Orca Security Research Finds Public Cloud Environments Rife with Neglected Workloads, Authentication Issues, and Lateral Movement Risk


You’re probably familiar with the shared responsibility model. The basic idea is that public cloud providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) keep their platforms secure, but customers are still responsible for securing the workloads, data, and processes they run inside the cloud – just as they do in their on-prem world.

Managing Public Cloud Security Risks is a Shared Responsibility

The fact is, organizations have a hard time keeping up. We live in a world where any person with a corporate credit card can activate sophisticated IaaS assets across AWS, Azure, and GCP. Meanwhile, DevOps teams work at breakneck speeds, scaling utilization up and down frequently—possibly thousands of times per hour—and all within a CI/CD pipeline that builds the infrastructure. Security isn’t always in the loop on cloud deployments and even when it is, visibility is limited.

For most organizations, cloud workload security depends on installing and maintaining security agents across every asset, something that rarely happens in practice, as this report shows.

The Orca Security 2020 State of Public Cloud Security Report found that as organizations rapidly deploy more assets in the public cloud, they’re leaving numerous paths open for exploitation. The data below describes the sequence in which most breaches happen: attackers find the vulnerable front-line service – the weak link – and use it as a foothold from which to move laterally across the organization.

Neglected workloads and authentication issues are the weak links attackers are looking for

80.7% of organizations have a front-line workload with an unpatched or unsupported OS

5.3% of organizations have one or more workloads accessible via weak or leaked passwords

No MFA on Super Admin Accounts

23.5% of organizations aren’t using MFA to protect the root or super admin user of at least one of their cloud accounts

Non-Corporate Credentials

19.3% of organizations have at least one internet-facing asset accessible via non-corporate credentials

Finding the Keys to the Kingdom

43.9% of organizations have internet-facing workloads containing secrets and credentials, posing a risk of lateral movement

Past the Gates: Lateral Movement Risk

Together, these weak links pose a serious risk of cloud compromise and lateral movement.
The security of internal workloads is much worse than that of front-line workloads, with:

77.2% of organizations having 10% or more of their internal workloads in a neglected security state – meaning the OS is unsupported or unpatched

About the Orca Security 2020 State of Public Cloud Security Report

For our inaugural Orca Security 2020 State of Public Cloud Security Report we analyzed data from more than two million scans of 300,000 public cloud assets running on AWS, Azure, and GCP. Scanned accounts represent Orca’s customer base across numerous industries including financial services, professional services, travel, cloud computing, online marketplaces, entertainment, and real estate, with locations in North America, Europe, and Asia-Pacific. The breadth and depth of data in this report are possible because Orca SideScanning™ sees 100% of the workloads inside each customer’s public cloud estate. The cloud scans ran from November 6, 2019, to June 4, 2020.

Download the Infographic
Follow the exploitation path in this infographic to see how most major breaches happen.