McAfee-2019年云计算普及和风险报告（英文）-2019.5-20页.pdf

REPORTCloud Adoption and Risk Report2019REPORT2Cloud Adoption and Risk ReportThrough analysis of billions of anonymized cloud events across a broad set of enterprise organizations*,we can determine the current state of how the cloud is truly being used,and where our risk lies.Consider that nearly a quarter of data in the cloud is sensitive,and that sharing of sensitive data in the cloud has increased 53%year-over-year.If we dont appropriately control access and protect our data from threats,we put our enterprises at risk.IaaS/PaaS providers like AWS are increasing the productivity of our developers and making our organizations extraordinarily agile.However organizations on average have at least 14 misconfigured IaaS instances running at any given time,resulting in an average of 2,269 misconfiguration incidents per month.Prominently,5.5%of all AWS S3 buckets in use are misconfigured to be publicly readable.We can see the risk of immediate and grand-scale loss of data starting to grow with these trends.We need to get the basics right,or face losing the opportunity for business acceleration before the gas pedal can hit the floor.The majority of threats to data in the cloud result from compromised accounts and insider threats.80%of organizations are going to experience at least 1 compromised account threat in the cloud this month.92%currently have stolen cloud credentials for sale on the Dark Web.Cloud Adoption and Risk ReportExecutive Summary Cloud services bring a momentous opportunity to accelerate business through their ability to quickly scale,allow us to be agile with our resources,and provide new opportunities for collaboration.As we all take advantage of the cloud,theres one thing we cant forgetour data.When using software-as-a-service(SaaS)we are responsible for the security of our data,and need to ensure it is accessed appropriately.When using infrastructure-as-a-service(IaaS)or platform-as-a-service(PaaS),we are additionally responsible for the security of our workloads,and need to ensure the underlying application and infrastructure components are not misconfigured.Connect With Us2019*Many of the data points we cite in this report are determined by enterprise policy.For example,classifications of“sensitive data”are set by the organizations in our study,not McAfee.Our visibility is limited to the results of that policy,not the actual data.3Cloud Adoption and Risk ReportREPORTFortunately,the cloud is still bringing more opportunities than threats.Cloud use is extremely broad,with most organizations using approximately 1,935 cloud services,up 15%year-over-year.Unfortunately,most think they only use 30.Key Findings 21%of all files in the cloud contain sensitive data,up 17%over the past two years.The amount of files with sensitive data shared in the cloud has increased 53%YoY.Sharing sensitive data with an open,publicly accessible link has increased by 23%over the past two years.94%of IaaS/PaaS use is in AWS,but 78%of organizations using IaaS/PaaS use both AWS and Azure.Enterprise organizations have an average of 14 misconfigured IaaS/PaaS instances running at one time,resulting in an average of 2,269 individual misconfiguration incidents per month.5.5%of AWS S3 buckets have world read permissions,making them open to the public.The average organization generates over 3.2 billion events per month in the cloud,of which 3,217 are anomalous,and 31.3 are actual threat events.Threat events in the cloud,promised account,privileged user,or insider threat have increased 27.7%YoY.80%of all organizations experience at least 1 compromised account threat per month.92%of all organizations have stolen cloud credentials for sale on the Dark Web.Threats in Office 365 have grown by 63%in the last two years.The average organization uses 1,935 unique cloud services,an increase of 15%from last year.Most organizations think they use about 30.REPORT4Cloud Adoption and Risk ReportTable of Contents5 Breaking Down Sources of Cloud Data Risk 7 When Sharing Isnt CaringCloud Collaboration as a Blessing and a Curse8 You Can Bet Your IaaS is Misconfigured So Dont Forget the Basics10 Internal and External Threats11 Compromised accounts11 Insider threats11 Privileged user threats12 Cloud threat funnel12 Cloud Usage Trends13 Average number of services14 Native security controls vary by provider15 The top cloud services15 Top 10 enterprise cloud services16 Top 10 collaboration and file sharing services16 Top 10 consumer cloud services17 Top 10 social media services17 Perception vs RealityTotal Cloud Services18 Perception vs Reality“Over Trusting”Cloud Services to Keep Data Secure5Cloud Adoption and Risk ReportREPORTBreaking Down Sources of Cloud Data RiskThe use of cloud services is ubiquitousweve seen this rise over the past decade to the point where many of our organizations couldnt function today without the cloud.Critical to this growth is the understanding that data,and most importantly sensitive data,now