Introduction
Two recent breaches involving unsecured AWS storage became public knowledge in the last month. The first, of video editing application VEED.io, left potentially thousands of user videos accessible to anyone who directly requested them via their storage bucket's URL. The second, involving a company called Onlinevitalus, exposed more than 700,000 applications for birth certificate copies, containing information such as users' dates of birth. Breaches involving misconfigured permissions in cloud storage buckets are nothing new; what is new is a shift in the tone of the coverage of these breaches, away from labelling them a 'cloud data breach.' In both cases, the media coverage stated that the companies, as cloud customers, were responsible for the permissions mishap.
The 451 Take
Shared Responsibility
"People look at [cloud security] as different beasts, but it's really not. It's just a server somewhere else. It's understanding the lack of control. If you take Amazon as a great example, I would say that most people don't understand the shared security model that Amazon has.... Amazon has a huge document explaining it, but the question is: Does everyone read that, or do they just make assumptions?"
- IT/Engineering Managers and Staff, 10,000-49,999 employees, $10bn+ revenue, Real Estate
This is not for lack of trying on the part of the major cloud providers to educate their consumers – for example, both Microsoft and AWS have published shared responsibility models. For Microsoft it's a three-tier model that notes users are responsible for information and data, devices, and accounts and identities, while Microsoft is responsible for physical hosts, networks and datacenters. Other pieces, such as network controls, operating systems or applications, sit in a middle state between the customer and cloud provider, depending on the service being provided. AWS describes the difference in responsibility sets as 'security of the cloud,' which rests with AWS, versus 'security in the cloud,' which relies on customer decision-making. In its early discussions of a simplified concept it called 'console security' – the idea that it is the user, not the cloud provider, that is responsible for security 'from the console on up' – the security team at 451 Research predicted that this shared responsibility model would require a learning curve.
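As an added illustration of the customer-side check that 'security in the cloud' leaves to the cloud user (example code written for this note, not from the report, VEED.io, Onlinevitalus or AWS): a small Python routine that flags S3 bucket policy statements granting anonymous object reads, which is one way a bucket's contents become reachable by anyone holding the URL, and reports whether the RestrictPublicBuckets public access block setting neutralises such a policy. The policy document shape and the RestrictPublicBuckets setting are AWS's; the sample policy, bucket name and VPC endpoint id are constructed.

```python
import json

# Actions that let a caller read object contents; compared case-insensitively.
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}

def _as_list(value):
    """S3 policies allow a bare string or a list in Action and Principal fields."""
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """'*' or {"AWS": "*"} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_read_statements(policy_json):
    """Return Sids of Allow statements granting anonymous, unconditioned object reads."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        # A Condition (e.g. a source VPC endpoint) scopes the grant; flag only unconditioned ones.
        if actions & READ_ACTIONS and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

def exposed_by_policy(policy_json, public_access_block):
    """True when anonymous reads are granted and RestrictPublicBuckets is not set to cut them off."""
    restricted = bool(public_access_block.get("RestrictPublicBuckets", False))
    return bool(public_read_statements(policy_json)) and not restricted

# Constructed sample policy: one world-readable statement, one scoped by a Condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadForVideos", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-videos/*"},
        {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-videos/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    ],
})
```

In practice the policy document and public access block settings would be pulled from the account for each bucket; the evaluation above is the part a cloud user owns under the shared model.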
"We are not using [Azure] to the extent that we want to. We've been struggling in terms of making sure all the security parameters are taken care of and there are enough guardrails in place, and that's been a lengthy process. So we have a couple of apps, and we are working on some large initiatives that will be going live in the next quarter and next year."
- Senior Management, 100,000+ employees, $10bn+ revenue, Consumer Retail Products & Services
Shifting Perceptions toward Cloud Risk
Enterprise scale is not so much a predictor of attitude toward cloud risk as some might assume; in fact, the larger the organization, the more conservative its practices tend to be on this question. Among organizations with more than 10,000 employees, 48% limit hosted cloud to low-risk applications, while 35% say cloud can be used for anything. Only 9% of organizations at that scale lack a policy toward public clouds, so the question is much more likely to have been considered at larger companies. By comparison, 30% of organizations with 250-999 employees limit cloud usage, as do 24% of those with fewer than 250 employees.
The strongest predictor of attitude toward cloud risk is an organization's approach to technology adoption. Sixty-six percent (66%) of those that classify their organizations as 'early adopters' place no limitation on cloud usage. Thirty-eight percent (38%) of those that are 'pragmatic, but will act sooner rather than later' similarly will use cloud no matter the risk profile of the application. That's compared with 20% for those that rank their organizations as 'conservative,' and a similar 20% for those that consider their organizations 'skeptical' of new technology. If early adopters are seen as a bellwether, this is further indication that security is eroding as an inhibitor to cloud deployment.
Daniel Kennedy is responsible for managing all phases of the research process. He is an experienced information security professional who has written for both Forbes online and Ziff Davis, has provided commentary to numerous news outlets including The New York Times and The Wall Street Journal, and his personal blog Praetorian Prefect was recognized as one of the top five technical blogs in information security by the RSA 2010 Conference.
Jeremy Korn is a Research Associate at 451 Research. He graduated from Brown University with a BA in Biology and East Asian Studies and received
Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation