{"id":1481,"date":"2025-05-20T08:00:00","date_gmt":"2025-05-20T15:00:00","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=1481"},"modified":"2025-10-03T23:09:51","modified_gmt":"2025-10-04T06:09:51","slug":"and-the-cloud-goes-wild-looking-at-vulnerabilities-in-cloud-assets","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/and-the-cloud-goes-wild-looking-at-vulnerabilities-in-cloud-assets\/","title":{"rendered":"And The Cloud Goes Wild: Looking at Vulnerabilities in Cloud Assets"},"content":{"rendered":"\n

We admit it \u2013 we\u2019ve had our heads in the clouds recently. Since we started working with Wiz<\/a> as one of their integration partners, we\u2019ve been spending even more time thinking about cloud assets. And these assets are everywhere! <\/p>\n\n\n\n

Gartner<\/a> predicts double digit growth across all cloud segments in 2025. More and more organizations are adopting multi-cloud strategies that spread their assets across multiple hosting providers and more and more IT infrastructure spending is shifting from on-premise hosting to cloud. <\/p>\n\n\n\n

While cloud computing has many benefits, we\u2019re also seeing an increasing number of serious security issues directly affecting cloud assets. We\u2019re not the only ones noticing this trend \u2013 researchers with Palo Alto Networks found that by the end of 2024, organizations suffered a 388%<\/a> increase in cloud security alerts compared to 2023. <\/p>\n\n\n\n

Given our new partnership with Wiz<\/a>, we wanted to do a dive into some of the data we have about the cloud assets CyCognito monitors \u2013 where they live, what issues they may be hiding, and what techniques can make them safer.  <\/p>\n\n\n\n

Before we jump in, it\u2019s worth noting that this research is not specific to the cloud platforms themselves, but rather the assets hosted on them. While we aggregated assets by cloud hosting providers, further research is needed to understand why variance existed between different populations of assets.<\/p>\n\n\n\n

What we looked into<\/h2>\n\n\n\n

For this research, we were primarily interested in assets hosted by the three largest cloud service providers \u2013 AWS, Azure, and Google Cloud \u2013 but also looked at aggregated figures for other clouds and hosting providers. <\/p>\n\n\n\n

We also looked at whether the cloud assets we saw were vulnerable to any vulnerabilities or misconfigurations and whether any of those vulnerabilities were of critical severity (defined as a Common Vulnerability Scoring System [CVSS] score of 9 or higher on a scale of 1.0 to 10.0). These vulnerabilities affect the asset, not the hosting providers. <\/p>\n\n\n\n

Looking at anonymized, aggregated data across the nearly five million internet-exposed assets that CyCognito monitors, we\u2019ve found that 1 in 3 easily exploitable vulnerabilities or misconfigurations are found on cloud assets.<\/p>\n\n\n

\n
\"\"<\/figure><\/div>\n\n\n

<\/p>\n\n\n\n

Our research shows that among the three cloud hosting providers, Google Cloud hosted the highest percentage of assets affected by at least one vulnerability or misconfiguration (38%), over 2.5x more than AWS (15%). Assets hosted by Azure ranked second in total exposure (27%). When we looked at assets hosted by other clouds and hosting providers like GoDaddy, Hetzner, and Digital Ocean aggregated together, 38% of assets found on other clouds were vulnerable to at least one vulnerability or misconfiguration and 32% of assets attributed to hosting providers were vulnerable.<\/p>\n\n\n\n

Critical issues<\/h2>\n\n\n\n

Critical vulnerabilities and misconfigurations (CVSS 9.0 or higher) are uncommon across all environments we looked at. However, small numbers can still have gulfs between them. We found that assets hosted in Azure showed a slightly higher percentage of critical vulnerabilities (less than 0.07%) than both assets hosted in AWS and in Google Cloud (0.04%). Although these numbers are small, across attack surfaces of hundreds of thousands to millions of assets, this could represent hundreds of potential weak points \u2013 and it only takes one to let an attacker in. <\/p>\n\n\n\n

Comparatively, 0.48% of assets attributed to other cloud providers and 0.32% of assets attributed to other hosting providers were affected by critical vulnerabilities. While still less than 1%, the percentage of total affected assets hosted by other cloud providers was approximately 10 times higher than with AWS or Google Cloud.<\/p>\n\n\n\n

Low-hanging fruit<\/h2>\n\n\n\n

While the CVSS is an essential starting point for evaluating the severity of security issues, it is merely a starting point. Our research for the 2024 edition of CyCognito\u2019s State of External Exposure Management report<\/a> found that incorporating additional context about the affected asset and attack surface, like the discoverability or attractiveness of the asset to attackers, identified one in three (32%) security issues as less severe than their CVSS score would indicate. <\/p>\n\n\n\n