lives in the cloud and must be protected.In our last survey on cloud adoption in mid-2018,we found that 83%of organizations worldwide store sensitive data in the cloud.1 Even as the absolute number of files stored in the cloud has increased rapidly,the percentage of files that contain sensitive data has also grown,today standing at 21%with an increase of 17%over the past two years.So not only do most organizations place trust in their public cloud service providers to store their sensitive data,nearly a quarter of all data in the cloud meets the need for stringent protection.Lets get specific and look at the categories classified as sensitive data here:Figure 1.Types of sensitive data in the cloud.Not surprisingly,the classification of“confidential data”takes the largest share of all sensitive data in the cloud at 27%.More interesting is the increase in trustthe total amount of confidential data stored in the cloud rose 28%over the past two years.During that time,weve seen services like Box and Microsoft Office 365 rise in popularity,concurrently carrying with them the shift of corporate data to the cloud.Figure 2.Confidential data in the cloudpercentage of total data in the cloud.of all files in the cloud contain sensitive data.21%27%Confidential20%Email17%Password protected16%Pll12%Payment9%PHIPercentage of total data in the cloud3.00%3.50%4.00%4.50%5.00%5.50%6.00%2016201720184.4%5.6%5.64%6Cloud Adoption and Risk ReportREPORTSpecifically,with the rise in popularity of Office 365,we see an even larger increase in sensitive data flowing through cloud-based email,primarily Exchange Online.Today,20%of all sensitive data in the cloud runs through email services like Exchange Online in Office 365,a volume which has increased 59%in the past two years.Email remains one of the easiest vectors for data loss,and moving it to the cloud removes visibility for IT teams that could once monitor SMTP traffic on their own servers.Well see a few more trends related to data flowing through email in the next sectionbut for now the growth and inherent loss of visibility remain significant on their own.Figure 3.Sensitive data in cloud-based emailpercentage of total data in the cloud.Lets look at the rest of the sensitive data types we evaluated for additional insight:Figure 4.Sensitive data types in the cloudpercentage of total data in the cloud.The first insight we can take from the remaining data types is a sharp decline of-20%YoY in Personally Identifiable Information(PII)in the cloud,which could be a result of several trends.For one,the proportion of cloud use in corporate environments is increasingly for business,as opposed to personal use.Many cloud services,such as Dropbox,came into the enterprise as consumer services and quickly transitioned to business use cases as their utility became apparent.Another cause could be end-user diligence,keeping PII out of the cloud as a result of security awareness.We may need to give our end-users the benefit of the doubt on this one.Next,we see gradual increases in personal healthcare information(PHI)and password protected data,at Percentage of total data in the cloud2.00%2.50%3.00%3.50%4.00%4.50%5.00%2016201720182.7%4.1%4.3%Percentage of total data in the cloud1.00%2.00%3.00%3.50%5.50%6.00%1.50%2.50%4.00%4.50%5.00%ConfidentialEmailPassowordprotectedPllPaymentPHI2016201720187Cloud Adoption and Risk ReportREPORT16%and 13%respectively over the past two years.While healthcare information accounts for only 9%of all sensitive data in the cloud,it is encouraging to see trust increase for this highly regulated industry.Lastly,payment data remains stable at approximately 12%of all sensitive data in the cloud on an annual basis.What we take away from this breakdown is the increase in trust to store broad categories of sensitive information in the cloud.As the proportion of our data shifts from servers we own to services we use,so does the potential risk.Its critical that we understand what goes into the cloud,so we can protect it with that growing proportion of risk in mind.When Sharing isnt CaringCloud Collaboration as a Blessing and a CurseOur data lives in the cloud,and as we learned,nearly a quarter of it requires protection to limit our risk.However,the risk of exposure is counter to one of the key tenets of many cloud servicescollaboration.Cloud storage services like Box,or productivity suites like Office 365 are used to increase the fluidity of collaboration.But of course,collaboration means sharing,and that sharing can lead to the loss of our sensitive data.Looking at global cloud use today,we see that 22%of cloud users actively share files in the cloud and 48%of all files in the cloud are eventually shared.Both are on the rise.The number of active sharing cloud users is up 33%over the past two years,and total files shared is also up 12%over the same period.Figure 5.Percentage of cloud users who share files.Figure 6.Percentage of files shared in the