News

Report: Cloud Security Mistakes Thrive in Knowledge Gaps

• By Gladys Rama
• 09/20/2021

Misconfigured cloud security settings are endemic among Amazon Web Services (AWS) customers -- and in the cloud in general. Such mistakes, which typically boil down to user error, can leave large volumes of data exposed to the general public and organizations in violation of compliance regulations.

Over the years, AWS has deployed multiple tools to its customers to help them avoid cloud misconfigurations. According to a recent study, however, the most critical tool against cloud data exposures is education.

VMware released the 2021 edition of "The State of Cloud Security Risk, Compliance, and Misconfigurations" report on Monday. Conducted by the Cloud Security Alliance (CSA) for VMware between May and June this year, the report surveyed over 1,000 IT professionals across the globe about the state of cloud security in their organizations. Most of them cited education -- or the lack of it -- as the primary cause for cloud misconfigurations, as well as the primary solution.

Lack of knowledge has a "trickle-down effect" on security, the report indicates. "It starts as a general barrier to implementing effective cloud security measures. This leads to misconfigurations, the primary cause of data breaches. But it's also preventing security teams from implementing a solution, such as autoremediation, which could supplement this knowledge and skills deficit."

To wit:

• "Lack of knowledge or expertise in cloud security best practices" was deemed by 62 percent of respondents to be the leading cause of cloud security misconfigurations.
• "Lack of skills and expertise" was cited by 59 percent as the leading barrier to solving security problems, followed closely by limited budget and staff.
• "Training and education" was the most common method to improve security used by 61 percent of respondents, followed by manual remediation and automated remediation.
• "Lack of expertise" was the biggest barrier to using auto-remediation techniques to fix cloud security issues, according to 56 percent of respondents.

"Scarcity of experienced cloud security professionals is no hidden secret in the industry. Often, in many companies, a single security professional is seen supporting hundreds of developers using public clouds," said Nikhil Girdhar, product marketing leader for cloud security solutions at VMware, said in a statement. "Additionally, with the onus of training the broader company on cloud security best practices often falling on central teams, shortage of cloud IT security experts can have an adverse cascading effect on a company's cloud security posture." 

Among the report's other findings, most respondents were "moderately satisfied" with the security solutions provided by their cloud vendors, from identity management to data loss prevention. About 79 percent of the respondents reported using Microsoft's Azure platform, 74 percent used AWS and 41 percent were Google Cloud customers. By and large, respondents were also "moderately confident" in their ability to defend against cloud security threats.

The full report from VMware can be accessed here with registration.