Cloud-Native: The Infrastructure-as-a-Service (IaaS) Adoption and Risk Report

Infrastructure-as-a-Service (IaaS) is used by organizations of all sizes as the new default IT environment to build and host internal and customer-facing applications. In the rush toward IaaS adoption, many organizations overlook the cloud shared-responsibility model and assume that security is taken care of completely by the cloud provider. At the end of the day, the security of what cloud customers put in the cloud, most importantly sensitive data, is their responsibility.

The Rise of Cloud-Native Breaches

Numerous “breaches” have occurred in IaaS environments, but they don’t look like your typical infiltrate-with-malware type of scheme. In most cases, the Cloud-Native Breach (CNB) is an opportunistic attack on data left open by errors in how the cloud environment was configured. Adversaries can exploit misconfigurations to escalate their privileges and access data using native functions of the cloud, instead of malware. In this study we asked 1,000 enterprises across 11 countries and multiple industries about misconfigurations, which have left millions of customer
records, intellectual property, and the like open to theft. We also analyzed our own customer use of IaaS through anonymized, aggregated event data across millions of cloud users and billions of events. Unfortunately for the state of cloud computing at this moment, we found that about 99% of misconfigurations go unnoticed by companies using IaaS. The enterprise companies we spoke to told us that they were aware of, on average, 37 misconfiguration incidents per month. Yet our real-world data shows that companies actually experience closer to 3,500 such incidents.

Practitioner-Leadership Disconnect

Awareness of misconfigurations is clearly an issue. But only 26% of our enterprise survey respondents said their current security tools could audit configurations in IaaS. We hypothesize that there is a practitionerleadership disconnect at work here. Ninety percent of companies told us they’d experienced some security issue in IaaS, misconfiguration or otherwise. But twice as many manager-level IT personnel—those closest to the IaaS environment—thought they’d never experienced an issue compared to what their CISO, CTO, and CIO leadership claimed. It’s possible the speed of cloud adoption is putting some practitioners behind. Infrastructure changes rapidly in the cloud, opening the door for mistakes as code is released in continuous integration/continuous delivery (CI/CD) practices. Security leaders should consider enabling their staff with the tools they need to keep up with security issues, especially the ability to audit their IaaS deployments for misconfiguration before they enter a production environment.

IaaS: The New “Shadow IT”

Keeping track of security incidents in IaaS is increasingly difficult when you operate in multiple cloud service provider (CSP) environments. There’s an interesting awareness trend here as well, similar to the “Shadow IT” we’ve seen for years with Software-as-a-Service (SaaS) applications being brought into the enterprise. Seventy six percent of our survey respondents told us they use multiple IaaS providers. Yet in our real-world data, we found that 92% actually do, up 18% year over year. Security incidents are almost guaranteed to go under the radar if companies don’t even know where all of their infrastructure lives.