This article is more than 1 year old

McAfee says cloud security not as bad as we feared… it's much worse

Quick takeaway: most everyone sucks at IaaS

The average business has around 14 improperly configured IaaS instances running at any given time, and roughly one in every 20 AWS S3 buckets is left wide open to the public internet.

These are among the grim figures rolled out Monday by researchers with McAfee, who say that security practice has not kept up with the rapid adoption of cloud services.

The security giant conducted a study using around 30 million events logged by its own cloud customers and found that companies are not keeping proper track of the cloud services they use and, as a consequence, are not properly securing them.

According to McAfee, the average business uses around 1,900 cloud instances, but most of the companies they surveyed only thought they used around 30. It is no surprise, then, that many IaaS and PaaS accounts are not properly configured to limit what data can be accessed.

Among the worst was Amazon's AWS S3. The storage bucket service has seen an epidemic of data alerts from researchers who uncovered improperly configured instances that contained sensitive corporate and customer personal information.

McAfee's findings showed that, in fact, it's a wonder we haven't seen more of these breaches. The report estimates that around 5.5 per cent of all AWS S3 storage instances are set to "world read," meaning anyone who knows the address of the S3 bucket would be able to see its contents.

"Despite the news over the past few years with so many public incidents of data exposure in open S3 buckets, this common but serious misconfiguration remains stubbornly unmoving," the report notes.

The report also finds that personal accounts are woefully insecure. McAfee found that 92 per cent of companies have one or more credentials for sale on cybercrime markets, and events involving either a compromised account or insider threat have increased by nearly 28 per cent over the last year.

"The majority of threats to data in the cloud result from compromised accounts and insider threats," McAfee noted. "80 per cent of organizations are going to experience at least one compromised account threat in the cloud this month."

The recommendations for companies are fairly straightforward: McAfee says companies should audit their cloud service configurations and map out where sensitive data is being stored.

From there, it is simply a matter of setting and maintaining access controls on that data, both from external access and from possible insider threats and stolen accounts.

Easier said than done. ®
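As an added illustration of the configuration audit recommended above (not code from McAfee's report or from this article), the following Python sketch flags "world read" buckets from already-exported settings. The record layout (`Acl`, `Policy`, `PublicAccessBlock` keys) and the sample inventory are constructed assumptions; the grantee URIs, permissions and block settings are the standard S3 ones.

```python
# Predefined S3 grantee groups that make an ACL grant public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
READ_PERMS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"*", "s3:*", "s3:get*", "s3:list*", "s3:getobject", "s3:listbucket"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def acl_world_read(acl):
    """True if any ACL grant gives a public group read access."""
    return any(
        g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
        and g.get("Permission") in READ_PERMS
        for g in acl.get("Grants", [])
    )

def policy_world_read(policy):
    """True if an unconditional Allow statement lets any principal read."""
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        # Simplification: statements with a Condition are left for manual review.
        if (st.get("Effect") == "Allow" and wildcard
                and actions & READ_ACTIONS and "Condition" not in st):
            return True
    return False

def audit(bucket):
    """Return the reasons a bucket is world-readable (empty list = none found)."""
    pab = bucket.get("PublicAccessBlock", {})
    reasons = []
    if acl_world_read(bucket.get("Acl", {})) and not pab.get("IgnorePublicAcls"):
        reasons.append("acl")
    if policy_world_read(bucket.get("Policy", {})) and not pab.get("RestrictPublicBuckets"):
        reasons.append("policy")
    return reasons

# Constructed sample inventory (bucket names and owner ID are not real).
OPEN_GRANT = {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}
SAMPLE = {
    "open-acl": {"Acl": {"Grants": [OPEN_GRANT]}},
    "open-policy": {"Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::open-policy/*"}]}},
    "blocked": {"Acl": {"Grants": [OPEN_GRANT]}, "PublicAccessBlock": {"IgnorePublicAcls": True}},
    "private": {"Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"}]}},
}

def world_readable(inventory):
    return {name: r for name, b in inventory.items() if (r := audit(b))}
```

Running `world_readable(SAMPLE)` reports only the first two buckets; the third carries the same public ACL but is neutralised by its public access block setting.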
