McAfee says cloud security not as bad as we feared… it's much worse

The average business has around 14 improperly configured IaaS instances running at any given time and roughly one in every 20 AWS S3 buckets are left wide open to the public internet.

These are among the grim figures rolled out Monday by researchers with McAfee, who say that security practice has not kept up with the rapid adoption of cloud services.

The security giant conducted a study using around 30 million events logged by its own cloud custoemrs and found that companies are not keeping proper track of the cloud services they use and, as a consequence, are not properly securing them.

According to McAfee, the average business uses around 1,900 cloud instances, but most of the companies they surveyed only thought they used around 30. It is no surprise, then, that many IaaS and PaaS accounts are not properly configured to limit what data can be accessed.

Among the worst was Amazon's AWS S3. The storage bucket service has seen an epidemic of data alerts from researchers who uncovered improperly configured instances that contained sensitive corporate and customer personal information.

McAfee's findings showed that, in fact, it's a wonder we haven't seen more of these breaches. The report estimates that around 5.5 per cent of all AWS S3 storage instances are set to "world read," meaning anyone who knows the address of the S3 bucket would be able to see its contents.

"Despite the news over the past few years with so many public incidents of data exposure in open S3 buckets, this common but serious misconfiguration remains stubbornly unmoving," the report notes.

The report also finds that personal accounts are also woefully insecure. McAfee found that 92 per cent of companies have one or more credentials for sale on cybercrime markets and events involving either a compromised account or insider threat have increased by nearly 28 per cent over the last year.

"The majority of threats to data in the cloud result from compromised accounts and insider threats," McAfee noted. "80 per cent of organizations are going to experience at least one comprised account threat in the cloud this month."

The recommendations for companies are fairly straightforward: McAfee says companies should audit their cloud service configurations and map out where sensitive data is being stored.

From there, it is simply a matter of setting and maintaining access controls on that data, both from external access and from possible insider threats and stolen accounts.

Easier said than done. ®