Enterprises Report False Sense of Security with Cloud Access Control and IAM Policy Enforcement, According to New CloudSphere Report
CloudSphere today announced the findings of its new report “In the Dark: Why Enterprise Blind Spots are Leaving Sensitive Enterprise Data Vulnerable to Breaches,” conducted by Dimensional Research. Report findings revealed that 32% of enterprises experienced unauthorized access to cloud resources, and another 19% were unaware if unauthorized access occurred. This was found to be largely driven by poor enforcement of identity and access management (IAM) policies in the cloud.
“As cloud adoption accelerates, securing and governing multicloud environments is a top IT challenge facing enterprises”
CloudSphere, which provides cloud governance solutions, commissioned the report surveying 303 IT professionals from around the world. The research aimed to understand current cloud infrastructure access, governance, and management practices and why and how often unauthorized access occurs.
“As cloud adoption accelerates, securing and governing multicloud environments is a top IT challenge facing enterprises,” said Keith Neilson, technical evangelist for CloudSphere. “This research highlights the immense cloud governance gaps enterprises experience that ultimately leave sensitive data vulnerable to breaches. It is critical enterprises adopt a unified approach to properly govern cloud access and protect enterprise data to avoid costly breaches and preserve trust.”
Perception vs. reality: Lack of IAM policy enforcement leads to unauthorized access
Due to the complex nature of cloud environments, having visibility into which users have access to data and resources is increasingly difficult. Particularly troubling is the disparity between the enterprise’s perception of secure access control and the reality of policy enforcement failures. Research found that while 78% claimed to be able to enforce IAM policies, 69% reported policy enforcement issues created unauthorized access.
Highlighting just how crucial it is for enterprises to improve IAM policy enforcement, 30% of respondents reported millions of records flow through their cloud solutions each month, and with the cost of each lost or stolen data record averaging $146, businesses are risking hundreds of millions of dollars in losses due to unauthorized access. Unauthorized access included ex-employees, hackers, external consultants and partners, which highlights the lack of context and controls for authorized and defined users and groups within cloud environments. Results point to a clear lack of visibility and monitoring for unauthorized or misplaced access, which ultimately threatens an organization’s security.
Enterprises are taking on this challenge alone and failing with 80% of companies developing their own cloud governance policies internally. Despite having policies in place, the lack of enforcement ultimately leads to unauthorized access and the risk of costly breaches of sensitive data, damaging company trust and valuation.
Cloud access across teams puts data at risk
In addition, 53% of companies reported 100 or more individuals have cloud access across numerous internal and external teams, the majority of which have no security specific expertise. For example, 72% say developers have cloud access, and 69% say DevOps teams have cloud access. This large number of users with minimal security expertise increases the potential for error, and mistakes become inevitable when trying to control access to cloud resources. Also, 41% say consultants have cloud access, and 25% say partners have cloud access. Access by these parties from outside of the organization puts data at even greater risk.
Why IAM solutions fail
Gartner found that 81% of organizations use a multicloud approach and as public cloud providers’ IAM tools typically can’t expand beyond their own platform, it is increasingly difficult to implement a standardized IAM solution across all cloud platforms. The CloudSphere research report found that 85% of companies utilize different cloud provider access tools for each environment, and more than half (57%) of companies use numerous cloud IAM tools to govern their multicloud environments. Manual errors are also a leading reason why IAM solutions fail, as 63% noted IAM solutions were not properly configured, and 56% said roles and access rights were improperly entered.
Cloud misconfigurations are common, and unauthorized access isn’t always noticed
Unauthorized access often goes unnoticed, and misconfigurations are common. CloudSphere’s survey findings echoed this claim:
- 60% report that the interval before correcting misconfiguration errors was monthly or longer
- Only 50% indicate they review access policies and privileges on a monthly basis.
The need for cloud policy upkeep
The report’s findings on misconfigurations and unauthorized access allude to a disparity between the enterprise’s perception of granted access being appropriately configured and applied and the reality that events, hacks, and unauthorized access occur at a high rate. These findings highlight the need for enterprises to be diligent and persistent in the upkeep of cloud policies and access rights.
The research also shows that there is a lack of functional automation and functional alerting to ensure a proactive approach that prevents unauthorized access from occurring.