Orca Security Research Finds Public Cloud Environments Rife with Neglected Workloads, Authentication Issues, and Lateral Movement Risk
You’re probably familiar with the shared responsibility model. The basic idea is that public cloud providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) keep their platforms secure, but customers are still responsible for securing the workloads, data, and processes they run inside the cloud – just as they do in their on-prem world.
Managing Public Cloud Security Risks is a Shared Responsibility
Responsible for security in the cloud
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Network Traffic Encryption, Server-Side Encryption & Data Integrity
Cloud Platform Provider
Responsible for security of the cloud (Infrastructure)
The fact is, organizations have a hard time keeping up. We live in a world where any person with a corporate credit card can activate sophisticated IaaS assets across AWS, Azure, and GCP. Meanwhile, DevOps teams work at breakneck speeds, scaling utilization up and down frequently—possibly thousands of times per hour—and all within a CI/CD pipeline that builds the infrastructure. Security isn’t always in the loop on cloud deployments and even when it is, visibility is limited.
For most organizations, cloud workload security is dependent upon the installation and maintenance of security agents across all assets. Something that rarely happens, as this report shows.
The Orca Security 2020 State of Public Cloud Security Report found that as organizations rapidly deploy more assets in the public cloud, they’re leaving numerous paths open for exploitation. The data below describes the sequencing of how most breaches happen. Attackers find the vulnerable front-line service － the weak link－ and use it as a foothold from which to move laterally across the organization.
Neglected workloads and authentication issues are the weak links attackers are looking for
of organizations have a front-line
workload with an unpatched or
unsupported operating OS
Authentication issues are commonplace
Weak or Leaked Passwords
of organizations have one or more
workloads accessible via weak
or leaked passwords
No MFA on Super Admin Accounts
of organizations aren’t using MFA
to protect one of their cloud
account’s root, super admin users
of organizations have at least one
internet-facing asset accessible
via non-corporate credentials
Finding the Keys to the Kingdom
of organizations have internet-facing
workloads containing secrets and credentials,
posing a risk of lateral movement
Past the Gates:
Lateral Movement Risk
of organizations having 10% or more of their
internal workloads in a neglected security state －
meaning the OS is unsupported or unpatched
About the Orca Security 2020 State of Public Cloud Security Report
For our inaugural Orca Security 2020 State of Public Cloud Security Report we analyzed data from more than two million scans of 300,000 public cloud assets running on AWS, Azure, and GCP. Scanned accounts represent Orca’s customer base across numerous industries including financial services, professional services, travel, cloud computing, online marketplaces, entertainment, and real estate, with locations in North America, Europe, and Asia-Pacific. The breadth and depth of data in this report are possible because Orca SideScanning™ sees 100% of the workloads inside each customer’s public cloud estate. The cloud scans ran from November 6, 2019, to June 4, 2020.
Download the Infographic
Follow the exploitation path in this infographic to see how most major breaches happen.