Cloud security misconfiguration is one of the biggest contributors to data breaches today. Here’s why it’s such a risk, and how to reduce your business’s exposure.

Key Points:

  • Study after study has underscored the large and growing problem of misconfigurations in cloud security.
  • The rapid growth and increasing complexity of multicloud environments are compounding the problem.
  • The solutions aren’t easy either, requiring improvements across people, processes and technology.

With great power comes great responsibility. Cloud services have enabled companies to restructure operations for remote working, in a lasting change born of the pandemic. But too many businesses have been overlooking or mishandling the security settings on those services, exposing themselves to cyberattacks.

What Is a Cloud Misconfiguration?

A misconfiguration occurs when your settings on a cloud-related system, asset or tool fail to provide adequate security for your network and data. The problem is becoming more complicated as many companies use more than one cloud service for email, data storage, collaboration, customer relationship management and other functions. Typical misconfigurations include internet-exposed storage, a failure to set or update security configurations on common cloud platforms such as Microsoft 365, and the mismanagement of access privileges for data, applications, systems and services.

Cybercriminals can exploit such gaps and then readily move across your business’s network from one cloud service to another, to steal data or drop ransomware. In nearly all cloud security failures, “it is the user, not the cloud provider, who fails to manage the controls used to protect an organization’s data,” according to Gartner, the market research firm.[1]

Why So Many Cloud Security Misconfigurations?

It’s hard for companies — particularly smaller ones — to manage the growing complexity of multiple cloud services and remote work. Their challenges in securing those services include:

  • Skills shortage: Nearly half of companies surveyed said their staff lacks cloud expertise, and about a third simply didn’t have enough staff to manage their cloud services, according to this year’s “State of Cloud Security” report from the Cloud Security Alliance (CSA).[2]
  • Time and money: Often, companies either can’t devote enough time or don’t have the budget to implement cloud security controls.
  • Lack of awareness: Many companies believe their cloud service providers cover their security needs by default, when it’s actually a shared responsibility that requires security measures by both parties. Or they don’t understand the implications their security measures may have for other requirements, such as data privacy compliance.
  • Pushback: Line-of-business employees and even senior management are known to push back on cumbersome security protocols, such as multifactor authentication, that they say disrupt their business processes and workflows.
  • Complex security tools: When cloud service providers offer add-on security features, they can be difficult to implement. The same can be true of third-party tools, especially when juggling multiple cloud services and security tools. Cloud service providers’ “continuous integration/continuous delivery” (CI/CD) practices for releasing features can open the door to more mistakes.
  • Shadow IT: Remote workers using unsanctioned cloud services as workarounds present an extreme risk of misconfiguration.
  • Lack of visibility and protection: Once an attack “lands” due to a misconfiguration, it can then expand unnoticed due to a lack of visibility and exfiltrate data, especially when data loss protection (DLP) tools are not present.[3]
  • Human error: Demands on security teams and systems administrators can lead them to take shortcuts or, simply, to make the wrong keystroke.

What’s the Impact of Cloud Misconfiguration?

“The more misconfigured you are, the more susceptible you are to data exfiltration and other styles of attack,” says Mimecast Senior Product Marketing Manager Andrew Williams. And the penalty can be harsh. “The impact is massive data breaches,” he says. “If we look at the top 10 data breaches that have taken place over the past six months, most of them are the result of a misconfiguration or a lack of the security basics in a cloud environment.”

Study after study underscores this large and growing problem, including:

  • Verizon’s authoritative “Data Breach Investigations Report” ranks misconfigurations in its top five patterns of breaches in 2021, behind social engineering, web application attacks and system intrusions.[4]
  • By one industry estimate, 65% of publicly disclosed security incidents in the cloud were the result of customer misconfigurations.[5]
  • Companies aren’t quite as hard on themselves in the CSA’s survey, yet they still rank security misconfigurations neck and neck with “cloud provider issues” as the cause of security incidents. In some cases, breaches have led to finger-pointing between cloud service providers and their customers regarding who was to blame.
  • Misconfigurations cost companies nearly $3.18 trillion worldwide in 2019, based on the estimated cost of lost data.[6]

How to Reduce Cloud Misconfigurations

Several steps are advised for reducing cloud misconfigurations and the attacks they invite, involving risk management, policies, processes, technology and people. Among them:

  • Risk management: Assess current security policies and configurations for gaps, either internally or with a vendor or consultant.
  • Policies and processes: Implement and enforce policies on cloud ownership, responsibility and risk acceptance, including central management and monitoring.
  • Technology: Introduce more security automation, visibility and data protection. Integrated tools are coming to market to ease some of the challenges of securing multicloud environments.
  • People: Address any skills gaps with training and certifications, whether from professional institutes or your vendors. Alternatively, work with managed security services providers.

The Bottom Line

Research shows that the misconfiguration of cloud security is one of the leading contributors to cyberattacks. Companies need to understand the causes, impacts and potential solutions to this large and growing problem.


[1] “Is the Cloud Secure?,” Gartner

[2] “State of Cloud Security,” Cloud Security Alliance

[3] “The Infrastructure-as-a-Service Adoption and Risk Report,” McAfee

[4] “Data Breach Investigations Report 2021,” Verizon

[5] “Cloud Threat Report 2021,” Palo Alto Networks

[6] “Cloud Misconfiguration Report,” Divvy
