Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity NewswireCybersecurity News

44% of cloud privileges are misconfigured

cloud-computing-freepik
August 3, 2021

An estimated 44% of cloud user privileges are misconfigured, leaving companies at risk, according to Varonis’s 2021 SaaS Risk Report.

Varonis gathered and analyzed data from over 200,000 cloud identities and hundreds of millions of cloud assets for the report. The report covers key trends, and challenges organizations face when trying to control unsupervised identities and shadow privileges that can put data at risk across a fragmented SaaS & IaaS environment.

Brendan O’Connor, CEO and Co-Founder at AppOmni, says, “The misconfiguration and access problems we see now are not new - we are just now waking up to them. When it comes to SaaS applications, the landscape is far more heterogeneous than the consolidated on-prem technologies organizations may have used in the past. Unlike focusing on just a couple of key technologies, like Windows and Mac, or Android and iPhone, most enterprises use dozens or even hundreds of different SaaS applications. This means that security teams will not be able to specialize in these technologies in the same way.”

Another challenge for security teams is the dynamic nature of cloud and SaaS platforms, says O’Connor. “In addition to standard business updates - like adding or removing users or changing permissions - there are also frequent vendor releases that often include both new functionality and new security settings. The constant change inherent in cloud and SaaS platforms makes them especially vulnerable to configuration drift.”

AppOmni’s research has revealed results similar to Varonis’s data. AppOmni data has shown that more than 95% of businesses have external users that are over-provisioned with access to sensitive data. Additionally, more than 55% of businesses have sensitive data exposed to the anonymous internet. O’Connor adds, “These numbers are unacceptable and should be a red flag to all CISOs and CIOs. As major SaaS platforms like Salesforce, Workday, ServiceNow, and Microsoft 365 evolve and grow in functionality and complexity, businesses should be using automated tools and processes to monitor and manage user permissions and configurations continuously.”

Here are just a few key findings in the Varonis study:

  • Nearly 44% of cloud privileges are misconfigured.
  • 3 out of 4 cloud identities for external contractors remain active after they leave.
  • 3 out of 5 users are shadow admins.
  • 15% of employees transfer business-critical data to their personal cloud accounts.

“This report both underscores the difficulty of managing privilege and identity from a top-down view, built on static perspectives of granted privilege, as well as the challenges faced by IT and Security teams whose mode of operation is an overreliance on preventative hardening in the face of the immense velocity behind cloud adoption,” says Tim Wade, Technical Director, CTO Team at Vectra. “Visibility is the lever that strategic decision-makers need to pull to start reclaiming confidence in the face of risk – not just visibility into how privilege is granted, but the observed privilege of dynamic use, to spot account dormancy, to spot deviations from least privilege, to spot practices that place sensitive data, assets, and services at risk. The takeaway is not that the enterprise needs more centrally managed enforcement; the takeaway is that IT and Security programs need visibility to match the speed and scale at which the business is evolving.

Similarly, Vectra has observed a familiar trend around cloud accounts abusing privilege, Joe Malenfant, Vice President at Vectra, says. “In 2019, 40% of organizations suffered O365 account takeovers, and with the rapid adoption of cloud services during the global pandemic, that number skyrocketed to 71% having seven or more account takeovers in 2020. Based on what we have observed in O365, we have expanded our research to include AWS. Many of the recent ransomware campaigns that have made headlines (and those that have not) are credential-based attacks. That is why it is important to focus on detecting malicious use of legitimate applications and services.”

KEYWORDS: cloud security cyber security data security risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Enterprise Services
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Columns
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity Education & Training
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Pills spilled

More than 20,000 sensitive medical records exposed

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

Coding on screen

Research reveals mass scanning and exploitation campaigns

White post office truck

Department of Labor Sues USPS Over Texas Whistleblower Termination

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

2025 Security Benchmark banner

Events

September 29, 2025

Global Security Exchange (GSX)

 

November 17, 2025

SECURITY 500 Conference

This event is designed to provide security executives, government officials and leaders of industry with vital information on how to elevate their programs while allowing attendees to share their strategies and solutions with other security industry executives.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • APIs-security-freepik

    Misconfigured APIs make up two-thirds of cloud breaches

    See More
  • cyber 3 responsive default

    44% of Companies Report Risks of Doing Business Are Increasing

    See More
  • surveillance camera in city

    44% of organizations utilize hybrid-cloud for data storage

    See More

Related Products

See More Products
  • databasehacker

    The Database Hacker's Handboo

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing