In our January 2021 version release, Panorays introduced a new Cloud category to our third-party cyber posture assessments. The Cloud category, as all of our previous categories, is based on non-intrusive probing (e.g. DNS mining) and external data feeds — allowing organizations to assess their third parties easily and quickly.
Here’s some background about the significance of this category.
Why is there a need for this new cyber posture category?
Cloud infrastructure providers such as Amazon AWS, Microsoft Azure and Google GCP have become an integral part of the computing backbone of nearly every organization. Even traditional industries that are hesitant to make the transition rely heavily on cloud providers for various services such as marketing, support and operations.
When assessing the cyber posture of third parties, does cloud infrastructure require special treatment?
Yes.
The NSA classified cloud vulnerabilities into four primary categories:
- Misconfiguration
- Poor access control
- Shared tenancy vulnerabilities
- Supply chain vulnerabilities
Due to its inherent characteristics such as public access and shared tenancy, any mistake you make on the cloud is dramatically compounded. Most are familiar with leaked data vulnerabilities from open S3 buckets, and various notable breaches occurred due to cloud misconfigurations, like the Capital One incident.
Don’t standard cyber posture tests also apply to cloud providers as well?
A company with IT resources running on the cloud, completely or partially, can be assessed using the same tests as a company running on-prem. Exposed services, DNS configurations, TLS best practices and technology patching are relevant to cloud infrastructure just as they are to on-prem.
The heightened importance of cloud infrastructure and the unique vulnerabilities it introduces require a dedicated assessment vector to produce accurate findings and a more precise evaluation of the company. Since many of the cloud vulnerabilities originate from misconfigurations, assessing cloud infrastructure requires great expertise from the providers themselves and the services they offer.
How can you assess the security of cloud infrastructure?
Cloud infrastructure is built from resources of different services (e.g. virtual machines, load balancers, etc.) which reside in different regions (US East, Europe) on different providers (AWS, Azure). A single company may use several cloud providers to prevent vendor lock-in.
Each one of these services is a world of its own, with its own configurations and security considerations. AWS for example, provides hundreds of different services.
There are various excellent solutions for assessing your cloud infrastructure, including open-source tools like CloudSploit and Scout Suite. These tools require credentials to connect to the companies’ cloud accounts and retrieve configuration and usage data, which they analyze to produce their assessment results.
However, when assessing the cloud infrastructure of your third parties, you (hopefully) do not have the ability to provide their credentials. Few companies will be willing to share sensitive audit reports of their cloud misconfigurations — and rightfully so.
So how does Panorays assess the cloud infrastructure of third parties?
Panorays’ discovery engine maps out the detected cloud infrastructure of companies and breaks them down into:
- Cloud providers
- Regions
- Services
- Resources
The detected cloud resources go through a series of unique tests to assess the cyber posture of the companies’ cloud infrastructure (see example below).
The findings are then integrated into the companies’ overall Cyber Posture Ratings.
With the new Cloud category, Panorays evaluators gain:
- Automatic detection of their third parties’ external cloud infrastructure
- Dedicated tests for assessing their third parties’ cloud infrastructure attack vector
- A comparison of third parties based on their cloud rating
- A more accurate overall Cyber Posture Rating
Want to learn more about Panorays’ new cloud category? Schedule a demo today.
