In what appears to be a self-inflicted wound, Microsoft misconfigured its own Microsoft Azure Blob (cloud) storage buckets, which housed third-party data according to vpnMentor. The company in effect scored an own-goal in favor of those seeking to steal intellectual property.

vpnMentor published its timeline and interaction (or lack thereof) with Microsoft as its researchers discovered, then warned, the company of the discovered misconfiguration. A variety of organizations whose information was found within the data bucket were pitching Microsoft Dynamics in hopes of establishing a partnership with Microsoft.

The report described how over 100 “pitch decks” and source codes from 10 to 15 companies were exposed. Companies entrusted to Microsoft their ideas and intellectual property as part of their effort to become a part of the Microsoft Dynamics CRM/ERP ecosystem and unknowingly had their ideas and intellectual property placed at risk by the misconfiguration.

The shared responsibility model

As to who has ownership for such misconfigurations, the vpnMentor research team tells me, “We can say that the shared responsibility model puts the burden of properly securing data assets in the hands of the user. Various parties in user organizations may have different short-term priorities and different levels of understanding of concepts of security. This can end up leaving sensitive data exposed. Regardless of the underlying cloud stack, this can have dire consequences.”

The concept of “shared responsibility” is one CISOs should pursue: The cloud provider is responsible for the security of the cloud, while the customer is responsible for the security in the cloud. CISOs should drive this idea home to all who may be placing data into an externally controlled cloud storage environment.

We see with great regularity how cloud storage owners fail to make their storage buckets private.
They often eschew the multiple levels of access and authentication process and procedures cloud providers have in place to be used to protect their data. As more and more of our data takes up residence in the cloud, be it Azure Blob or AWS S3, configuring the environment to restrict access from those without a need to know is basic table stakes.

The Microsoft misconfiguration was for 63 gigabytes of data, or 3,800 files, which had been created in 2016. While that may be viewed as inconsequential in 2021, the owner of the information should be the one to determine its current value.

Michael Quinn, CEO of ActiveCypher (and a former Microsoft executive), says, “In this instance, it's hard to track down who actually is to blame. With external consultants, vendors, and expanding workforces having access to vast swaths of key data, companies are facing an uphill battle in their quest to create a secure data supply chain. The current network/ecosystem have in recent months been exposed as porous and prone to compromise, losing sight of the goal (data protection) and redoubling the effort has only resulted in the same outcomes.” He adds that the “true approach” is to provide data protection at the file level regardless of the point of creation or whether it is at rest, in transit, or external. “[This] can negate the usefulness of the data being compromised even if exfiltrated.”

The case for cloud security posture management

The March 2021 “State of Cloud Security Concerns, Challenges and Incidents” survey report, prepared by AlgoSec in conjunction with the Cloud Security Alliance, noted how cloud storage misconfigurations are not limited to data exposure.
The report highlights how 26% of outages were associated with a cloud provider issue, while another 21% were associated with a security misconfiguration.

The report also notes that about 50% of information security teams charged with security management were using cloud orchestration and management tools, with about 35% using home-grown scripts, and 29% using manual processes. Therefore, if the expertise does not reside in-house, then third-party providers with the necessary expertise to provide cloud security posture management (CSPM) services should be pursued. These CSPM providers can be expected to continually monitor the cloud instance, identifying and remediating evolving risks.

The number and frequency of configuration errors may lead IT executives to believe convenience of access to data is more important than securing the information. They would not be wrong. Security awareness and education initiatives explaining the “why” behind securely configuring cloud environments will be time well spent.
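
As an added illustration (not part of the original article or any vendor's tooling), the kind of home-grown posture check described above can be sketched for Azure Blob storage: it flags containers whose settings permit anonymous reads. The inventory is constructed sample data; its nesting of containers under each account and the severity labels are assumptions, while `allowBlobPublicAccess`, `publicAccess` and `networkAcls.defaultAction` are the Azure Resource Manager property names.

```python
import json

# Constructed sample inventory (not from the article). Nesting containers under
# each storage account is an assumption made for this example.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "acct-a",
   "properties": {"allowBlobPublicAccess": true,
                  "networkAcls": {"defaultAction": "Allow"}},
   "containers": [
     {"name": "c1", "properties": {"publicAccess": "Container"}},
     {"name": "c2", "properties": {"publicAccess": "Blob"}},
     {"name": "c3", "properties": {"publicAccess": "None"}}]},
  {"name": "acct-b",
   "properties": {"networkAcls": {"defaultAction": "Deny"}},
   "containers": [
     {"name": "c4", "properties": {"publicAccess": "Blob"}}]},
  {"name": "acct-c",
   "properties": {"allowBlobPublicAccess": false,
                  "networkAcls": {"defaultAction": "Deny"}},
   "containers": [
     {"name": "c5", "properties": {"publicAccess": "Container"}}]}
]
""")

def audit(inventory):
    """Return one finding per container whose setting permits anonymous reads."""
    findings = []
    for acct in inventory:
        props = acct.get("properties", {})
        # Assumption: a missing or null allowBlobPublicAccess is treated as
        # "allowed", the conservative reading for accounts that never set it.
        account_allows = props.get("allowBlobPublicAccess", True) is not False
        acls = props.get("networkAcls", {})
        firewall_open = acls.get("defaultAction", "Allow") == "Allow"
        for c in acct.get("containers", []):
            level = (c.get("properties", {}).get("publicAccess") or "None").lower()
            if level == "none":
                continue
            if not account_allows:
                severity = "info"      # container flag overridden at account level
            elif firewall_open:
                severity = "critical"  # anonymous read from any network
            else:
                severity = "high"      # anonymous read from allowed networks only
            findings.append({"account": acct["name"], "container": c["name"],
                             "level": level, "listable": level == "container",
                             "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

A `listable` finding means anonymous callers can enumerate the container's blobs as well as read them, so those are the ones to close first.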