What you'll take away
Gartner predicted that through 2025, 99% of cloud security failures would be the customer's fault — not the cloud provider's. That prediction has aged well. The incidents in the headlines are not attacks on cloud infrastructure. They are incidents made possible by cloud infrastructure that was misconfigured from day one and never audited.
The uncomfortable reality is that cloud misconfigurations cause more confirmed data breaches than zero-day exploits. The tooling to find and fix them is mature. The organisational discipline to use it systematically is not. This is the problem that Cloud Security Posture Management (CSPM) exists to solve.
The Numbers That Should Change Behaviour
IBM's Cost of a Data Breach Report 2024 puts the average breach cost at $4.88 million — a record high. For breaches involving cloud misconfigurations specifically, remediation costs are typically higher because the exposure window is longer: misconfigured resources are frequently discovered by external researchers or attackers before internal security teams.
ISC2 research found that 82% of cloud security breaches can be attributed to human error — primarily misconfiguration, excessive permissions, and inadequate access management. None of these require an attacker to find a novel vulnerability. They require an attacker to find an open door that a developer accidentally left unlocked three months ago.
The volume of cloud resources makes manual auditing impossible at scale. A mid-sized enterprise running on AWS or Azure might manage tens of thousands of individual resources — security groups, IAM roles, storage buckets, databases, Lambda functions, container registries — each with independent configuration state. Without automated scanning, you cannot know your security posture. You can only hope it is acceptable.
Why Cloud Misconfigurations Are Different From On-Premise
In an on-premise data centre, a misconfigured server is a local risk. The misconfiguration is a problem, but it is contained within a network perimeter that provides at least one layer of protection.
In the cloud, the same misconfiguration is an internet-exposed risk from the moment it is deployed. A public storage bucket, an RDS instance with a public endpoint and weak credentials, or a security group with unrestricted inbound access is reachable by automated scanners within minutes of creation. Services like Shodan continuously catalogue publicly accessible cloud resources. Attackers use them as search engines for vulnerable targets.
Infrastructure-as-Code amplifies the risk. IaC enables rapid, consistent infrastructure deployment — which means a misconfigured Terraform module can be applied across hundreds of environments simultaneously. One bad commit to a shared IaC module can introduce the same misconfiguration into every environment that uses it, across every cloud region you operate in.
The 5 Most Dangerous Cloud Misconfigurations
1. Publicly Accessible Storage Buckets
S3 buckets, Azure Blob containers, and Google Cloud Storage buckets set to public access remain the single most common source of cloud data exposure. Despite account-level Block Public Access controls becoming available in 2018, public storage buckets continue to appear in breach disclosures year after year.
The risk compounds over time. Sensitive data accumulates in storage buckets — backup exports, database dumps, log archives, compliance reports — and nobody audits whether permissions remain appropriate for current contents. A bucket that starts as a public web asset repository becomes a public compliance data repository after a developer exports a database snapshot to it by mistake.
2. Overly Permissive IAM Roles
IAM roles with wildcard permissions (Action: *, Resource: *) are the cloud equivalent of issuing every employee a master key to every system. They are common partly because they are easier to configure quickly, and partly because least-privilege requires ongoing maintenance as applications evolve — maintenance that rarely gets scheduled.
Wildcard IAM roles define the blast radius of any credential compromise. A Lambda function with unrestricted permissions can exfiltrate data, create new admin users, modify security groups, and disable logging — everything an attacker needs to maintain access and avoid detection.
3. Unrestricted Inbound Security Group Rules
Security groups allowing inbound traffic from the entire internet on management ports — SSH on port 22, RDP on 3389, database ports 3306 and 5432 — are a perennial finding. These rules are typically added as a quick fix during development and never removed when the system reaches production.
Exposed management ports are actively scanned by automated threat actors within hours of appearing on the internet. An RDS instance with a public endpoint and default credentials is frequently compromised before the developer who created it has finished testing the feature they built it for.
4. Unencrypted Data at Rest
RDS instances without encryption at rest, EBS volumes attached to production EC2 instances without encryption, S3 buckets without server-side encryption enabled — all represent compliance failures and data exposure risks if storage is accessed through a misconfiguration or physical security incident.
