- Companies miss 99% of infrastructure as a service (IaaS) misconfigurations, according to McAfee research, which surveyed 1,000 IT professionals about misconfigurations. The security firm also included analysis of its customers' IaaS environments.
- Contributing to the problem, only 26% of companies have tools required to properly audit IaaS configurations, McAfee found.
- Configuration becomes more complex as companies adopt multicloud environments. While three-quarters of respondents say they use multiple IaaS providers, in reality that number is 92%, according to McAfee.
The increased adoption of cloud technology is making it easier for configuration errors to creep in. Part of the concern is there is a disconnect between how many misconfiguration errors companies think they have, and the reality.
In some cases, companies aren't even aware of the number of IaaS providers they have.
Survey respondents say they have 37 misconfiguration incidents in IaaS environment every month, but McAfee data indicates that number is closer to 3,500. While 73% of those misconfigurations are eventually resolved, 27% remain vulnerable, according to the research.
While thousands of incidents seems glaring, 60% of respondents say misconfigurations are resolved within hours, according to McAfee. Just 2% of those surveyed say incidents are resolved "within months."
Cloud configuration errors have received much attention in recent months, as companies look to Capital One's data breach as an example of what can go wrong in an IaaS environment. Critique arose about the company's cloud-first strategy and many questioned the cloud's security.
Companies miss configurations frequently, but it is not their burden to shoulder alone. In cloud environments, vendors follow a shared security model where customers are responsible for security "in" the cloud, while vendors ensure physical infrastructure remains secure.
But even Amazon Web Services has said it can do more. Following the Capital One incident, AWS says it is working to further support customer security scanning customer builds for misconfigurations.