Orca Security 2020 State of Public Cloud Security Risks Report


Orca Security Research Finds Public Cloud Environments Rife with Neglected Workloads, Authentication Issues, and Lateral Movement Risk

You’re probably familiar with the shared responsibility model. The basic idea is that public cloud providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) keep their platforms secure, but customers are still responsible for securing the workloads, data, and processes they run inside the cloud – just as they do in their on-prem world.

Managing Public Cloud Security Risks is a Shared Responsibility



Responsible for security in the cloud

Customer Data

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Network Traffic Encryption, Server-Side Encryption & Data Integrity

Cloud Platform Provider


Responsible for security of the cloud (Infrastructure)






Availability Zones

Edge Locations

The fact is, organizations have a hard time keeping up. We live in a world where any person with a corporate credit card can activate sophisticated IaaS assets across AWS, Azure, and GCP. Meanwhile, DevOps teams work at breakneck speeds, scaling utilization up and down frequently—possibly thousands of times per hour—and all within a CI/CD pipeline that builds the infrastructure. Security isn’t always in the loop on cloud deployments and even when it is, visibility is limited.

For most organizations, cloud workload security depends on installing and maintaining security agents across all assets, something that rarely happens, as this report shows.

The Orca Security 2020 State of Public Cloud Security Report found that as organizations rapidly deploy more assets in the public cloud, they’re leaving numerous paths open for exploitation. The data below describes the sequence in which most breaches happen. Attackers find the vulnerable front-line service, the weak link, and use it as a foothold from which to move laterally across the organization.

Neglected workloads and authentication issues are the weak links attackers are looking for


of organizations have a front-line workload with an unpatched or unsupported operating system

Authentication issues are commonplace

Weak or Leaked Passwords


of organizations have one or more workloads accessible via weak or leaked passwords

No MFA on Super Admin Accounts



of organizations aren’t using MFA to protect one of their cloud account’s root, super admin users

Non-Corporate Credentials


of organizations have at least one internet-facing asset accessible via non-corporate credentials

Finding the Keys to the Kingdom


of organizations have internet-facing workloads containing secrets and credentials, posing a risk of lateral movement


Past the Gates: Lateral Movement Risk

All weak links combine to pose serious cloud security and lateral movement attack risk. The security of internal workloads is much worse than that of front-line workloads, with:


of organizations having 10% or more of their internal workloads in a neglected security state - meaning the OS is unsupported or unpatched


About the Orca Security 2020 State of Public Cloud Security Report

For our inaugural Orca Security 2020 State of Public Cloud Security Report we analyzed data from more than two million scans of 300,000 public cloud assets running on AWS, Azure, and GCP. Scanned accounts represent Orca’s customer base across numerous industries including financial services, professional services, travel, cloud computing, online marketplaces, entertainment, and real estate, with locations in North America, Europe, and Asia-Pacific. The breadth and depth of data in this report are possible because Orca SideScanning™ sees 100% of the workloads inside each customer’s public cloud estate. The cloud scans ran from November 6, 2019, to June 4, 2020.
