
Cloud misconfigurations can be caused by too many admins

When it comes to cloud security, enterprise employees can be their own worst enemy, especially when organizations stray too far from least-privilege models of access.

Data exposures have been a constant topic of news recently — often blamed on cloud misconfigurations — and have led to voter records, Verizon customer data and even army secrets being publicly available in cloud storage.

In a Q&A, BetterCloud CEO and founder David Politis discussed why SaaS security has become such big news and how enterprises can take control of these cloud misconfigurations in order to protect data.

Editor’s note: This conversation has been edited for length and clarity.

There have been quite a few stories recently about cloud misconfigurations leading to exposures of data. Do you think this is a new issue or just something that is becoming more visible now?

David Politis: This is an issue that has been around really since people started adopting SaaS applications. But it’s only coming out now because, in a lot of cases, the misconfigurations are not identified until it’s too late. In most cases, business configurations were in place when the stock application was deployed, or they were in place when the setting was changed years ago or six months ago, and it’s not until some high-profile exposure happens that the organization starts paying attention to it.


We’ve actually seen this recently. We had a couple of customers that we’ve been talking to for, in one case, three years. And we told them three years ago, ‘You’re going to have issue X, Y and Z down the line, because you have too many administrators and because you have this issue with groups.’ And for three years, it has been living dormant, essentially. And then, all of a sudden, they had an issue where all their groups got exposed to all the employees in the company. It’s a 10,000-person company, where every single employee in the entire company could read every single email distribution list.

Similarly, another company that we’ve talked to for a year came to us three weeks ago and said, ‘I know you told us we’re going to have these problems, where we just had one of the super admins that should not have been a super admin incorrectly delete about a third of our company’ — they’re about a 3,000-person company — ‘and a third of the company just was left without email, without documents and without calendars and thought they got fired.’

A thousand people, in a matter of minutes, thought they got fired, because they had no access to anything. And they had to go and restore that app. Fifteen minutes of downtime for 1,000 people is a lot of confusion.

We’ve seen these types of incidents, and we’re seeing it in these environments. This is why we started the company almost seven years ago now.