Over half of Azure and Google Cloud deployments fail CIS benchmarks
Cloud misconfiguration is a critical issue as it amplifies the risk of data breaches and unauthorized access. But new research from Qualys shows that many cloud deployments on major platforms are failing Center for Internet Security (CIS) benchmarks.
The report finds that on average, 50 percent of CIS Benchmarks are failing across the major providers. The average fail rate for each provider is 34 percent for AWS, 57 percent for Azure, and 60 percent for Google Cloud Platform (GCP).
Other findings include that approximately four percent of the more than 50 million cloud assets scanned are internet-facing, meaning they have public IP addresses and are visible to any attacker.
During the research period, more than 60 million applications were found to be at end of support and end of life. Critical categories include database servers, web servers, and security software, none of which will receive security updates, increasing exposure and the risk of a breach.
Vulnerabilities that are already known to be weaponized are still a problem too. The Qualys TruRisk Platform has detected approximately a million Log4Shell vulnerabilities, which remain under-remediated, with 68.44 percent of detections being unpatched on internet-facing cloud assets.
Travis Smith, VP, threat research unit at Qualys, writes on the company's blog, "As your organization explores ways to improve the remediation of cloud vulnerabilities with automation, we urge you to consider work by the Center for Internet Security (CIS) and its new process of mapping individual controls across its benchmarks to the MITRE ATT&CK tactics and techniques. Qualys contributed to developing these CIS benchmarks for AWS, Azure, and GCP. The benchmarks will help offer some valuable insight and context for defenders to better prioritize the hundreds of hardening controls available in cloud environments."
You can read more and get the full report on the Qualys blog.