Human error tops cloud security threats in Qualys report

Research commissioned by Qualys, as contained in the newly released "The State of Cloud & SaaS Security Report," highlights significant security threats in cloud and software as a service (SaaS) sectors, with human error identified as the primary risk.

Based on a survey conducted by Dark Reading, which included insights from over 100 security and IT practitioners, the study indicates that 28% of organisations have experienced cloud or SaaS-related data breaches within the last year. Among those affected, 36% have encountered multiple breaches within the same period.

Shilpa Gite, Senior Manager, Cloud Security Compliance at Qualys, commented on the findings: "The picture that emerged from the report is clear: the rapid pace of cloud-native adoption — from AI services to containerised apps — is outstripping many organisations' ability to manage security risk. Our findings reveal a pattern of recurring challenges - from misconfigurations leading to exfiltration risk, vulnerable assets exposed to the public internet, persistent ransomware threats, and compliance drift. As cloud environments become more dynamic and distributed, securing them requires more than traditional controls. The opportunity lies in embracing automation, policy-based enforcement, and attacker-like thinking — before risks turn into breaches."

The report underscores several key insights, starting with the ongoing prevalence of "self-inflicted cloud wounds" as the number one security risk. Misconfigured cloud services are noted to heavily contribute to data breaches, with expansion in infrastructure as code (IaC) and AI-generated configurations enhancing this threat. Notably, a striking 99% of Virtual Machines are flagged as non-compliant for multi-factor authentication (MFA) deletion on critical Amazon Web Services (AWS) S3 Buckets, illustrating the prominent gaps that can be exploited through techniques such as phishing and social engineering.

Another significant insight from the research is the detection of skill shortages that impact incident response capabilities. Despite substantial investments in security technologies, many organisations fall short on cloud-focused skills necessary for effective breach detection and response. With attackers automating initial access and cross-system movements via exposed application programming interfaces (APIs) and credentials, security units are prompted to enhance their visibility and automation systems. The report includes concrete examples where deficient API key protections and ineffective response procedures have led to both extortion and data exfiltration incidents.

The research also highlights the growing risk surface due to the shift towards containerised workloads and modern web applications. These technologies bring about intricate, fleeting risks tied to increased inter-process communication, broader network exposure, and swift lifecycle transitions, challenging the efficiency of traditional security controls. In response, the report outlines practical measures for improving container security and enforcing policies effectively before deployment of workloads.