Skip to content
  • Fortra-Logo-TM-SkyBlue
  • File Sharing & DRM Blog
    • Digital Rights Management
    • Secure File Sharing & Compliance
    • Intellectual Property Protection
  • Partners
  • Company
    • About Us
    • Leadership
    • Careers
    • Contact Us
  • Support
  • Contact
  • Search
yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
  • Why Vera?
  • Product
  • Solutions
    • By Industry
      • Manufacturing
      • Media & Entertainment
      • Financial Services
      • Venture Capital & PE
      • Technology
      • Healthcare
    • By Technology
      • DRM
      • Data Classification
      • DLP
      • Secure File Transfer
      • CASB
      • Office365
    • Column 3
  • Customers
  • Resources
  • Pricing
  • Book a Demo
    Book a Demo
Vera  »  File Sharing & DRM Blog  »  Secure File Sharing & Compliance   »   When Cloud Misconfiguration Risks Threaten Your Data
Back to File Sharing & DRM Blog
PrevPrevious Post
Next PostNext

When Cloud Misconfiguration Risks Threaten Your Data

  • February 6, 2020
  • Tamera Haney

Security concerns that were common in the nascent stages of cloud infrastructure are mostly a memory. Cloud adoption is now widespread and security for both public and private clouds has improved considerably. Even so, data in the cloud is unfortunately still vulnerable due to a different challenge – cloud misconfiguration.

Many recent instances of misconfigured clouds show data being exposed or breaches occurring in healthcare, finance, telecommunications, hospitality, technology―almost every sector is vulnerable. For example, last year’s high profile breaches at Capital One and Facebook resulted from misconfigured AWS S3 buckets (where objects are stored). Research released in September 2019 by McAfee noted that the “majority of IaaS misconfigurations go unnoticed… only 1% are reported, which may suggest countless companies are unwittingly leaking data.” 

One of the predominant reasons for this development is that most leading cloud providers maintain a “shared responsibility” model, wherein the provider bears responsibility for protecting its hardware and software infrastructure, but the customer bears responsibility for protecting the data that it puts there. The Oracle and KPMG Cloud Threat Report 2019 revealed that 90% of Chief Information Security Officers (CISOs) do not fully understand their team’s role in that shared responsibility model; although 49% said they expect to store the majority of their data in a public cloud by 2020. Well, here we are.

When deployment of cloud workloads (like IaaS, PaaS, SaaS, containers and serverless), and cloud security services (like networking, encryption, WAF and SIEM) are not automated, configurations are done manually, increasing the chances for human error. Default configurations can also cause problems. 

For example, the Box breach from March 2019 that left hundreds of thousands of sensitive documents exposed was actually the result of a default setting that was easily exploited by security researchers. While it worked exactly as designed, the Box deployment was misconfigured by users. Box has since changed those default settings. And, to its credit, AWS now proactively scans customer accounts to warn customers of any misconfigurations that may surface. 

Other common errors include insufficient access restrictions, not following internal security policies, and failing to audit resources. But while some may like to “blame the victim” for not adequately securing access to their data, even firms who are highly sophisticated and mature in their security approach can still get hacked―attackers these days are very resourceful. 

Consequently, protection needs to get down to the data itself. A variety of market solutions address file and content protection across various third party repositories. While most are well-suited to defending static data, protecting data in motion is equally important and must be factored into the solution. Given the extent to which data-sharing with third and even fourth parties is regularly practiced, one simply can’t anticipate where sensitive data might end up.

Further, protecting data in the cloud has to be approached as part of a robust ecosystem of security technologies, rather than as a vendor-specific or niche concern. Data-level defense needs to integrate with varying parts of a complex security infrastructure, readily working with other important components of the stack like data classification, data loss prevention and activity monitoring products.

VERA’s trusted architecture makes it easy for organizations to secure a variety of file types in the cloud, including any files that are accessed because of a misconfiguration. Our powerful platform protects structured and unstructured data through encryption, access control, and dynamic policy that dictates what users can and cannot do with the data – when they have authorized access and when they don’t. Easily integrating with existing business productivity, collaboration and security systems, VERA protects any file type, in the cloud or on-prem, keeping data secure, fully track-able and, most importantly, revocable.

Recent Posts

  • PII Compliance Checklist: How to Protect Private Data January 26, 2023
  • How to Prevent Third-Party Vendor Breaches January 17, 2023
  • How to Prevent Data Loss in 10 Different Ways December 19, 2022
  • The Complete Guide to Brand Protection December 15, 2022
  • Top Benefits of Cloud-Based Access Control November 30, 2022

Learn where DRM fits in your data protection strategy

Get started

Keep your most sensitive data in the right hands​

Schedule a demo
PrevPrevious Post
Next PostNext

Featured Blog

  • July 14, 2021
Heads up! New Canadian Data Privacy Act is Around the Corner
  • January 14, 2021
Enhancing Zero Trust beyond identity to data itself
  • January 14, 2021
How to Manage Data Risk in the Finance Function

News

Press

Events

Awards

File Sharing & DRM Blog

Digital Rights Management

Secure File Sharing & Compliance

Intellectual Property Protection

Follow Us

Twitter Linkedin-in Facebook-f Youtube
Copyright © Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners. Terms of Service |  Privacy Policy  |  Cookie Policy  | Contact Us