Mapping the Cloud: A Mixed-Methods Study of Cloud Security and Privacy Configuration Challenges
Sumair Ijaz Hashmi
Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Connectivity & Privacy
Cloud misconfigurations have repeatedly been identified as the **leading cause of cloud security breaches**, from exposed **AWS S3 buckets** leaking 70 terabytes of customer data to **AT&T's Snowflake databases** lacking enforced MFA that exposed call and text records of over **100 million customers**. This talk presents a large-scale mixed-methods study of **251,000 Stack Overflow posts** from 2018 to 2024, identifying the security and privacy configuration challenges that cloud operators face across the ecosystem. The analysis uncovers **seven cloud use cases**, **five recurring security and privacy configuration challenges**, and multiple **human-centric challenges** including generic documentation, tooling usability issues, copy-paste coding, and fundamental knowledge gaps. The most pervasive finding: **authentication misconfiguration** is a cross-cutting problem affecting every cloud use case, likely because unlike optional features like logging or encryption, authentication must be configured before anything else works, and even small mistakes break deployments.
AI review
A large-scale study of cloud security misconfiguration challenges based on Stack Overflow posts. Confirms what everyone already knows -- cloud misconfigurations are prevalent and authentication is hard -- but provides no novel technical insights, no exploits, and no actionable offensive tradecraft.