Gartner: “it is the user, not the cloud provider” who causes data breaches

Gartner’s recommendations on cloud computing strategy open the rightful discussion on the roles and responsibilities of different actors involved in cloud security. How many security and data breaches happen due to Cloud Service Providers (CSP) flaws, and how many of them are caused by CSP’s customers and human beings dealing with the cloud on a daily base? Gartner predicts that through 2025 99% of cloud security failures will be the customer’s fault. Such a prediction can only be based on the current numbers that obviously should demonstrate that the vast majority of breaches come due to CSP clients’ issues.

Among other reason, the first place is taken by data breaches coming from misconfiguration of the cloud environment and security flaws in software that were missed by DevOps and IT teams working in the cloud.

While the workloads and data keep moving to the cloud, DevOps and IT teams often lack the required skill sets to properly configure and maintain cloud-based software. The likelihood of an unintentional misconfiguration is increased because the majority of seasoned IT workers have significantly more expertise and training with on-premises security than they do with the cloud. While younger, less experienced workers may be more acclimated to publishing data to the cloud, they may not be as familiar with dealing with security, which might result in configuration errors.

Some of the team members have near heard of the Roles Based Access Control (RBAC) principle and will have real trouble working in the cloud like AWS being required to properly set up IAM users and IAM roles for each software component and service. These DevOps and IT engineers need to take intensive training to close the cloud security gap. Until it is done the enterprise will keep struggling from improper configuration, production failures and periodic security breaches.

Simple solutions like a firewall can add an additional degree of security for data and workloads, either for on-prem, hybrid, or pure cloud deployments. And yet, even simple things like that add another dimension of IT complexity and risk due to possible misconfiguration because of a human mistake or a vulnerable historical software package.