Qualys Research Finds 57% of Azure and 60% of Google Cloud Deployments Fail CIS Benchmarks

For more than a decade, organizations have been shifting their digital footprint to cloud computing. The ability to rapidly scale solutions in a cost-effective manner allows any organization to enhance their agility, improve application release timelines, and leverage additional computing resources on demand. While this has changed the way organizations manage their IT assets, the need for security remains just as strong.

Qualys is releasing the 2023 Qualys Cloud Security Insights report which describes data-backed insights from the Qualys TruRisk Platform about risks and best practices associated with cloud computing. The insights enable organizations using cloud technologies to better understand these risks and how they can be better prepared to face those challenges in today’s threat landscape. The research data was generated from anonymized global cloud scans during April 2023, primarily for benchmarks that Qualys helped develop for the Center for Internet Security (CIS).

Some of the key findings from the latest Qualys report include: 

• Cloud misconfiguration is the most critical issue for securing cloud environments as it amplifies the risk of data breaches and unauthorized access. On average, 50% of CIS Benchmarks are failing across the major providers. The average fail rate for each provider was 34% for AWS, 57% for Azure, and 60% for Google Cloud Platform (GCP).
• One of the most alarming discoveries within the data was how many cloud assets are externally facing and exposed to the internet. Approximately 4% of cloud assets within the more than 50 million scanned are internet facing, meaning they have public IP addresses and are visible to any attacker.
• During the research period, more than 60 million applications were at end of support and life. Critical categories include database and web servers, and security software, none of which will receive security updates, increasing exposure and risk of a breach.

According to the research, cloud misconfiguration is the most critical issue for securing cloud environments as it amplifies the risk of data breaches and unauthorized access. On average, 50% of CIS Benchmarks are failing across the major providers. The average fail rate for each provider was 34% for AWS, 57% for Azure, and 60% for Google Cloud Platform (GCP). The three most significant categories of misconfigurations were encryption, identity and access management, and internet-facing assets.

Additionally, one of the most alarming discoveries within the data was how many cloud assets are externally facing and exposed to the internet. Approximately 4% of cloud assets within the more than 50 million scanned are internet facing, meaning they have public IP addresses and are visible to any attacker. While 4% does not seem alarming, any number greater than zero should cause concern. 

Here are what a few cybersecurity experts had to say:

Zane Bond, Head of Product at Keeper Security:

Amazon Web Services (AWS), Google Cloud Platform (GCP) and Azure continuously upgrade and evolve their security recommendations. However, these components are not always implemented properly or monitored. Administrators should always ensure they’re using a secure vault and secrets management solution, and performing necessary patches and updates immediately. They should also check their cloud console’s security controls to ensure they’re following the latest recommendations. And as always, don’t make risky clicks with suspicious emails.

Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems:

Cloud security for most organizations is a subset of the scope of their broader cybersecurity, focused purely on their use of cloud services. Of course, some organizations are now entirely cloud native.  The cloud service providers have also ensured that there are clear delineation in responsibility for security of the various services – making it clear that CSP’s are responsible for securing the cloud, while customers are responsible for everything they put in the cloud. While this differs based on type of cloud service, data always remains the responsibility of the organizations using the cloud.

It is important to remember cloud security started off being very focused around configuration settings, as the CSP’s abstracted and simplified requirements into optional configuration settings, cloud security providers have become far better about secure defaults for configuration and Cloud Security Posture Management (CSPM) tools have enabled visibility into cloud infrastructure best practices. These tools have lacked the visibility into what is within the infrastructure, and organizations are now realizing the securing the cloud needs more focus on the resources they put in the cloud like data, and how to protect data through identity first mechanisms and encryption. They are also realizing that robust cloud security requires a focus on resilience and investment in detection and response mechanisms to respond to inevitable threats. This has led to investment in capabilities like Data Security Posture Management (DSPM) and cloud detection and response. 

Utpal Bhatt, CMO at Tigera:

In contrast to general cybersecurity, cloud security is often a collaborative effort between cloud service providers (CSPs) and customers, who could be an individual, a small-to-medium business (SMB), or an enterprise. This collaborative security effort is referred to as the shared responsibility model, which outlines the key security responsibilities of CSPs and those that fall to customers that should ultimately cover every element of an organization’s cloud environment. This includes all the hardware, infrastructure, endpoints, data, configurations, settings, operating system, network controls, and access rights. 

Threat actors are constantly looking for and finding cloud vulnerabilities to exploit. In response, it’s important that organizations are constantly looking for and mitigating risks in their own systems. There are different tools organizations can use for risk assessment and management as well as published frameworks, such as the Cloud Security Alliance’s Cloud Control Matrix that can assist in codifying internal processes for risk assessment and management.  

Actively monitoring a cloud system enables users to review, monitor, and manage risks more effectively. Automated monitoring can help save time and ensure continuous visibility. Once an event occurs or a risk identified, administrators are notified and can apply mitigation measures. This can help ensure your cloud environment remains healthy and secure. 

Craig Boyle, MSSP Solutions Architect at XM Cyber:

Typically, deployment of infrastructure and resources required a procurement and approval process that included many steps before physical infrastructure or resources could be provisioned. In today’s modern and agile environments, this is seen as a hindrance to innovation and business development, however, it did permit security teams the time to consider the security implications of each new deployment.

One of the core characteristics of cloud is self-service. That is the ability to deploy infrastructure and resources rapidly and at scale without the constraints associated with traditional on-premises IT environments. While this is often considered one of the core benefits of cloud computing, it does come with significant associated risk. Appropriate processes supported by robust technical controls are imperative to ensuring that businesses strike the right balance between velocity and security. DevSecOps can ensure that velocity and security are inherent to a business’s cloud operations so that all the benefits of cloud computing are realized while also minimizing the associated risks.