Cloud encryption rates are disastrously low, research

Come on in, the door's open


Research by security vendor Qualys has revealed that organisations are failing to use cloud security controls to a spectacular extent, leaving their data vulnerable to attack.

Qualys examined customer data across the "big three" cloud providers: Microsoft Azure, Google Cloud Platform and AWS. It found problems with how security controls are implemented and managed across all three.

Particularly problematic is the implementation of encryption, said Atul Parmar, senior security analyst for cloud security compliance at Qualys, in a blog post.

"It is crucial to understand both how to set up encryption properly and that setting up encryption incorrectly can leave your data exposed to potential threats," Parmar wrote, noting that this is generally a standard feature provided by CSPs.

"Enabling encryption is often as easy as checking a box in your settings," he said. "It is surprising how often users overlook this simple yet essential security measure."

The report highlights extremely high failure rates in common encryption-related controls. For example, the encryption controls for MySQL Server in Microsoft Azure have a 90% failure rate, while 98% of instances of GCP's Compute Engine and storage services are not properly secured. In AWS, Qualys discovered a 71% failure rate in Lambda serverless encryption controls.

The blog post does not say what proportion of these failures were in production environments, nor does it lay out exactly what constitutes a failure for each control, but the fact remains that misconfigured cloud services are a major source of vulnerabilities. Encryption should be on by default, and with a key the customer controls.

Stories of unencrypted, web-facing cloud-based repositories being hacked are legion, with negligence the most common factor. The best-known illustration of what negligence costs remains the Equifax data breach of 2017, which compromised the data of about 148 million individuals, although that attack went through an unpatched web application rather than a misconfigured storage service.

Just last week the Welsh Rugby Union (WRU) launched an investigation after an unsecured S3 bucket exposed the personal information of nearly 70,000 members.

The Qualys researchers found that many basic security settings are being overlooked by operational staff. This could be due to a lack of security planning, unfamiliarity with the technology or lack of awareness about the risks.

"Cloud service providers like AWS, Azure and GCP are responsible for the security 'of the cloud' itself — the infrastructure, hardware, etc," said Parmar. "However, customers bear responsibility for the security 'in the cloud' — for safeguarding their sensitive data."

To address the issue, organisations should ensure they properly understand key management and server-side encryption practices.
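The failure rates quoted above only make sense against a definition of "failure", and the key-management point here is where most of the nuance sits: all three providers encrypt storage at rest with a provider-managed key unless told otherwise, so a control usually fails not because data is in cleartext but because nobody chose a key the account controls. The following is an added example (the editor's code, not Qualys's and not any provider's tooling) that applies three such rules offline. The pass/fail policy for each control is an assumption about what a reasonable benchmark would require, and the inventory is constructed to mirror the JSON shape of `aws s3api get-bucket-encryption`, `aws lambda get-function-configuration` and `gcloud compute disks describe --format=json`; in practice you would feed those command outputs in. The Azure MySQL control is not modelled because the post does not say which setting was measured.

```python
# Added example, not code from the original article, Qualys or any cloud provider.
# Evaluates three encryption controls over a constructed inventory that mimics the
# JSON returned by:
#   aws s3api get-bucket-encryption --bucket <name>
#   aws lambda get-function-configuration --function-name <name>
#   gcloud compute disks describe <name> --format=json
# Each policy below is an assumed rule, stated in the function docstring.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Finding:
    service: str
    resource: str
    passed: bool
    reasons: list[str] = field(default_factory=list)


def check_s3_bucket(name: str, sse_config: dict | None) -> Finding:
    """Assumed policy: default encryption must be SSE-KMS with an explicit key
    the account controls. SSE-S3 (AES256), aws:kms without a key ID (falls back
    to the AWS-managed aws/s3 key) or no rule at all fails. `sse_config` is the
    ServerSideEncryptionConfiguration value, or None when the API raised
    ServerSideEncryptionConfigurationNotFoundError."""
    reasons = []
    if not sse_config or not sse_config.get("Rules"):
        reasons.append("no default encryption rule configured")
    else:
        for rule in sse_config["Rules"]:
            default = rule.get("ApplyServerSideEncryptionByDefault", {})
            algo = default.get("SSEAlgorithm")
            if algo != "aws:kms":
                reasons.append(f"SSEAlgorithm is {algo!r}, expected 'aws:kms'")
            elif not default.get("KMSMasterKeyID"):
                reasons.append("aws:kms without KMSMasterKeyID (AWS-managed key)")
    return Finding("s3", name, not reasons, reasons)


def check_lambda_function(cfg: dict) -> Finding:
    """Assumed policy: a function carrying environment variables must name a
    customer-managed key in KMSKeyArn; an absent KMSKeyArn means Lambda's
    default AWS-managed key, whose key policy the account cannot scope."""
    env = cfg.get("Environment", {}).get("Variables", {})
    reasons = []
    if env and not cfg.get("KMSKeyArn"):
        reasons.append(f"{len(env)} environment variable(s), no customer-managed KMSKeyArn")
    return Finding("lambda", cfg["FunctionName"], not reasons, reasons)


def check_gce_disk(disk: dict) -> Finding:
    """Assumed policy: a persistent disk must use a customer-managed (CMEK,
    kmsKeyName) or customer-supplied (CSEK, sha256) key; a disk with no
    diskEncryptionKey block relies on Google-managed default encryption."""
    key = disk.get("diskEncryptionKey", {})
    reasons = []
    if not (key.get("kmsKeyName") or key.get("sha256")):
        reasons.append("no CMEK/CSEK; Google-managed default encryption only")
    return Finding("gce-disk", disk["name"], not reasons, reasons)


def failure_rates(findings: list[Finding]) -> dict[str, float]:
    """Per-service failure rate, the kind of figure the post reports per control."""
    totals: dict[str, list[int]] = {}
    for f in findings:
        t = totals.setdefault(f.service, [0, 0])
        t[0] += 1
        t[1] += 0 if f.passed else 1
    return {svc: fails / n for svc, (n, fails) in totals.items()}


# Constructed sample inventory: fictitious account, bucket, function and disk names.
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_S3 = {
    "logs-prod": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN}}]},
    "exports-prod": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"}}]},
    "legacy-uploads": None,  # get-bucket-encryption raised: no configuration
}
SAMPLE_LAMBDA = [
    {"FunctionName": "ingest", "KMSKeyArn": KEY_ARN,
     "Environment": {"Variables": {"DB_HOST": "db.internal"}}},
    {"FunctionName": "notify",
     "Environment": {"Variables": {"SMTP_PASSWORD": "placeholder-value"}}},
    {"FunctionName": "healthcheck"},  # no environment variables at all
]
SAMPLE_GCE = [
    {"name": "web-1", "diskEncryptionKey": {
        "kmsKeyName": "projects/demo/locations/europe-west2/keyRings/r/cryptoKeys/k"}},
    {"name": "web-2"},
]


def run_audit() -> list[Finding]:
    findings = [check_s3_bucket(n, c) for n, c in SAMPLE_S3.items()]
    findings += [check_lambda_function(c) for c in SAMPLE_LAMBDA]
    findings += [check_gce_disk(d) for d in SAMPLE_GCE]
    return findings


if __name__ == "__main__":
    results = run_audit()
    for f in results:
        status = "PASS" if f.passed else "FAIL"
        print(f"{status} {f.service}/{f.resource} {'; '.join(f.reasons)}")
    for svc, rate in failure_rates(results).items():
        print(f"{svc}: {rate:.0%} of resources fail")
```

Two things worth noticing when you point this at real output. First, `legacy-uploads` and `exports-prod` both fail under this policy even though neither stores cleartext: S3 has applied SSE-S3 to every new object since January 2023, so the question the control really asks is who holds the key. Second, `healthcheck` passes because it has nothing to protect; a benchmark that counts every function without a `KMSKeyArn` as a failure will inflate the rate, which is one reason to ask what "failure" meant before repeating a percentage.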