its massive data breach made it into the news.
Across the 196 breaches examined by DivvyCloud researchers, 44% of all records exposed in 2018 and 2019 were traced to Elasticsearch misconfigurations.
“The number of breaches caused by Elasticsearch misconfigurations nearly tripled from 2018 to 2019. S3 bucket misconfigurations accounted for 16% of all breaches. S3 bucket misconfigurations decreased 45% from 2018 to 2019. MongoDB misconfigurations accounted for 12% of all breaches. MongoDB misconfiguration instances nearly doubled from 2018 to 2019,” the report said.
DivvyCloud researchers noted that, according to Gartner, 99% of cloud security failures are the fault of the customer, but most cloud misconfiguration breaches occurred with AWS services. Microsoft Azure, Google Cloud Platform and Kubernetes also had a number of cloud misconfiguration breaches.
Tech companies dealt with the majority of breaches, with 41% of the incidents attributed to the industry, followed by healthcare companies at 20% and government entities at 10%. Enterprises in the hospitality, finance, retail, education and business sectors all came in around 6%.
“These enterprises are failing to improve security, take control, and minimize risk as they embrace the dynamic self-service nature of public cloud and container infrastructure. As a result, they’re suffering data breaches, which are devastating not only their organizations, but the public as well,” the report said.
“More often than not, when a breach makes headlines, it’s the company that owns (or is entrusted with protecting) the exposed data whose reputation suffers, not the underlying cloud service provider. When it comes to security, there is a shared responsibility relationship between customer and cloud service provider.”
Prioritize from the beginning
The report suggests that any company or enterprise using cloud services needs to prioritize security from the beginning and continually update protocols to address changes in the market. Organizations, and not cloud providers, are responsible for handling access management, storage, threat analysis and defense of data that is stored within cloud systems.
Security needs to be a constant concern that is continually addressed instead of one that is dealt with once. Unfortunately, the report said data breaches caused by cloud misconfigurations will continue to be an issue as more companies adopt cloud services without recognizing the security necessary to protect themselves.
“We know that more and more companies are adopting public cloud quickly because they need its speed and agility to be competitive and innovative in today’s fast-paced business landscape,” Johnson said. “The problem is, many of these companies are failing to adopt a holistic approach to security, which opens them up to undue risk. Secure cloud configuration must be a dynamic and continuous process, and it must include automated remediation.”