Source: Tenable Blog Author: Shai Morag URL: https://www.tenable.com/blog/whos-afraid-of-a-toxic-cloud-trilogy
ONE SENTENCE SUMMARY:
The Tenable Cloud Risk Report 2024 highlights critical vulnerabilities, excessive permissions, and public exposure in nearly 40% of organizations’ cloud workloads.
MAIN POINTS:
- 38% of organizations face critical vulnerabilities, excessive permissions, and public exposure in their cloud workloads.
- “Toxic cloud trilogy” combines critical vulnerabilities, excessive permissions, and public exposure, exacerbating security risks.
- The study analyzed telemetry from millions of cloud resources across multiple public cloud repositories.
- Organizational silos and different risk appetites hinder effective vulnerability remediation efforts.
- Critical vulnerabilities often remain unaddressed even a month after being published as CVEs.
- Excessive permissions in AWS lead to increased risks in identity-based attacks, especially for human identities.
- 96% of organizations possess public-facing cloud assets, with 29% having public-facing storage buckets.
- Comprehensive visibility requires unifying monitoring across multiple cloud environments for effective security posture.
- Organizations should prioritize rapid remediation of severe vulnerabilities to mitigate potential risks.
- Monitoring and managing public-facing assets is essential to prevent unnecessary exposure and potential breaches.
TAKEAWAYS:
- Assess your cloud workloads for the toxic cloud trilogy to enhance security.
- Promote collaboration between IAM and security teams to address excessive permissions.
- Ensure prompt remediation of vulnerabilities to minimize exploitation risks.
- Monitor public-facing assets and understand their configurations to avoid exposures.
- Implement a unified security approach across multi-cloud environments for better risk management.
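To make the "toxic cloud trilogy" concrete as an assessment check (the combination in the main points above and the first takeaway), here is an added example that is not Tenable's code. It walks a constructed workload inventory and flags only workloads that are simultaneously public-facing, carry a critical vulnerability, and hold excessive permissions, and it separately lists critical CVEs left unpatched more than 30 days after publication. The inventory schema, the set of actions treated as excessive, the CVE placeholders and the dates are all assumptions made for illustration.

```python
"""Flag cloud workloads that exhibit the 'toxic cloud trilogy'.

Added example, not Tenable's code. Inventory format, field names, the
EXCESSIVE_ACTIONS set and all sample records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Hypothetical: broad IAM actions that count as "excessive" on a workload role.
EXCESSIVE_ACTIONS = {"*", "iam:*", "s3:*", "ec2:*", "iam:PassRole"}


@dataclass
class Vulnerability:
    cve: str          # placeholder identifier; real CVE ids would come from a scanner
    severity: str     # "critical", "high", ...
    published: date   # CVE publication date


@dataclass
class Workload:
    name: str
    public: bool               # internet-reachable (public IP or 0.0.0.0/0 ingress)
    permissions: List[str]     # IAM actions granted to the workload's role
    vulns: List[Vulnerability]


def has_critical_vuln(w: Workload) -> bool:
    return any(v.severity == "critical" for v in w.vulns)


def has_excessive_permissions(w: Workload) -> bool:
    return any(p in EXCESSIVE_ACTIONS for p in w.permissions)


def is_toxic(w: Workload) -> bool:
    """All three conditions must hold; any one alone is not the trilogy."""
    return w.public and has_critical_vuln(w) and has_excessive_permissions(w)


def stale_criticals(w: Workload, today: date, max_age_days: int = 30) -> List[str]:
    """Critical CVEs still present more than max_age_days after publication."""
    return [v.cve for v in w.vulns
            if v.severity == "critical" and (today - v.published).days > max_age_days]


def triage(inventory: List[Workload], today: date) -> Dict[str, dict]:
    """Per-workload assessment; the individual flags explain why a workload is toxic."""
    return {
        w.name: {
            "public": w.public,
            "critical_vuln": has_critical_vuln(w),
            "excessive_permissions": has_excessive_permissions(w),
            "toxic": is_toxic(w),
            "stale_criticals": stale_criticals(w, today),
        }
        for w in inventory
    }


def toxic_share(inventory: List[Workload], today: date) -> float:
    """Fraction of workloads flagged toxic (the report-style headline number)."""
    report = triage(inventory, today)
    return sum(r["toxic"] for r in report.values()) / len(report) if report else 0.0


# Constructed sample inventory (dates and identifiers are placeholders).
TODAY = date(2024, 10, 1)
SAMPLE_INVENTORY = [
    Workload("web-frontend", public=True,
             permissions=["s3:*", "logs:PutLogEvents"],
             vulns=[Vulnerability("CVE-0000-00001", "critical", date(2024, 8, 10))]),
    Workload("api-gateway", public=True,
             permissions=["dynamodb:GetItem", "logs:PutLogEvents"],
             vulns=[Vulnerability("CVE-0000-00002", "critical", date(2024, 9, 20))]),
    Workload("batch-worker", public=False,
             permissions=["*"],
             vulns=[Vulnerability("CVE-0000-00003", "critical", date(2024, 7, 1))]),
]

if __name__ == "__main__":
    for name, result in triage(SAMPLE_INVENTORY, TODAY).items():
        print(name, result)
    print(f"toxic share: {toxic_share(SAMPLE_INVENTORY, TODAY):.0%}")
```

Only `web-frontend` trips all three flags; `api-gateway` is public with a critical CVE but least-privilege, and `batch-worker` is over-permissioned with a stale CVE but not exposed. Both of the latter still surface in the per-flag output, which is what makes the breakdown useful for routing fixes to the team that owns each condition.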