cloud.16%17%18%21%19%20%201623%22%2017201816.76%18.45%22.3%40%41%42%46%43%45%201648%47%2017201844%49%43.1%46.6%48.3%8Cloud Adoption and Risk ReportREPORTIf the 48%of files being shared were limited to party invites and pet photos wed have a much easier time managing our cloud risk.There are two areas that we need to draw our attention to here:what kind of data is being shared,and where its going.Lets start with where:Figure 7.Where cloud files are shared.Two categories immediately raise red flags:personal email addresses,and anyone with a link.Anyone using a corporate cloud account and sending data to a personal email address is invariably removing that data from any oversight by the information security team.Even worse however is data shared to anyone with an open link,potentially leading to uncontrollable sprawl of data to completely unknown individuals and organizations.Once a file in a service like Box or OneDrive is set to open access by“anyone with a link”,that is essentially like running a web hosting service for the world,letting anyone hit that link and have the data.Now of course the heart of the risk lies in the content of whats being shared,and where its going.Currently 8%of all files shared in the cloud contain sensitive data.Over the past two years,files shared with sensitive data to“anyone with a link”have risen 23%,files sent to a personal email address are up 12%,and those shared with business partners up 10%.Its imperative to understand and control how sensitive data is being shared to reduce risk while maintaining business acceleration through the use of the cloud.You Can Bet Your IaaS is MisconfiguredSo Dont Forget the BasicsData doesnt just live in SaaS applications like Salesforce or Office 365.Amazon Web Services(AWS)has been not-so-quietly driving the transformation of server and data center infrastructure to cloud-based services,classified as Infrastructure-as-a-Service(IaaS)and Platform-as-a-Service(PaaS think serverless computing like AWS Lambda).Today,65%of organizations around the world use some form of IaaS,52%for PaaS.1The draw is undeniable.Servers are expensive to buy and maintain,not to mention slow to roll out.IaaS and PaaS erase those problems,giving IT teams the option to spin up VMs,containers,or functions-as-a-service at will.The ability to rapidly scale and the boost in agility are far too compelling to ignore.Naturally,this isnt just the AWS show.Microsoft has Azure,and Google their Cloud Platform(GCP),among others.The market dynamic is interesting here on two fronts,one of which especially has implications for IT strategy.First,when we look at IaaS/PaaS usage 62%Business partners14%Personal emailaddresses12%Other12%Anyone with a link94%AWS4%Azure1%GCPFigure 8.Usage share for IaaS.9Cloud Adoption and Risk ReportREPORTworldwide,AWS absolutely leads the pack with 94%of all access events,leaving 3.7%for Azure and 1.3%for GCP.However,78%of organizations are currently using both AWS and Azure together,typically as an official multicloud strategy.So,AWS is used the most,but in the vast majority of organizations,employees have Azure accounts too.The implication here comes down to visibility and management.When our infrastructure runs in two or more providers,much like using multiple SaaS apps,do we have consistent security across them?Figure 9.Multicloud vs single cloud.In our research we found that on average,enterprises using IaaS/PaaS have 14 misconfigured services running at any given time,resulting in an average of 2,269 misconfiguration incidents per month.Here are the top 10 AWS misconfigurations we see:1.EBS data encryption is not turned on.2.Theres unrestricted outbound access.3.Access to resources is not provisioned using IAM roles.4.EC2 security group port is misconfigured.5.EC2 security group inbound access is misconfigured.6.Unencrypted AMI discovered.7.Unused security groups discovered.8.VPC Flow logs are disabled.9.Multi-factor authentication is not enabled for IAM users.10.S3 bucket encryption is not turned on.Misconfiguration“sounds”bad on its own,but why should we really care?Again,it comes down to the data.When organizations we work with turn on Data Loss Prevention(DLP),they see an average of 1,527 DLP incidents in their IaaS/PaaS storage per month.That means they detected sensitive data that either shouldnt be there,or that requires additional monitoring and security controls.All told,27%of organizations using/PaaS have experienced data theft from their cloud infrastructure.1There are a few more common misconfigurations we see that didnt make the list but have serious implications for data loss and risk to our IaaS/PaaS environments.First,looking at our view of the AWS universe,we can see that 5.5%of all S3 storage buckets have“world read”permissions,meaning they are open to the public.Despite the news over the past few years with so many public incidents of data exposure in open S3 buckets,this common but serious misconfiguration remains stubbornly unmoving.of S3 storage buckets have“world read”permissions.5.5%78%A