A lack of in-depth knowledge exhibited by some in-house IT teams coupled with an overreliance on manual change processes is leading businesses to jeopardise the security of their cloud deployments. That’s the considered opinion of service provider Claranet.
The warning follows the launch of a report published by McAfee, which finds that the average business has approximately 14 improperly configured IaaS instances running at any given time, while roughly one in every 20 AWS S3 buckets is left wide open to the public Internet.
Additionally, researchers estimate that roughly 5.5% of all AWS S3 storage instances are in a “world read” setting, thereby allowing anyone who knows the address of the S3 bucket to view its contents.
Commenting on the findings, Steve Smith (senior site reliability engineer and AWS Team lead at Claranet) said: “The cloud security challenges highlighted in this report have little to do with the platform itself, but everything to do with the people using it. In our experience, people are the biggest weakness here. The major cloud providers like AWS set a lot of sensible defaults designed to support configuration – for example, S3 buckets are now private by default – but, unfortunately, it’s very easy to make mistakes if you don’t know how to use the platform correctly.”
Smith continued: “We’ve seen many AWS configurations that end user businesses have developed themselves or have worked up with partners that don’t have the right experience, and, frankly, those configurations can be all over the place. When internal IT teams create these environments themselves, mistakes can occur when they don’t have the depth of knowledge or experience to follow Best Practice.”