Orca Security released the 2022 State of the Public Cloud Security Report, which provides important insights into the current state of public cloud security and where the most critical security gaps are found.
One of the report’s key findings is that the average attack path is only 3 steps away from a crown jewel asset, meaning that an attacker only needs to find three connected and exploitable weaknesses in a cloud environment to exfiltrate data or hold an organization to ransom.
The report, compiled by the Orca Research Pod, includes key findings from analyzing cloud workload and configuration data captured from billions of cloud assets on AWS, Azure and Google Cloud scanned by the Orca Cloud Security Platform from January 1st until July 1st 2022. The report identifies where critical security gaps are still being found and provides recommendations on what steps organizations can take to reduce their attack surface and improve cloud security postures.
“The security of the public cloud not only depends on cloud platforms providing a safe cloud infrastructure, but also very much on the state of an organization’s workloads, configurations and identities in the cloud,” said Avi Shua, CEO, Orca Security.
”Our latest State of the Public Cloud Security report reveals that there is still much work to be done in this area, from unpatched vulnerabilities and overly permissive identities, to storage assets being left wide open. It is important to remember however, that organizations can never fix all risks in their environment. They simply don’t have the manpower to do this. Instead, organizations should work strategically and ensure that the risks that endanger the organization’s most critical assets are always patched first.”
The state of public cloud security
- Crown jewels are dangerously within reach: The average attack path only needs 3 steps to reach a crown jewel asset, meaning that an attacker only needs to find three connected and exploitable weaknesses in a cloud environment to exfiltrate data or hold an organization to ransom.
- Vulnerabilities are the top initial attack vector: 78% of identified attack paths use known vulnerabilities (CVEs) as an initial access attack vector, highlighting that organizations need to prioritize vulnerability patching even more.
- Storage assets are often left unsecured: Publicly accessible S3 Buckets and Azure blob storage assets are found in the majority of cloud environments, which is a highly exploitable misconfiguration and the cause of many data breaches.
- Basic security practices are not being followed: Many basic security measures such as multi-factor authentication (MFA), encryption, strong passwords, and port security are still not being applied consistently.
- Cloud-native services are being overlooked: Even though cloud-native services are easily spun up, they still require maintenance and proper configuration: 58% of organizations have serverless functions with unsupported runtimes, and 70% of organizations have a Kubernetes API server that is publicly accessible.