2022 State of Public Cloud Security Report Reveals Critical Cloud Security Gaps

Originally published by Orca Security here.

Written by Bar Kaduri and Deborah Galea, Orca Security.

Orca Security has released the 2022 State of the Public Cloud Security report, which provides important insights into the current state of public cloud security and where the most critical security gaps are found. The report further provides recommendations on what actions organizations can take to reduce their attack surface and improve cloud security postures.

Key findings of the report

This year’s study shows that while many organizations list cloud security as one of their top IT priorities, there are still many basic security practices that are not being followed consistently. In the rush to move resources to the cloud, it seems that organizations are struggling to keep up with ever-expanding cloud attack surfaces and increasing multi-cloud complexity.

Download this report now and get the full list of the latest cloud security trends and insights organizations are facing today.

The report finds that:

• Crown jewels are dangerously within reach: The average attack path only needs 3 steps to reach a crown jewel asset, meaning that an attacker only needs to find three connected and exploitable weaknesses in a cloud environment to exfiltrate data or hold an organization to ransom.
• Vulnerabilities are the top initial attack vector: 78% of identified attack paths use known vulnerabilities (CVEs) as an initial access attack vector, highlighting that organizations need to prioritize vulnerability patching even more.
• Storage assets are often left unsecured: Publicly accessible S3 Buckets and Azure blob storage assets are found in the majority of cloud environments, which is a highly exploitable misconfiguration and the cause of many data breaches.
• Basic security practices are not being followed: Many basic security measures such as Multi-Factor Authentication (MFA), encryption, strong passwords, and port security are still not being applied consistently.
• Cloud-native services are being overlooked: Even though cloud-native services are easily spun up, they still require maintenance and proper configuration: 58% of organizations have serverless functions with unsupported runtimes, and 70% of organizations have a Kubernetes API server that is publicly accessible.

Below, we highlight report findings from a cross section of cloud security focus areas. To read about all topics, including neglected assets, Log4Shell, Spring4Shell, remediation times, database and key misconfigurations, lateral movement, cloud storage and database security, download the full report.

Vulnerability management

With the sheer number of vulnerabilities being discovered every day, it is increasingly difficult for organizations to keep up. Many fall behind on patching newly discovered vulnerabilities, but some are also not addressing vulnerabilities that have been around for a long time:

• 10% of organizations have vulnerabilities that were disclosed 10+ years ago.
• On average, organizations have 11% of their assets in a neglected security state, meaning that the asset uses an unsupported operating system (such as CentOS 6, Linux 32-bit, or Windows Server 2012) or has remained unpatched for 180 days or more.
• As many as 7% of organizations have Internet-facing neglected assets with open ports. This is especially dangerous since attackers continually scan for open ports and known vulnerabilities and is basically a disaster waiting to happen.
• A shocking 78% of identified attack paths use known vulnerabilities (CVEs) - including Log4j - as the initial access attack vector.

From these figures, we can conclude that organizations really should be placing more effort into fixing vulnerabilities. However, many lack the staff to patch these vulnerabilities, which in more complex, mission critical systems is often not a simple matter of just running an update. Instead, patching can require rigorous testing to make sure that an update doesn’t cause more problems than it solves.

This is why strategic remediation is needed. Instead of trying to fix *all* vulnerabilities, or only those vulnerabilities with the highest CVSS score, it is important that organizations understand which vulnerabilities form a dangerous attack path to the company’s crown jewels. This requires deep and wide insight into cloud workload, configuration and identity risks and how these risks can be combined. In this way, security teams can focus on a much smaller number of vulnerabilities and make sure that those are fixed first.

Identity and Access Management

One of the key elements of Identity and Access Management is adhering to the principle of least privilege (PoLP), which is the practice of limiting a user’s access rights to only that which is strictly required to do their jobs. The report finds that PoLP is still lacking in many cloud environments:

• 44% of environments have at least one privileged identity access management (IAM) role. If an attacker gets hold of privileged IAM credentials, they not only gain access to the system, but can also remain undetected. By activating privileged access only for the duration it is needed, the attack surface can be greatly reduced.
• 71% use the default service account in Google Cloud. This is not recommended because this account gives you Editor permissions by default, not aligning to PoLP.
• In 42% of the scanned cloud estates, administrative permissions were granted to more than 50% of the organization’s users. This indicates that many users are given unrestricted permissions which disregards PoLP best practices.

Cloud misconfigurations

In their 2021 Hype Cycle for Cloud Security, Gartner predicts that through 2025, more than 99% of cloud breaches will originate from preventable misconfigurations or mistakes by end users. They also advise that “CIOs must change their line of questioning from “Is the cloud secure?” to “Am I using the cloud securely?”. From our research, it appears that there is still some work to do:

• 8% have configured a KMS key with public access policy. This is particularly dangerous since it creates an easy attack vector for a malicious party.
• 51% have a Google Storage bucket without uniform bucket-level access. If access levels are not set uniformly, this means that bucket access can be controlled by ACLs as well as IAM. It is best practice to avoid the use of Access Control Lists, since they are harder to monitor and prone to misconfiguration, and if exploited, can allow lateral movement and privilege escalation.
• 77% have at least one RDS database instance using default ports and 42% of these are Internet-facing. It is best practice to change the ports of your RDS databases since if a potential attacker knows which ports you are using, it makes reconnaissance attempts much easier.

Cloud-native Security

Cloud-native services, such as containers, Kubernetes, and serverless are far more lightweight than VMs, use fewer resources and are cheaper to run. For this reason, they are quickly gaining in popularity. However, cloud-native functions still need maintenance to ensure there are no lurking vulnerabilities or misconfigurations that could endanger the cloud environment.

• 62% of containers are being run orchestrated by an outdated version of Kubernetes.
• 69% have at least one serverless function exposing secrets in the environment variable. This means that there are keys, authorization tokens, or passwords that can be exploited by malicious actors.
• 16% of the containers are in a neglected state, which means that they use an unsupported operating system or have remained unpatched for 180 days or more.

Attack paths

An attack path is the route that an attacker takes - or could take - to reach their target, with the goal of data exfiltration, holding the organization to ransom, or selling PII. En route to the company’s crown jewels, attackers take advantage of weaknesses in the environment to gain access to specific assets and move laterally from one to the other.

• The average attack path can reach crown jewels in three steps. This means that an attacker only needs to find three connected and exploitable weaknesses in a cloud environment to exfiltrate data or hold an organization to ransom.
• 78% of attack paths use vulnerabilities as an initial attack vector. 19% use neglected assets - which are assets that use an unsupported operating system or remain unpatched for 180 days or more - as an initial attack vector.
• The top end goal of the vast majority of attack paths is data exposure (84%).

Key recommendations for reducing cloud security risks

The report includes several recommendations for reducing cloud security risks, from maintaining a cloud asset inventory and performing regular audits, to adhering to PoLP and cleaning up unused assets and accounts.

About the 2022 State of Public Cloud Security report

The Orca Research Pod compiled the annual 2022 State of the Public Cloud Security report by analyzing workload, configuration, and identity data captured from billions of cloud assets on AWS, Azure and Google Cloud scanned by the Orca Cloud Security Platform.

The Orca Research Pod is a group of 12 cloud security researchers that discovers and analyzes cloud risks and vulnerabilities to strengthen the Orca platform and promote cloud security best practices. In addition, the Orca research team discovers and helps resolve vulnerabilities in cloud provider platforms so organizations can rely on a safe infrastructure in the cloud.

Download the report.