For more than a decade, organizations have been shifting their digital
footprint to cloud computing.
The ability to rapidly scale solutions in a cost-effective manner allows any
organization to enhance their agility, improve application release timelines,
and leverage additional computing resources on demand. While this has changed
the way organizations manage their IT assets, the need for security remains
just as strong.
Today, Qualys is releasing the 2023 Qualys Cloud Security Insights report,
which describes data-backed insights from the Qualys TruRisk Platform about
risks and best practices associated with cloud computing. The insights enable
organizations using cloud technologies to better understand these risks and how
they can be better prepared to face those challenges in today's threat
landscape. The research data was generated from anonymized global cloud scans
during April 2023, primarily for benchmarks that Qualys helped develop for the
Center for Internet Security (CIS).
https://www.qualys.com/totalcloud-security-insights-blog-1
Some of the key findings from the latest Qualys report include:
- Cloud misconfiguration is the most critical issue for securing cloud
environments as it amplifies the risk of data breaches and unauthorized
access. On average, 50% of CIS Benchmarks are failing across the major
providers. The average fail rate for each provider was 34% for AWS, 57%
for Azure, and 60% for Google Cloud Platform (GCP).
- One of the most alarming discoveries within the data was how many cloud
assets are externally facing and exposed to the internet. Approximately 4%
of cloud assets within the more than 50 million scanned are internet facing,
meaning they have public IP addresses and are visible to any attacker.
- During the research period, more than 60 million applications were at end
of support and end of life. Critical categories include database and web
servers, and security software, none of which will receive security updates,
increasing exposure and risk of a breach.
According to the research, cloud misconfiguration is the most critical issue
for securing cloud
environments as it amplifies the risk of data breaches and unauthorized access.
On average, 50% of CIS Benchmarks are failing across the major providers. The
average fail rate for each provider was 34% for AWS, 57% for Azure, and 60% for
Google Cloud Platform (GCP). The three most significant categories of
misconfigurations were encryption, identity and access management, and
internet-facing assets.
Additionally, one of the most alarming discoveries within the data was how
many cloud assets are externally
facing and exposed to the internet. Approximately 4% of cloud assets within the
more than 50 million scanned are internet facing, meaning they have public IP
addresses and are visible to any attacker. While 4% does not seem alarming, any
number greater than zero should cause concern.
Here is what a few cybersecurity experts had to say:
Zane Bond, Head of Product at Keeper Security:
Amazon Web Services (AWS), Google Cloud Platform (GCP) and
Azure continuously upgrade and evolve their security recommendations. However,
these components are not always implemented properly or monitored.
Administrators should always ensure they're using a secure vault and secrets
management solution, and performing necessary patches and updates immediately.
They should also check their cloud console's security controls to ensure
they're following the latest recommendations. And as always, don't make risky
clicks with suspicious emails.
Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems:
Cloud security for most
organizations is a subset of the scope of their broader cybersecurity, focused
purely on their use of cloud services. Of course, some organizations are now
entirely cloud native. The cloud service providers have also ensured
that there is clear delineation in responsibility for security of the various
services - making it clear that CSPs are responsible for securing the cloud,
while customers are responsible for everything they put in the cloud. While
this differs based on type of cloud service, data always remains the
responsibility of the organizations using the cloud.
It is important to remember cloud security started off being very focused around
configuration settings, as the CSPs abstracted and simplified requirements
into optional configuration settings. Cloud security providers have become far
better about secure defaults for configuration, and Cloud Security Posture
Management (CSPM) tools have enabled visibility into cloud infrastructure best
practices. These tools have lacked the visibility into what is within the
infrastructure, and organizations are now realizing that securing the cloud
needs more focus on the resources they put in the cloud like data, and how to
protect data through identity-first mechanisms and encryption. They are also
realizing that robust cloud security requires a focus on resilience and
investment in detection and response mechanisms to respond to inevitable
threats. This has led to investment in capabilities like Data Security Posture
Management (DSPM) and cloud detection and response.
Utpal Bhatt, CMO at Tigera:
In contrast to general cybersecurity, cloud security is
often a collaborative effort between cloud service providers (CSPs) and
customers, who could be an individual, a small-to-medium business (SMB), or an
enterprise. This collaborative security effort is referred to as the shared
responsibility model, which outlines the key security responsibilities
of CSPs and those that fall to customers that should ultimately
cover every element of an organization's cloud environment. This includes all
the hardware, infrastructure, endpoints, data, configurations, settings,
operating system, network controls, and access rights.
Threat actors are constantly looking for and finding cloud
vulnerabilities to exploit. In response, it's important that organizations are
constantly looking for and mitigating risks in their own systems. There are
different tools organizations can use for risk assessment and management as
well as published frameworks, such as the Cloud Security Alliance's Cloud
Controls Matrix, that can assist in codifying internal processes for risk
assessment and management.
Actively monitoring a cloud system enables users to review,
monitor, and manage risks more effectively. Automated monitoring can help save
time and ensure continuous visibility. Once an event occurs or a risk is
identified, administrators are notified and can apply mitigation measures. This
can help ensure your cloud environment remains healthy and secure.
Craig Boyle, MSSP Solutions Architect at XM Cyber:
Typically, deployment of infrastructure and resources
required a procurement and approval process that included many steps before
physical infrastructure or resources could be provisioned. In today's modern
and agile environments, this is seen as a hindrance to innovation and business
development; however, it did permit security teams the time to consider the
security implications of each new deployment.
One of the core characteristics of cloud is self-service.
That is, the ability to deploy infrastructure and resources rapidly and at scale
without the constraints associated with traditional on-premises IT
environments. While this is often considered one of the core benefits of cloud
computing, it does come with significant associated risk. Appropriate processes
supported by robust technical controls are imperative to ensuring that
businesses strike the right balance between velocity and security. DevSecOps
can ensure that velocity and security are inherent to a business's cloud
operations so that all the benefits of cloud computing are realized while also
minimizing the associated risks.