Qualys Report: Cloud Misconfiguration Critical Issue in Cloud Security Environments

A new Qualys report shows organizations are largely leaving most security settings as-is in cloud infrastructures. That means roughly half of all security settings are in an state that could provide an opening for threat actors to gain access to critical cloud computing resources.

Qualys’ Travis Smith

That’s according to Travis Smith, vice president of Qualys’ threat research unit. This week, Qualys released its 2023 Cloud Security Insights report. It describes data-backed insights from the Qualys TruRisk Platform about risks and best practices associated with cloud computing.

Some of the key findings from the latest Qualys report include:

Most Surprising Finding in Qualys Report

“The most surprising finding was seeing Log4Shell still largely unpatched in cloud environments,” Smith said. “This vulnerability has had widespread attention in the industry and we are coming up on the two-year anniversary of it’s published date. This critical vulnerability can be easily exploited and should be taken up on priority to remediate if it is found in any production environment.”

The first step for any organization deploying assets of AWS, Azure or GCP is to leverage CIS hardening benchmarks, which represent the “gold standard” for properly securing cloud infrastructure, he said.

“Knowing what security controls are misconfigured is the first step to understanding what the organizational risk is, so it is important to first get a baseline and improve the security architecture from there,” Smith said.

The findings are not all doom and gloom, he said. There are a few encouraging signs that can be seen throughout.

“For example, AWS configuration settings are passing at a much higher rate than Azure or GCP,” Smith said. “With AWS having the highest market share in cloud computing, it is encouraging to see that it is the most secure of the three we analyzed. However, that being said, [public cloud storage containers] are still exposed to the internet at an alarming rate. The encouraging side of that is we can see the equivalent settings in Azure and GCP not being exposed to the internet at such high rates.”

Anecdotally, the highest threat to cloud environments from a malware perspective is cryptomining attacks, he said.

“It is encouraging that more nefarious attacks such as ransomware have not materialized on a large scale,” Smith said. “Yet this should be a warning to organizations that if cryptomining can get in, the threat exists for other more dangerous attacks like ransomware to find their way into cloud environments.”