< Back to Blog
Protecting Yourself From Third-Party Cloud Vulnerabilities
Panorays News

Protecting Yourself From Third-Party Cloud Vulnerabilities

By Giora Omer Mar 10, 20213 min read

In our January 2021 version release, Panorays introduced a new Cloud category to our third-party cyber posture assessments. The Cloud category, as all of our previous categories, is based on non-intrusive probing (e.g. DNS mining) and external data feeds — allowing organizations to assess their third parties easily and quickly. 

Here’s some background about the significance of this category.

Why is there a need for this new cyber posture category?

Cloud infrastructure providers such as Amazon AWS, Microsoft Azure and Google GCP have become an integral part of the computing backbone of nearly every organization. Even traditional industries that are hesitant to make the transition rely heavily on cloud providers for various services such as marketing, support and operations.

When assessing the cyber posture of third parties, does cloud infrastructure require special treatment?

Yes.

The NSA classified cloud vulnerabilities into four primary categories:

  1. Misconfiguration
  2. Poor access control
  3. Shared tenancy vulnerabilities
  4. Supply chain vulnerabilities

Due to its inherent characteristics such as public access and shared tenancy, any mistake you make on the cloud is dramatically compounded. Most are familiar with leaked data vulnerabilities from open S3 buckets, and various notable breaches occurred due to cloud misconfigurations, like the Capital One incident.

Don’t standard cyber posture tests also apply to cloud providers as well?

A company with IT resources running on the cloud, completely or partially, can be assessed using the same tests as a company running on-prem. Exposed services, DNS configurations, TLS best practices and technology patching are relevant to cloud infrastructure just as they are to on-prem.

The heightened importance of cloud infrastructure and the unique vulnerabilities it introduces require a dedicated assessment vector to produce accurate findings and a more precise evaluation of the company. Since many of the cloud vulnerabilities originate from misconfigurations, assessing cloud infrastructure requires great expertise from the providers themselves and the services they offer.

How can you assess the security of cloud infrastructure?

Cloud infrastructure is built from resources of different services (e.g. virtual machines, load balancers, etc.) which reside in different regions (US East, Europe) on different providers (AWS, Azure). A single company may use several cloud providers to prevent vendor lock-in.

Each one of these services is a world of its own, with its own configurations and security considerations. AWS for example, provides hundreds of different services.

Example of multi-region cloud architecture in AWS

There are various excellent solutions for assessing your cloud infrastructure, including open-source tools like CloudSploit and Scout Suite. These tools require credentials to connect to the companies’ cloud accounts and retrieve configuration and usage data, which they analyze to produce their assessment results.

However, when assessing the cloud infrastructure of your third parties, you (hopefully) do not have the ability to provide their credentials. Few companies will be willing to share sensitive audit reports of their cloud misconfigurations — and rightfully so.

So how does Panorays assess the cloud infrastructure of third parties?

Panorays’ discovery engine maps out the detected cloud infrastructure of companies and breaks them down into:

  • Cloud providers
  • Regions
  • Services
  • Resources

The detected cloud resources go through a series of unique tests to assess the cyber posture of the companies’ cloud infrastructure (see example below).

The findings are then integrated into the companies’ overall Cyber Posture Ratings.

With the new Cloud category, Panorays evaluators gain:

  1. Automatic detection of their third parties’ external cloud infrastructure
  2. Dedicated tests for assessing their third parties’ cloud infrastructure attack vector
  3. A comparison of third parties based on their cloud rating 
  4. A more accurate overall Cyber Posture Rating

Want to learn more about Panorays’ new cloud category? Schedule a demo today.

humbnail
Giora Omer

Chief Architect and winner of the annual office basketball competition at Panorays. He has over 20 years experience in software, platform and security engineering (with a short hiatus for a degree in film).

You may also like...
Why We Are Proud to Be Recognized in Forrester’s New Wave™
Mar 01, 2021 Why We Are Proud to Be Recognized in Forrester’s New… Yaffa Klugerman
Panorays Recognized as a Strong Performer by Independent Research Firm in Cybersecurity Risk Ratings Platforms Report
Mar 01, 2021 Panorays Recognized as a Strong Performer by Independent Research Firm… Yaffa Klugerman
How Panorays Handled 2020: A Look Back
Jan 04, 2021 How Panorays Handled 2020: A Look Back Iftach Ariav
Get our latest posts straight to your inbox Subscribe

We use cookies to ensure you get the best experience on our website. Visit our Privacy Policy for more information.