Orca Security Reports Widespread Cloud Security Issues

An Orca Security analysis of cloud workload and configuration data captured from billions of assets running on Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform in the first half of 2022 found more than three-quarters (78%) of the attack paths identified involved known vulnerabilities.

As a result, the report concluded, a cyberattacker needs to find only three connected and exploitable weaknesses in a cloud environment to exfiltrate data or hold an organization’s data for ransom.

Unpatched vulnerabilities coupled with overly permissive identities and publicly exposed storage assets are all commonplace security issues, according to the report. Well over half of organizations (58%) have serverless functions with unsupported runtimes, while 70% of organizations have a Kubernetes application programming interface (API) server that is publicly accessible, the report also found.

Orca Security CEO Avi Shua said it’s clear basic security practices such as multi-factor authentication (MFA), encryption, strong passwords and port security are not being consistently applied.

In theory, more responsibility for security is shifting left toward application development teams that programmatically provision cloud resources. However, most application developers have limited cybersecurity expertise. Most of them would prefer to focus on writing code instead of learning how to secure the cloud platforms they rely on to deploy applications. Organizations will need to find ways to automatically apply cybersecurity policies to prevent application developers from repeatedly making the same cybersecurity mistakes, noted Shua.

The hope is, of course, that as application development teams embrace DevSecOps best practices, there will be fewer mistakes. However, it may take years for those best practices to be widely adopted. Even then, not every developer is going to have the same level of cybersecurity expertise, so the opportunity for errors is likely to persist.

Fortunately, in the wake of a series of high-profile breaches, more cybersecurity reviews of software supply chains are being conducted. The challenge is that organizations still want to build and deploy secure applications quickly, so the expectation is that cybersecurity teams will find a way to apply cybersecurity policies without adversely impacting application development workflows. However, it’s not clear how achievable that is.

Of course, exactly who is responsible for cloud and application security within many organizations is also unclear. Cybersecurity teams often assume that development teams will address security issues as they build and deploy applications. Developers tend to assume that cloud platforms are secure. The issue that arises is that while cloud service providers will secure the infrastructure they provide, the responsibility for configuring cloud infrastructure and securing the applications deployed on it is left to the development team.

It’s unlikely cybersecurity teams will be able to address all the cloud security issues that exist today, said Shua. Organizations will need to focus their efforts on the most severe vulnerabilities, he noted.

The trouble is that cybercriminals are getting more adept at not only discovering cloud vulnerabilities but also exploiting them for extended periods of time before anyone ever realizes it.


Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
