Companies detect only 1% of IaaS misconfiguration incidents

Ninety per cent of companies said they have experienced a security issue while using infrastructure-as-a-service (IaaS), but a new report shows they may not be aware of just how many issues they’re facing.

In fact, McAfee’s IaaS adoption and risk report showed that, of the remaining 10%, information technology (IT) decision-makers were twice as likely to say they hadn’t had any security issues as C-level leaders.

Additionally, only 1% of IaaS misconfiguration incidents were detected — so while companies reported 37 misconfiguration incidents per month, McAfee found they’re more likely to face 3500.

As a result and with IaaS rapidly growing, McAfee Senior Vice President of Cloud Security Rajiv Gupta is calling on companies to take more responsibility for their security.

“In the rush toward IaaS adoption, many organisations overlook the shared responsibility model for the cloud and assume that security is taken care of completely by the cloud provider,” Gupta said.

“However, the security of what customers put in the cloud — most importantly, sensitive data — is their responsibility. To defend against the new era of cloud-native breaches, organisations need to use security tools that are cloud-native, purpose-built for cloud security and address their portion of the shared responsibility model.”

IaaS breaches are different to malware incidents in that they leverage native features of cloud infrastructure — including configuration errors — to land the attack before expanding to adjacent cloud instances and exfiltrating sensitive data, McAfee explained.

Currently, only 26% of companies are equipped to audit IaaS configurations, which, McAfee believes, accounts for the lack of visibility.

Furthermore, while 76% of companies said they use multiple IaaS providers, cloud usage data showed that actually, 92% do.

McAfee said that it’s possible that the speed of cloud adoption is putting some security practitioners behind, leaving them without the tools they need to detect and stop cloud-native breaches.

The research “sheds light on the need for security tools to keep up with IaaS-native issues, especially the ability to continuously audit IaaS deployments for initial misconfiguration and configuration drift over time”, McAfee concluded.

Image credit: ©stock.adobe.com/au/Payette Media House