January 25, 2023

Last Updated on January 4, 2024

Over 90% of security breaches in the public cloud are caused by customer error, not by the cloud service provider (CSP). And according to Temi Adebambo, Head of Security Solutions Architecture at Amazon Web Services (AWS), the vast majority of those customer-caused breaches and vulnerabilities fall into just two categories: identities and instance configurations.


Temi shared this insight and many others with host John Verry, Pivot Point Security CISO and Managing Partner, on a recent episode of The Virtual CISO Podcast.

The shared responsibility model
Temi frames the discussion by reminding us that public cloud security starts with a shared responsibility model.


“There’s a set of responsibilities for security that falls on the provider,” Temi explains. “Many times that’s everything below the OS—a good chunk of the networking, a good chunk of the hypervisor and the machines themselves. The responsibility of the customer is configuring their instances and their identities in the cloud, and how they’re keeping their data secure. And that’s where things start to fall apart.”


Because it’s so easy to spin up and proliferate new workloads in the cloud, organizations need to pay close attention to configuration so that those workloads don’t become open doors for attackers.

(Mis)managing identities
Identity management missteps create a huge number of cloud-based vulnerabilities.

“Some of the biggest falls in identity management are not following least privilege principles and having long-lived credentials,” Temi shares. “People have overly permissive identities, and they give them long-lived access to accounts. And it’s very common that some of those [identities], when they’re compromised, can then be used to access other resources.”
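The two identity failure modes Temi names, overly permissive policies and long-lived access keys, are both things you can test for mechanically. The script below is an added example, not code from the podcast or from Pivot Point Security. It checks an IAM policy document for Allow statements that grant wildcard actions or resources without a Condition, and flags Active access keys older than an assumed 90-day rotation threshold. The policy documents and key metadata are constructed inline in the shapes the AWS IAM API returns, so it runs without an account.

```python
"""Two offline checks for the identity failure modes described above:
overly permissive IAM policies and long-lived access keys.

Added example, not from the podcast or from Pivot Point Security. The
inputs mirror the shapes the AWS IAM API returns (a policy document and
list_access_keys metadata), but they are constructed here so the checks
run without an AWS account.
"""
from datetime import datetime, timedelta, timezone

# Assumed rotation threshold for this example; pick your own policy value.
MAX_KEY_AGE_DAYS = 90


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overly_permissive_statements(policy):
    """Return Sids (or positional labels) of Allow statements that grant a
    wildcard action ("*" or "service:*") or apply to every resource ("*")
    with no Condition narrowing them. Statements with a Condition are
    skipped here and deserve manual review rather than an automatic pass."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        wildcard_resource = "*" in resources
        if (wildcard_action or wildcard_resource) and "Condition" not in stmt:
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def stale_access_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (UserName, AccessKeyId, age_in_days) for every Active key
    created more than max_age_days before `now`. Inactive keys are ignored
    because they cannot authenticate, though they should still be deleted."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for key in keys:
        if key["Status"] != "Active" or key["CreateDate"] >= cutoff:
            continue
        age = (now - key["CreateDate"]).days
        stale.append((key["UserName"], key["AccessKeyId"], age))
    return stale


# --- Constructed sample data (not real accounts, keys, or policies) ---
NOW = datetime(2024, 1, 4, tzinfo=timezone.utc)

ADMIN_POLICY = {  # the "overly permissive identity" case
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}

SCOPED_POLICY = {  # least privilege: named actions on named resources
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        # A Deny with Resource "*" is a guard rail, not an exposure.
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny",
         "Action": "s3:PutObject", "Resource": "*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}

SAMPLE_KEYS = [  # shape of iam.list_access_keys()["AccessKeyMetadata"]
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0000000001",
     "Status": "Active", "CreateDate": NOW - timedelta(days=400)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000002",
     "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
    {"UserName": "legacy-svc", "AccessKeyId": "AKIAEXAMPLE0000000003",
     "Status": "Inactive", "CreateDate": NOW - timedelta(days=900)},
]

if __name__ == "__main__":
    print("permissive:", overly_permissive_statements(ADMIN_POLICY))  # ['AllowAll']
    print("scoped:", overly_permissive_statements(SCOPED_POLICY))     # []
    for user, key_id, age in stale_access_keys(SAMPLE_KEYS, NOW):
        print(f"rotate {key_id} for {user}: {age} days old")
```

In a real account you would feed `overly_permissive_statements` the documents from `iam.get_policy_version` and `stale_access_keys` the output of `iam.list_access_keys` for each user. The better fix for the key finding is usually to remove the long-lived key entirely in favour of short-lived role credentials, which is the point Temi is making.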


Offering open access

Most problems users have with configurations in the cloud are also simple and preventable.

“It’s just not blocking public access to resources,” Temi notes. “We’ve seen some exposures from not making things like S3 buckets and other storage locations private, or from having instances that are exposed to the internet. Those are very easy things to fix that you would probably identify quickly as well.”
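Both exposure paths Temi describes, a bucket policy that grants access to everyone and an instance whose security group admits the whole internet on a management port, can be caught from the configuration alone. The script below is an added example, not code from the podcast or from Pivot Point Security. The bucket policies and security groups are constructed inline in the shapes returned by the S3 GetBucketPolicy and EC2 DescribeSecurityGroups APIs, and the list of "sensitive" ports is an assumption for this example rather than an AWS recommendation.

```python
"""Two offline checks for the exposure paths described above: storage made
public through a bucket policy, and instances reachable from the whole
internet through a security group.

Added example, not from the podcast or from Pivot Point Security. The data
structures mirror the shapes AWS returns for s3 GetBucketPolicy and ec2
DescribeSecurityGroups, but they are constructed here so the checks run
without an account. SENSITIVE_PORTS is an assumption for this example.
"""

# Assumed: management and database ports that should never face 0.0.0.0/0.
SENSITIVE_PORTS = {22, 3389, 3306, 5432}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """A bucket policy Principal of "*" or {"AWS": "*"} means everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_bucket_statements(bucket_policy):
    """Return Sids (or positional labels) of Allow statements that grant
    access to any principal with no Condition. A public principal *with*
    a Condition (e.g. aws:SourceVpce) is not flagged here but still
    warrants review, since a weak condition is just as public."""
    findings = []
    for i, stmt in enumerate(_as_list(bucket_policy.get("Statement", []))):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_public(stmt.get("Principal"))
                and "Condition" not in stmt):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def internet_exposed_rules(security_group, sensitive_ports=SENSITIVE_PORTS):
    """Return (GroupId, protocol, from_port, to_port, cidr) for every
    ingress rule open to the world that covers a sensitive port or all
    traffic. Port 443 open to the world on a web tier is not flagged."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                 + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
        world = [c for c in cidrs if c in WORLD_CIDRS]
        if not world:
            continue
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # IpProtocol "-1" means all traffic and carries no port range.
        all_traffic = proto == "-1" or lo is None or hi is None
        if all_traffic or any(lo <= p <= hi for p in sensitive_ports):
            for cidr in world:
                findings.append((security_group["GroupId"], proto, lo, hi, cidr))
    return findings


# --- Constructed sample data (no real buckets, accounts, or groups) ---
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        # Deny to everyone over plain HTTP: a public principal, but a guard rail.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

WEB_SG = {"GroupId": "sg-0web0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}

BASTION_SG = {"GroupId": "sg-0bast0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}

if __name__ == "__main__":
    print(public_bucket_statements(PUBLIC_READ_POLICY))  # ['PublicRead']
    print(public_bucket_statements(PRIVATE_POLICY))      # []
    print(internet_exposed_rules(WEB_SG))                # []
    print(internet_exposed_rules(BASTION_SG))
```

The bucket check deliberately ignores Deny statements, which is why the `DenyInsecureTransport` statement with `Principal: "*"` passes: it restricts access rather than granting it. In practice you would pair this with the account-level S3 Block Public Access setting, which stops a public policy from taking effect even if one is written.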


What’s next?

To listen to this podcast episode with Temi Adebambo, click here.


Many CSPs are looking to shift the security burden off their users where possible. This blog post explains: The Cloud Security “Shared Responsibility” Model is Evolving
