Biggest Cloud Security Threats are Self-Inflicted

As organizations of all sizes and across all industries continue migrating servers, applications and data to the cloud, cloud security remains a persistent and growing concern. Alert Logic sponsored the 2018 Cloud Security Spotlight, a cloud security report from Cybersecurity Insiders and Crowd Research Partners to learn more about the security concerns businesses are facing, and what the prevailing obstacles are to achieving better cloud security.

More than 570 cybersecurity and IT professionals were surveyed for the report in an effort to explore the state of cloud adoption and trends in security challenges and best practices. Respondents span a range of industries and company sizes, and include roles from security analysts, to IT managers and CISOs.

Cloud Security Issues

One of the things that stands out to me in the 2018 Cloud Security Spotlight report is that the biggest threats to cloud security are primarily self-inflicted and avoidable. The report states, “Misconfigurations of cloud platforms jumped to the number one spot in this year’s survey as the single biggest cloud security threat (62 percent). This is followed by unauthorized access through misuse of employee credentials and improper access controls (55 percent), and insecure interfaces/APIs (50 percent).”

According to survey participants, the biggest cloud security headaches are not cybercriminals or malicious exploits—they’re issues with simply trying to manage and monitor assets in the cloud. The report explains, “As more workloads move to the cloud, cybersecurity professionals are increasingly realizing the complications to protect these workloads. The top three security control challenges SOCs are struggling with our visibility into infrastructure security (43 percent), security compliance (38 percent), and setting consistent security policies across cloud and on-premises environments (35 percent).”

Legacy Cybersecurity Tools and Poor Visibility

A majority of those surveyed are either very concerned (38 percent) or extremely concerned (22 percent) about cloud security. Almost 20 percent admitted that their organization experienced a cloud-related security incident in the last year.

As I already mentioned above, though, the biggest threats to cloud security are not external attackers—they’re avoidable mistakes. Misconfiguration of the cloud platform, insecure APIs, and poor access management are all solvable problems. The problem is that they’re not problems that can be solved in the cloud using traditional or legacy security tools. You need to have comprehensive and consistent visibility into your cloud environment to identify and resolve issues in real-time.

recent blog post from Daniel Miessler noted, “Companies pay hundreds of thousands a year to keep snacks in the break rooms. They pay to send people to training and conferences that usually have very few tangible benefits. And we dump millions into marketing campaigns that we can’t tie to sales results. But pay 100K a year to have a list of what we’re actually defending? Nope. Too expensive. Wasteful, really.”

The title of Miessler’s post makes an excellent point that illustrates the essential problem facing most organizations when it comes to effective cloud security: “If You’re Not Doing Continuous Asset Management You’re Not Doing Security.” The logic applies to any IT environment, but it becomes exponentially more important and more challenging in a dynamic, rapidly-evolving cloud environment.

With the right cloud security solution, you can actively monitor to maintain an accurate inventory of the assets you have in the cloud, and identify configuration issues and policy violations as they happen. There are enough external threats out there—don’t shoot yourself in the foot by being your own biggest threat to cloud security.

The 2018 Cloud Security Spotlight contains a lot of other valuable insights and details. Click here to download the report and read it for yourself: 2018 Cloud Security Spotlight.

About the Author

Tony Bradley - Senior Manager of Content Marketing for Alert Logic

Tony Bradley

Tony Bradley is Senior Manager of Content Marketing for Alert Logic. Tony worked in the trenches as a network administrator and security consultant before shifting to the marketing and writing side of things. He is an 11-time Microsoft MVP in security and cloud and has been a CISSP-ISSAP since 2002. Tony has authored or co-authored a dozen books on IT and IT security topics, and is a prolific contributor to online media sites such as Forbes and He has established a reputation for effective content marketing, and building and engaging a community and social media audience.

Connect | Email Me | More Posts by Tony Bradley