Rethinking Cyber-Defense Strategies in the Public-Cloud Age (Security News, April 2022)
In a September 2021 report from the nonprofit Cloud Security Alliance, nearly 70 percent of respondents - comprising 1,090 IT and security professionals - reported that their company's cloud security, IT operations and developer teams are misaligned on security policies and/or enforcement strategies.
March 2021: The arts-and-crafts retailer Hobby Lobby left 138GB of sensitive customer information, source code for the company's app, and employee names and email addresses open to the public internet because of a cloud misconfiguration in its Amazon Web Services cloud database.
In 2020, the U.S. National Security Agency concluded that misconfiguration of cloud resources was the most common cloud cyberrisk.
As the NSA has explained in the past, public-cloud service providers often provide tools to help manage cloud configuration, and yet misconfiguration on the part of end customers "remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services."
Another top blind spot in cloud security is lack of visibility, whether into exactly what data and workloads are in an organization's public cloud accounts or into which cloud applications are being provisioned outside of IT teams' view.
1Password CEO Jeff Shiner explained what can happen if, say, workers are using two popular cloud services: Airtable - a cloud collaboration service that offers the features of a database but applied to a spreadsheet - and the grammar-checking service Grammarly: "Say Carlos populates Airtable with customer data for his email campaigns, and Anita checks sensitive legal documents in Grammarly. Without thinking about it, they're sharing a lot of important data with external companies that IT doesn't even know about."