A new report has shed light on critical cloud risks, with a focus on the growing threat of cloud tech debt.
Published by Qualys Threat Research Unit (TRU) earlier today, the document draws from anonymized global cloud scans conducted in April 2023.
According to the new data, over 60 million applications reached the end of support and end of life during the research period. Critical categories, such as databases, web servers and security software, now lack security updates, significantly heightening the risk of potential breaches.
Cloud misconfigurations also emerged as a significant concern, amplifying data breaches and unauthorized access. Over half of Center for Internet Security (CIS) Benchmarks are failing across major cloud providers.
AWS, Microsoft Azure and Google Cloud Platform (GCP) reported failure rates of 34%, 57% and 60%, respectively, with encryption, identity and access management and internet-facing assets being the most critical misconfiguration categories.
“AWS, GCP and Azure continuously upgrade and evolve their security recommendations. However, these components are not always implemented properly or monitored,” commented Zane Bond, head of product at Keeper Security.
“Administrators should always ensure they’re using a secure vault and secrets management solution and performing necessary patches and updates immediately.”
The report also highlights the alarming prevalence of external-facing vulnerabilities, with around 4% of scanned cloud assets publicly exposed to potential attackers.
Weaponized vulnerabilities are another significant focus, with the report citing the major threat posed by Log4Shell. The internet-facing vulnerability allows attackers to execute arbitrary Java code or leak sensitive information, and 68.44% of detected Log4Shell vulnerabilities on internet-facing cloud assets remain unpatched.
Additionally, the study identifies malware and cryptomining as the top two threats to cloud assets, enabling unauthorized access and lateral movement.
“One of the core characteristics of the cloud is self-service. That is the ability to deploy infrastructure and resources rapidly and at scale without the constraints associated with traditional on-premises IT environments,” explained Craig Boyle, MSSP solutions architect at XM Cyber.
“While this is often considered one of the core benefits of cloud computing, it does come with significant associated risk.”
The report also underlines the importance of automation in remediation processes, which significantly reduces unresolved vulnerabilities and expedites patching. Automation improved non-Windows patching rates by almost 8% and reduced remediation time by two days.
“Managing security in hybrid and multi-cloud environments requires tools and techniques that work seamlessly across all cloud vendor environments and on-premise deployments,” said Utpal Bhatt, CMO at Tigera.
“Automation is central to cloud security because, in the cloud, computing resources are numerous and in constant flux.”
More information about the report is available in this blog post published by Qualys today.