In a bid to shed light on the risks and best practices associated with cloud computing, Qualys has unveiled the 2023 Qualys Cloud Security Insights report. This comprehensive report draws data-driven insights from the Qualys TruRisk Platform, offering organizations valuable information to tackle the challenges in today's ever-evolving threat landscape. The research data, collected from anonymized global cloud scans during April 2023, was primarily generated to develop benchmarks for the Center for Internet Security (CIS).
Key highlights from the report underscore the critical nature of cloud misconfiguration as a major concern for securing cloud environments. This misconfiguration poses a significant risk of data breaches and unauthorized access. Astonishingly, on average, 50% of CIS Benchmarks fail across major cloud service providers. The fail rate for AWS stands at 34%, Azure at 57%, and Google Cloud Platform (GCP) at a concerning 60%.
Among the alarming revelations, the report uncovers the exposure of cloud assets to the internet. A staggering 4% of the over 50 million scanned cloud assets are externally facing, equipped with public IP addresses, and visible to potential attackers. This unnerving figure serves as a wake-up call, emphasizing the importance of addressing even seemingly minor security loopholes.
The research period also revealed another pressing concern: more than 60 million applications were found to be at end-of-support and end-of-life. Critical categories, such as database and web servers, as well as security software, no longer receive security updates. This leaves them vulnerable to exploitation and significantly increases the risk of a data breach.
The study further identified the three most significant categories of cloud misconfigurations: encryption, identity and access management, and internet-facing assets. These areas warrant immediate attention from organizations utilizing cloud technologies to bolster their security measures effectively.
Craig Boyle, MSSP Solutions Architect at XM Cyber, weighed in on the report and cloud security in 2023:
"Typically, deployment of infrastructure and resources required a procurement and approval process that included many steps before physical infrastructure or resources could be provisioned. In today’s modern and agile environments, this is seen as a hindrance to innovation and business development; however, it did permit security teams the time to consider the security implications of each new deployment.
One of the core characteristics of cloud is self-service. That is, the ability to deploy infrastructure and resources rapidly and at scale without the constraints associated with traditional on-premises IT environments. While this is often considered one of the core benefits of cloud computing, it does come with significant associated risk. Appropriate processes supported by robust technical controls are imperative to ensuring that businesses strike the right balance between velocity and security. DevSecOps can ensure that velocity and security are inherent to a business's cloud operations so that all the benefits of cloud computing are realized while also minimizing the associated risks."
Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems, said:
"Cloud security for most organizations is a subset of the scope of their broader cybersecurity, focused on their use of cloud services. Of course, some organizations are now entirely cloud native. The cloud service providers have also ensured that there is a clear delineation in responsibility for security of the various services, making it clear that CSPs are responsible for securing the cloud, while customers are responsible for everything they put in the cloud. While this differs based on type of cloud service, data always remains the responsibility of the organizations using the cloud. It is important to remember cloud security started off being very focused around configuration settings, as the CSPs abstracted and simplified requirements into optional configuration settings. Cloud security providers have become far better about secure defaults for configuration, and Cloud Security Posture Management (CSPM) tools have enabled visibility into cloud infrastructure best practices. These tools have lacked the visibility into what is within the infrastructure, and organizations are now realizing that securing the cloud needs more focus on the resources they put in the cloud, like data, and how to protect data through identity-first mechanisms and encryption. They are also realizing that robust cloud security requires a focus on resilience and investment in detection and response mechanisms to respond to inevitable threats. This has led to investment in capabilities like Data Security Posture Management (DSPM) and cloud detection and response."