Public cloud security gaps expose business critical assets
The public cloud has been widely adopted by organizations of all sizes, but a new report from Orca Security reveals some alarming shortcomings in security.
Among the key findings, 72 percent of organizations have at least one Amazon S3 bucket that allows public read access, and 70 percent have a Kubernetes API server that is publicly accessible.
In addition, 36 percent have unencrypted sensitive data, including secrets and PII, on their cloud assets.
Compiled by the Orca Research Pod, the report includes key findings from analyzing cloud workload and configuration data captured from billions of cloud assets on AWS, Azure and Google Cloud scanned by the Orca Cloud Security Platform from January 1st until July 1st, 2022.
Another significant finding is that the average attack path is only three steps away from a valuable asset, which means an attacker only needs to find three connected and exploitable weaknesses in a cloud environment to steal data or hold an organization to ransom.
"The security of the public cloud not only depends on cloud platforms providing a safe cloud infrastructure, but also very much on the state of an organization’s workloads, configurations and identities in the cloud," says Avi Shua, CEO and co-founder of Orca Security. "Our latest State of the Public Cloud Security report reveals that there is still much work to be done in this area, from unpatched vulnerabilities and overly permissive identities to storage assets being left wide open. It is important to remember, however, that organizations can never fix all risks in their environment. They simply don't have the manpower to do this. Instead, organizations should work strategically and ensure that the risks that endanger the organization's most critical assets are always addressed first."
Many basic security measures such as multi-factor authentication, least-privilege permissions, encryption, strong passwords, and port security are still not being applied consistently. For example, 42 percent of respondents had granted administrative permissions to more than 50 percent of the organization's users, 71 percent use the default service account in Google Cloud, and seven percent have internet-facing neglected assets -- like an unsupported operating system or systems unpatched for 180+ days -- with open ports. Since 78 percent of identified attack paths use known vulnerabilities (CVEs) as an initial access attack vector, prioritizing vulnerability patching is vital.
The full 2022 State of the Public Cloud Security Report is available from the Orca site.