Orca Security Research Finds Public Cloud Environments Rife with Neglected Workloads, Authentication Issues, and Lateral Movement Risk


Unpatched, internet-facing workloads and those with authentication issues hold keys to unlocking internal systems where crown jewel data is stored:

  • More than 80 percent of organizations have at least one neglected, internet-facing workload – meaning it’s running on an unsupported operating system or has remained unpatched for 180 days or more
  • Almost 25 percent of organizations aren’t using multi-factor authentication to protect one of their cloud account’s root, super admin users
  • Almost half of organizations have internet-facing workloads containing secrets and credentials, posing a risk of lateral movement
  • Once past the internet-facing workload and with keys in hand, cybercriminals traverse less secure internal machines in search of crown jewel data. 77 percent of organizations have 10 percent or more of their internal workloads either unpatched for 180 days or no longer supported

LOS ANGELES--(BUSINESS WIRE)--The Orca Security 2020 State of Public Cloud Security Report found that as organizations across industries rapidly deploy more assets in the public cloud with Amazon, Microsoft, and Google, they are leaving numerous paths open for exploitation. Cloud estates are being breached through their weakest links of neglected internet-facing workloads, widespread authentication issues, discoverable secrets and credentials, and misconfigured storage buckets.

While public cloud providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) keep their platforms secure, customers are still responsible for securing the workloads, data, and processes they run inside the cloud – just as they do in their on-prem world. Such shared responsibility poses a serious challenge due to the speed and frequency of public cloud deployments.

For most organizations, cloud workload security is dependent upon the installation and maintenance of security agents across all assets. However, IT security teams are not always informed of cloud deployments, so this lack of visibility results in missed vulnerabilities and attack vectors.

“While organizations must secure their entire estate, attackers only need to find a single weak link to exploit,” said Avi Shua, Orca Security CEO and co-founder. “It’s imperative for organizations to have 100 percent public cloud visibility and know about all neglected assets, weak passwords, authentication issues, and misconfigurations to prioritize and fix. The Orca Security 2020 State of Public Cloud Security Report shows how just one gap in cloud coverage can lead to devastating data breaches.”

Top report findings include:

Neglected Internet-Facing Workloads

Attackers look for vulnerable frontline workloads to gain entrance to cloud accounts and expand laterally within the environment. While security teams need to secure all public cloud assets, attackers only need to find one weak link.

  • The study found more than 80 percent of organizations have at least one neglected, internet-facing workload – meaning it’s running on an unsupported operating system or has remained unpatched for 180 days or more
  • Meanwhile, 60 percent have at least one neglected internet-facing workload that has reached its end of life and is no longer supported by manufacturer security updates
  • 49 percent of organizations have at least one publicly accessible, unpatched web server despite increased awareness of how that can result in large data breaches (e.g., Equifax in 2017)

Authentication and Credential Issues

Weak security authentication is another way that attackers breach public cloud environments. The Orca Security study found that authentication and password storage issues are commonplace.

  • Almost half the organizations (44 percent) have internet-facing workloads containing secrets and credentials that include clear-text passwords, API keys, and hashed passwords that allow lateral movement across their environment
  • Meanwhile, 24 percent have at least one cloud account that doesn’t use multi-factor authentication for the super admin user; 19 percent have cloud assets accessible via non-corporate credentials
  • Additionally, five percent have cloud workloads that are accessible using either a weak or leaked password

Lateral Movement Risk

All weak links combine to pose serious cloud security and lateral movement attack risk for any organization. Attackers also take advantage of knowing that internal servers are less protected than external internet-facing servers and that they can expand rapidly in search of critical data once inside a cloud estate.

  • The security posture of internal machines is much worse than that of internet-facing servers, with 77 percent of organizations having at least 10 percent of their internal workloads in a neglected security state
  • Additionally, six percent of internet-facing assets contain SSH keys that could be used to access adjacent systems

Report Resources Now Available:

About the Orca Security 2020 State of Public Cloud Security Report

Orca Security’s 2020 State of Public Cloud Security Report analyzed data from more than two million scans of 300,000 public cloud assets running on AWS, Azure, and GCP. Scanned accounts represented Orca’s customer base across numerous industries including financial services, professional services, travel, cloud computing, online marketplaces, entertainment, real estate, and more. The public cloud scans ran from November 6, 2019, to June 4, 2020.

About Orca Security

Orca Security is the cloud security innovation leader, providing instant-on, workload-level security and visibility into AWS, Azure, and GCP – without the gaps in coverage and operational costs of agents.

Delivered as SaaS, Orca Security’s patent-pending SideScanning™ technology reads your cloud configuration and workloads’ runtime block storage out-of-band, detecting vulnerabilities, malware, misconfigurations, lateral movement risk, weak and leaked passwords, and unsecured PII.

Orca Security deploys in minutes – not months – because no opcode runs within your cloud environment. With Orca, there are no overlooked assets, no DevOps headaches, and no performance hits on live environments.

And unlike legacy tools that operate in silos, Orca treats your cloud as an interconnected web of assets, prioritizing risk based on environmental context. This does away with thousands of meaningless security alerts to provide just the critical few that matter, along with their precise path to remediation.

Connect your first cloud account in minutes and see for yourself. Visit orca.security.


Brendan Hughes
RH Strategic for Orca Security