Is your security posture audit-ready?
48-hour turnaround. No obligation.
Encryption at rest is now the default on most cloud services, but legacy resources created before defaults changed are frequently never retroactively encrypted. CSPM scanning consistently surfaces unencrypted data stores in environments that teams believe are fully compliant.
5. Root and Admin Accounts Without MFA
The AWS root account, Azure global administrator, or GCP Organisation Admin is omnipotent — it can bypass any permission boundary, disable any logging, and modify any configuration. If it is compromised, recovery is extremely difficult. Despite this, root account MFA is absent or incomplete in a significant proportion of enterprise cloud accounts.
Root account access keys should never exist. Root access should be a documented break-glass procedure, not a routine access path. These controls are basic, widely documented, and consistently missing in organisations that have never run a systematic posture assessment.
What CSPM Is — And What It Is Not
Cloud Security Posture Management tools continuously scan cloud configurations against security best practices, compliance frameworks (CIS Benchmarks, SOC 2, PCI-DSS, HIPAA, ISO 27001), and custom security policies. They produce a prioritised findings list with severity ratings, remediation guidance, and often automated fix capabilities.
CSPM is not a vulnerability scanner (it does not scan software for CVEs), not a SIEM (it does not analyse logs or detect real-time threats), and not a WAF (it does not protect running applications). It fills the specific gap of configuration drift detection — finding where infrastructure was deployed or changed into a non-compliant or insecure state.
Leading CSPM tools include Wiz (agentless, multi-cloud, attack path visualisation), Prisma Cloud (comprehensive CNAPP platform), AWS Security Hub (native AWS with GuardDuty and Inspector integration), and Microsoft Defender for Cloud (native Azure with multi-cloud support). The right tool depends on your cloud mix, compliance requirements, and existing security tooling.
Building a CSPM Programme That Reduces Real Risk
Purchasing a CSPM tool and running a scan is not a CSPM programme. The tool output is a findings list — which is worthless without a process to remediate findings and prevent recurrence. A programme has five components:
- 1Continuous scanning with severity prioritisation — Automated scans triggered by every infrastructure change, not just periodic schedules. Critical findings escalated immediately; high findings reviewed weekly; medium findings tracked in the backlog.
- 2Tagging strategy alignment — Every cloud resource tagged by owner, environment, and data classification. Findings can then be routed automatically to the correct team for remediation rather than landing in a central security queue.
- 3IaC policy gates in the pipeline — CSPM policies embedded in CI/CD to block non-compliant infrastructure before it reaches production. Open Policy Agent or Checkov for Terraform provide policy-as-code gates that catch misconfigurations at authoring time.
- 4Auto-remediation for low-complexity findings — Programmatic fixes for straightforward findings (enable S3 versioning, enforce MFA on IAM users, enable CloudTrail) to reduce alert fatigue and free security engineering for complex remediation.
- 5Governance reporting for leadership — Monthly posture reports showing trend in critical finding count, mean time to remediate, and compliance framework adherence percentage — connecting infrastructure security to business risk metrics that boards and auditors understand.
A CSPM tool without a remediation workflow is a very expensive dashboard. The investment only returns value when findings drive actions — not when they fill a report that nobody acts on.
GYSP's Cloud Security Posture Practice
GYSP's Cyber Security team implements CSPM as part of a holistic cloud security programme that integrates posture management with identity security, workload protection, and network segmentation.
We start with a posture baseline assessment — a full scan of your current cloud environment against CIS Benchmarks and your relevant compliance framework. The output is a prioritised findings report, a remediation roadmap sequenced by risk severity, and a recommendation for the CSPM tooling that fits your environment. For clients with existing CSPM tools, we focus on programme maturity: improving remediation velocity, implementing IaC gates, and building governance reporting that connects security posture to business risk.
“Misconfiguration is not a technical failure — it is a process failure. The tools to detect it have existed for years. The gap is always the programme around the tool: who owns the findings, who remediates them, and how fast.”
— Dhaval S, Network & Security Lead — GYSP.tech
