Cloud security issues are creating a major opportunity for managed service providers (MSPs) as organizations of all sizes continue to struggle with the shared responsibility model that cloud service providers require customers to embrace.

A survey of 303 IT professionals conducted by Dimensional Research on behalf of CloudSphere, a cloud management platform provider, finds 32 percent of enterprises have experienced unauthorized access to cloud resources, with another 19 percent unaware if unauthorized access occurred.

Published this week, those survey results come on the heels of a report from Accurics, a provider of a tool that scan for cloud misconfiguration, that found nearly a quarter (23 percent) of all the security policy violations involved managed service offerings provided by Amazon Web Services (AWS), Microsoft and Google. Based on approximately 9,000 scans conducted by Accurics, the report finds the mean time to resolution (MTTR) for security policy violations was 24.9 days, with MTTR for production and pre-production environments spanning 21.8 and 31.2 days, respectively.

Similarly, the CloudSphere report finds 60 percent of respondents reporting the interval for correcting misconfiguration errors to be a month or longer.

Root of cloud security problem

The root cause of the cloud security problem points to the way cloud services are provisioned. Most cloud services are programmatically configured by developers. Unlike in on-premises IT environments where internal IT staff carefully check configuration before an application is deployed, the bulk of cloud applications are never checked by anyone other than the developer. This is done primarily in the name of expediency. Cybersecurity professionals, especially, are viewed as an impediment to IT agility.

Of course, IT organizations are supposed to have policies in place to prevent cloud services from being configured at will. The CloudSphere report makes it clear enforcing those policies is problematic. More than three quarters of respondents (78 percent) claim to enforce identify access management IAM) policies, with 80 percent of companies developing their own cloud governance policies internally.

More than half of respondents (53 percent) reported 100 or more individuals have cloud access across numerous internal and external teams. Nearly 72 percent said developers have cloud access, while 69 percent report DevOps teams have cloud access. A total of 41 percent also say consultants have cloud access, with 25 percent noting various partners also have cloud access.

Making matters even more complex, the CloudSphere report finds 85 percent of respondents are using different access tools for each cloud environment. Not surprisingly, nearly two thirds of respondents noted IAM solutions were not properly configured, with 56 percent admitting roles and access rights were improperly entered. Only 50 percent of respondents said they review access policies and privileges monthly.

The opportunity for MSPs is, naturally, to first find and fix misconfigurations faster than an internal IT team can. The second is to define and better enforce policies. Internal IT teams are clearly struggling with reining in developers that either don’t know how to securely configure a cloud service, or may simply think it’s job that belong to someone else. Regardless of who is accountable, the fact remains that many of the challenges organizations are having with cloud security these days come down to simple negligence that MSPs are in a better position to prevent.

Photo: Calin Tatu / Shutterstock

Mike Vizard

Posted by Mike Vizard

Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike blogs about emerging cloud technology for Smarter MSP.

One Comment

  1. Avatar

    […] that have access to those cloud services that are not directly employed by an organization is also considerably higher. It’s not uncommon for a wide range of consultants to have credentials that enable them to easily […]

    Reply

Leave a reply

Your email address will not be published. Required fields are marked *