Because of this, we also looked specifically for cloud assets with vulnerabilities that were easily exploitable, even if those vulnerabilities weren\u2019t critical. CyCognito uses available threat intelligence on attacker behavior and trends, along with details about vulnerabilities, to measure the difficulty at which a vulnerable asset can be assessed and consequently exploited by a potential attacker, based on the complexity of the required exploitation methods.<\/p>\n\n\n\n

Easily exploitable vulnerabilities were most commonly found on assets hosted by \u201cother clouds\u201d and \u201cother hosting providers\u201d \u2013  over 13% and 10% of assets, respectively. <\/p>\n\n\n\n

Assets hosted by Google Cloud also had approximately double the percentage of easily exploitable vulnerabilities compared to assets hosted by AWS and Azure, with 5% of assets hosted by  Google Cloud having easily exploitable vulnerabilities or misconfigurations compared with 2% of AWS-hosted assets and 2% of assets hosted in Azure.<\/p>\n\n\n\n

Combined risk factors<\/h2>\n\n\n\n

Not all critical issues are easily exploitable and not all easily exploitable issues are critical. But when we look at the assets that are affected by issues that are both critical and easily exploitable, we see that assets residing in AWS are the least affected by these types of issues \u2013 less than a tenth of one percent of assets hosted by AWS have easily exploitable critical issues. The figures for Azure and Google Cloud are similar. <\/p>\n\n\n\n

However, while it\u2019s still true that less than 1% of assets hosted by other clouds or hosting providers are affected by easily exploitable critical issues, these issues can be found at ten times the frequency there than on AWS assets.<\/p>\n\n\n\n\n\n\n<\/col>\n<\/col>\n<\/col>\n<\/col>\n<\/col>\n<\/colgroup>\n\n\n\n\n\n\n\n\n
<\/th>\n% Assets with at least One Issue<\/th>\nAssets with Critical Issues<\/th>\nAssets with Easily Exploitable Issues<\/th>\nAssets with Critical & Easily Exploitable Issues<\/th>\n<\/tr>\n\n
Amazon Web Services (AWS)<\/strong><\/td>\n14.77%<\/td>\n0.04%<\/td>\n1.98%<\/td>\n0.02%<\/td>\n<\/tr>\n\n
Microsoft Azure<\/strong><\/td>\n26.98%<\/td>\n0.07%<\/td>\n2.37%<\/td>\n0.05%<\/td>\n<\/tr>\n\n
Google Cloud Platform (GCP)<\/strong><\/td>\n38.15%<\/td>\n0.04%<\/td>\n5.35%<\/td>\n0.03%<\/td>\n<\/tr>\n\n
Other Clouds<\/strong><\/td>\n38.15%<\/td>\n0.48%<\/td>\n12.72%<\/td>\n0.30%<\/td>\n<\/tr>\n\n
Hosting Providers<\/strong><\/td>\n32.93%<\/td>\n0.32%<\/td>\n9.73%<\/td>\n0.25%<\/td>\n<\/tr>\n\n<\/tbody>\n<\/table>\n\n\n\n

Great data, but now what? <\/h2>\n\n\n\n

Now, we’re not suggesting everyone go back to on-premises \u2013 cloud is here to stay. Instead, security teams should focus on understanding the exposures and risks affecting cloud assets. <\/p>\n\n\n\n

    \n
  1. Complete visibility<\/strong>: Multi-cloud environments can lead to forgotten assets and contribute to Shadow IT. Ensure that your asset inventory is up-to-date by using an asset discovery solution that doesn\u2019t rely on potentially outdated or inaccurate inventory information. Seedless discovery solutions don\u2019t rely on what you know to find what missing or forgotten assets.\u00a0<\/li>\n\n\n\n
  2. Use dedicated cloud security tools: <\/strong>Cloud-Native Application Protection Platforms (CNAPPs), like our friends at Wiz<\/a>, integrate multiple tools that scan code, check open-source libraries, secure cloud workloads, and track cloud configurations.<\/li>\n<\/ol>\n\n\n\n

    But make sure to close security gaps: <\/strong>In addition to testing during development, make sure you\u2019re testing your cloud applications after they\u2019re deployed. Dynamic application security testing (DAST) is crucial for AppSec as it actively tests live applications, uncovering vulnerabilities and misconfigurations that static tools miss.<\/p>\n\n\n\n

    Worried about vulnerabilities affecting your cloud assets? <\/h2>\n\n\n\n

    If you\u2019re already using Wiz, CyCognito\u2019s Wiz integration can enhance your CNAPP coverage<\/a> by: <\/p>\n\n\n\n