Research Eyes Misconfiguration Issues At Google, Amazon and Microsoft Cloud
Qualys report looks at how misconfiguration issues on cloud service providers help attackers gain access.
Cloud misconfigurations — incorrect control settings applied to both hardware and software elements in the cloud — are threat vectors that amplify the risk of data breaches. A new report from cloud security vendor Qualys, authored by Travis Smith, vice president of the company’s Threat Research Unit, lifts the lid on risk factors for three major cloud service providers.
Smith wrote that Qualys researchers, analyzing misconfiguration issues at Amazon Web Services, Microsoft Azure and Google Cloud Platform, found that within Azure, 99% of the disks are either not encrypted or aren’t using customer-managed keys that give users control of encryption keys that protect data in software as a service applications.
The study, which reviewed encryption, identity and access management and failures to monitor external-facing assets, examined risks of unauthorized access due to:
Smith wrote that the company’s researchers found that 85% of the keys aren’t rotated, meaning automatic key rotation isn’t enabled. Amazon offers automatic key rotation — generating new cryptographic material — on a 365-day cycle for keys.
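A rotation check of the kind described above can be run over a key inventory. The following Python sketch is an added example, not code from Qualys or the report. It assumes each record merges the `KeyMetadata` fields from `aws kms describe-key` with the `KeyRotationEnabled` flag from `aws kms get-key-rotation-status`. The sample records and the scoping rules are constructed for illustration and are not the report's methodology.

```python
# Constructed sample inventory; key IDs are made up for this example.
SAMPLE_KEYS = [
    {"KeyId": "example-key-1", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyRotationEnabled": False},
    {"KeyId": "example-key-2", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyRotationEnabled": True},
    {"KeyId": "example-key-3", "KeyManager": "AWS", "KeyState": "Enabled",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyRotationEnabled": True},
    {"KeyId": "example-key-4", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "KeySpec": "RSA_2048", "Origin": "AWS_KMS", "KeyRotationEnabled": False},
    {"KeyId": "example-key-5", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "EXTERNAL", "KeyRotationEnabled": False},
    {"KeyId": "example-key-6", "KeyManager": "CUSTOMER", "KeyState": "PendingDeletion",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyRotationEnabled": False},
    {"KeyId": "example-key-7", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyRotationEnabled": False},
]


def classify(key):
    """Return 'rotated', 'not_rotated' or 'out_of_scope' for one key record."""
    if key["KeyManager"] != "CUSTOMER":
        return "out_of_scope"  # AWS managed keys: rotation is handled by AWS
    if key["KeyState"] != "Enabled":
        return "out_of_scope"  # disabled / pending-deletion keys are not rotated by KMS
    if key["KeySpec"] != "SYMMETRIC_DEFAULT" or key["Origin"] != "AWS_KMS":
        # Automatic rotation is not available for asymmetric or HMAC keys,
        # imported key material, or keys in custom key stores.
        return "out_of_scope"
    return "rotated" if key.get("KeyRotationEnabled") else "not_rotated"


def rotation_report(keys):
    """Summarise which in-scope keys lack automatic rotation."""
    buckets = {"rotated": [], "not_rotated": [], "out_of_scope": []}
    for key in keys:
        buckets[classify(key)].append(key["KeyId"])
    in_scope = len(buckets["rotated"]) + len(buckets["not_rotated"])
    pct = round(100 * len(buckets["not_rotated"]) / in_scope, 1) if in_scope else 0.0
    return {"not_rotated": buckets["not_rotated"], "in_scope": in_scope,
            "pct_not_rotated": pct}


if __name__ == "__main__":
    print(rotation_report(SAMPLE_KEYS))
```

Keys that cannot use automatic rotation are excluded from the denominator so the percentage reflects only keys where enabling rotation is an available fix.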
Qualys also reported that in GCP environments, 97.5% of virtual machine disks for critical virtual machines lack encryption using customer-supplied encryption keys.
Qualys found poor implementation levels of IAM in all three major providers:
Qualys noted that a common mistake by users across the three platforms is public exposure of data:
Recommendations by the firm included reviewing research by the Center for Internet Security including work Qualys participated in: mapping of individual controls to the MITRE ATT&CK tactics and techniques.
Qualys contributed to developing these CIS benchmarks for AWS, Azure and GCP. The benchmarks will help offer some valuable insight and context for defenders to better prioritize the hundreds of hardening controls available in cloud environments.
Qualys also looked at how firms are deploying controls to harden their cloud postures across the three major platforms, noting that privilege escalation (96.03%), initial access (84.97%) and discovery (84.97%) are passing at the highest rates.
Efforts to control attacks early are helping to ameliorate more harmful consequences further along the kill chain:
Smith wrote that since crypto mining malware is a threat to cloud environments, organizations should consider mitigating such controls to reduce their organizational risk in the cloud.
“The lesson from these data points is that almost every organization needs to better monitor cloud configurations,” said Smith, adding that scans for CIS controls failed 34% of the time for AWS, 57% for Microsoft Azure and 60% for GCP (Figure A).
Figure A
“Even if you believe your cloud configurations are in order, the data tells us that not regularly confirming status is a risky bet. Scan the configurations often and make sure the settings are correct. It takes just one slip-up to accidentally open your organization’s cloud to attackers,” wrote Smith.