Cloud misconfigurations have cost organisations $5 trillion since 2018

Elasticsearch misconfigurations account for 44 percent of records exposed due to cloud misconfigurations in 2018 and 2019

Data breaches caused by cloud misconfigurations have cost organisations trillions of dollars and exposed billions of records since 2018, according to a report published by DivvyCloud, a supplier of security and compliance automation for cloud and container environments.

The US-based cloud security company revealed 33.4 billion records were exposed during 2018 and 2019, a rise of 80 percent. In total, these breaches cost organisations $5tn (when the number of records exposed is multiplied by the average cost per lost record, calculated by Ponemon Insitute at $150).

There is a strong upward trend in the number of records exposed by cloud misconfigurations. In 2018, 11.8 billion records were exposed with a total cost of $1.76 trillion. By 2019, that number rose to 21.2 billion exposed records, and the cost rose to $3.18 trillion. By comparison, the total size of the public cloud market was $182.4 billion in 2018 and $214.3 billion in 2019.

DivvyCloud said inexperienced users, outdated security models, lack of cloud visibility and the “unprecedented rate of scale and scope” of cloud adoption were behind the surge in cloud misconfiguration breaches. The company urged cloud users to shift to “a model of security that provides continuous controls and enforces secure configurations of cloud services”.

“As companies flock to the cloud for its speed and agility, they often fail to implement and enforce proper security,” reads the report. “Companies must adopt proper cloud security in order to protect this investment and prevent devastating costs associated with data breaches.”

It is likely that the total number of breaches caused by misconfigurations and their associated costs were far higher, as the scale of some breaches could not be determined and, according to a report from McAfee, 99 percent of all misconfigurations in the public cloud go unreported.

AWS services make up the bulk of the breaches evaluated. Elasticsearch misconfigurations accounted for 44 percent of the records exposed and was also the most common database breached across all platforms (20 percent). Meanwhile, S3 bucket misconfigurations were behind 16 percent of all of the breaches analysed (although S3 misconfigurations decreased 45 percent from 2018 to 2019). However DivvyCloud was quick to not point the finger at Amazon other cloud service providers, noting such breaches are almost always the customer’s fault.

Unsurprisingly, it is traditional companies transitioning to the cloud, rather than cloud-native companies, that have suffered the most. 68 percent of the companies that suffered a data breach caused by a cloud misconfiguration were founded prior to 2010, roughly when the tools required to be cloud-native became widely available. On the other hand, only 6.6 percent of these companies were founded in 2015 or later.

In terms of verticals, 41 percent of the companies breached were tech companies, followed by healthcare at 20 percent. Government agencies accounted for 10 percent of the breaches, followed by hospitality at 6 percent, finance at 6 percent, retail at 4 percent, education at 3 percent, business services at 3 percent, and other services at 7 percent.

In the foreword to the report, Anthony Johnson, former CISO at multiple Fortune 100 companies and managing partner at Delve Risk, described cloud misconfigurations as an “unsettling trend”.

“Frustratingly, the underlying issues that cause these breaches “misconfigurations” are often not complex. Meanwhile, consumers, regulators, and partners expect due diligence from the organizations entrusted with their data. Having an unprotected server is not an acceptable reason for a breach, nor is any other misconfiguration.”