The move to the cloud has changed the way we manage information systems – convenience, flexibility, accessibility from anywhere. But at the same time, many organizations mistakenly think that the vendor is “responsible for security,” and ignore their share of the responsibility. In reality, most cloud leaks stem from misconfigurations – not system breaches.
In this article, we'll review the seven most common mistakes – and show you the simple way to fix them.
Mistake 1: Accounts with unnecessary administrator privileges
Too many accounts with full access leave the door open for an attacker. Even if the intention is good – “to make it convenient” – it is a significant breach.
What to do? Apply the principle of Least Privilege – only what is needed, only when needed. Perform periodic audits of permissions.
Mistake 2: MFA only partially enabled, or not enabled at all
Without two-step verification (Multi-Factor Authentication), any simple password theft can turn into a full-blown breach.
What to do? Apply MFA to every user, including administrators, services, and third-party apps.
Mistake 3: Cloud backup without encryption or separation
Many backups are stored in the same account and in the same workspace – so a hacker who breaks into the account also accesses the backups.
What to do? Keep an encrypted, separated backup, preferably in another location (off-cloud or off-region).
Mistake 4: Files are open to anyone
Shared drives (SharePoint, Google Drive, AWS S3) are sometimes set to "public" access by mistake. This means that anyone can view, download, or modify files.
What to do? Automatically scan sharing permissions and revoke unauthenticated access.
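One way to implement this scan for AWS S3, as an added example rather than code from the article: it checks a bucket policy and its ACL grants, supplied as data, for access that reaches unauthenticated users. The bucket names and sample policies are constructed, and fetching them from live accounts is left out.

```python
import json

# Predefined S3 ACL groups: everyone, and any authenticated AWS account.
ACL_PREFIX = "http://acs.amazonaws.com/groups/global/"
PUBLIC_ACL_GROUPS = {ACL_PREFIX + "AllUsers", ACL_PREFIX + "AuthenticatedUsers"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean anyone.
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return principal == "*"

def public_findings(policy_json, acl_grants):
    """Return (kind, detail) tuples for grants that reach unauthenticated users."""
    findings = []
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_wildcard(stmt.get("Principal")):
            continue
        # A Condition may narrow the grant (e.g. to a source IP): flag for review.
        kind = "policy-review" if stmt.get("Condition") else "policy-public"
        findings += [(kind, action) for action in as_list(stmt.get("Action", []))]
    for grant in acl_grants:
        if grant.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS:
            findings.append(("acl-public", grant.get("Permission")))
    return findings

# Constructed sample data (hypothetical bucket names), shaped like the output of
# S3's GetBucketPolicy and GetBucketAcl calls.
SAMPLE_BUCKETS = {
    "example-public-site": (json.dumps({"Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-public-site/*"}]}), []),
    "example-office-only": (json.dumps({"Statement": {
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-office-only/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}}), []),
    "example-legacy-acl": (None, [
        {"Grantee": {"Type": "Group", "URI": ACL_PREFIX + "AllUsers"},
         "Permission": "READ"}]),
}

if __name__ == "__main__":
    for name, (policy, grants) in SAMPLE_BUCKETS.items():
        print(name, public_findings(policy, grants))
```

Statements that carry a Condition are reported as `policy-review` rather than cleared, because a condition does not by itself guarantee the grant is restricted to authenticated users.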
Mistake 5: Passwords and API keys stored unencrypted
Files containing passwords, API keys, or access details are stored in clear text within code, documents, or emails.
What to do? Use a secure Vault, encrypt sensitive information, and avoid transferring access through insecure means.
Mistake 6: Lack of cloud event monitoring and management
Without a system that monitors suspicious logins, changes in permissions, or network traffic – the organization will not detect an attack in real time.
What to do? Integrate SIEM or MDR services, or at the very least – activate the cloud provider's built-in alerts.
Mistake 7: Lack of a cloud data security policy
Without clear procedures – each team works differently, each department acts according to its own understanding, and lack of uniformity leads to loopholes.
What to do? Draft a clear policy for cloud security – including usage, permissions, backups, encryption, and user management.
In conclusion
The cloud is just as secure as an on-premises server – but only if used correctly. One misconfiguration can expose all of your corporate information. The power is in your hands: choose a secure provider, set internal policies, and use the monitoring and security tools the cloud offers.
About the Author
Idan Zabari, a leading strategic consultant in the fields of IT and information security, assists businesses and organizations in information protection, technological innovation, and regulatory compliance.