Over the last decade I have met with many companies looking at making their move to the cloud and the most common issue has always been security. For the first 6 or 7 years, most companies believed they were better than the cloud vendors. Lately, that tune has changed and almost all companies seem to acknowledge that the biggest cloud vendors are more secure. When you look closely at how Amazon, Google, and Microsoft run and operate their clouds, these vendors provide a level of security that almost no other company could match on-premises.
But, does this create a false sense of security in how we setup and operate systems in the cloud? Based on this study from SkyHigh Networks it suggests companies do have a false sense of security in the cloud. Many of these security issues identified are simple misconfigurations or maybe not fully understanding how a service operates in a secure manner. But a simple mistake in something like your core storage service could leave millions of customer records open for grabs.
The major cloud vendors have all moved to enabling additional security by default in most cases, but some services that have been running for longer could still be vulnerable. The important lesson here is that just because the cloud vendor is secure doesn't mean your own data and apps are secure. We still need to follow best practices, make sure the settings are implemented correctly, and consider using security services to help watch and review what has been done to avoid these kind of issues.
A recent study by SkyHigh Networks found 7 percent of all Amazon S3 servers are exposed which may explain a recent surge of data leaks in the last few months including the information on 198 million American voters, 14 million Verizon customers, and several Viacom networks to name a few.