A recent report by CyCognito has uncovered significant differences in vulnerability rates among major cloud service providers, finding that assets on Google Cloud and smaller providers carry notably higher risk than those on Amazon Web Services (AWS) and Microsoft Azure. The research, which analyzes nearly five million internet-exposed assets, underscores the pressing need for improved security measures across cloud infrastructures amid rising global concerns over cyber threats.
According to the study, 38% of assets hosted by Google Cloud were found to have at least one security issue, more than double the rate for AWS at 15%. Less well-known cloud providers, including Oracle Cloud, DigitalOcean, and Linode, were also recorded at a 38% vulnerability rate. Major hosting companies like GoDaddy and Hetzner were recorded at 33%, adding to a landscape marred by potential security breaches.
For critical vulnerabilities, classified as those with a Common Vulnerability Scoring System (CVSS) score of 9.0 or higher, Azure had the highest rate among the leading cloud platforms at 0.07%. In comparison, both AWS and Google Cloud were at 0.04%. While these figures seem minimal, the sheer volume of assets translates to considerable exposure: even a slight percentage can lead to hundreds of vulnerable points.
CyCognito also assessed how easily these vulnerabilities could be exploited: over 13% of assets on smaller cloud platforms had easily exploitable flaws, while the corresponding figure for major hosting providers was close to 10%. Notably, Google Cloud showed a higher rate of easily exploitable issues, with 5.35% of its assets affected, significantly above AWS and Azure.
Despite the alarming statistics from smaller cloud services, the major providers showed little overlap between the two risk measures, with less than 0.1% of their assets falling into the high-risk category of vulnerabilities that are both critical and easily exploitable. However, as CyCognito warns, organizations using multiple cloud environments must improve visibility and ensure that potential weak points do not go unnoticed.
To combat these vulnerabilities, CyCognito recommends employing advanced security measures beyond conventional inventory techniques, advocating for ‘seedless’ discovery methods to better monitor all assets. Additionally, organizations should implement dynamic security testing post-deployment to effectively mitigate risks associated with cloud misconfigurations and forgotten assets.