19

  Identity and Access Management Qualys found poor implementation levels of IAM in all three major providers: Multifactor authentication: AWS isn’t enabled for 44% of IAM users with console passwords. IAM Access Analyzer isn’t enabled in 96% of the accounts scanned by Qualys. In Azure, scans for enabling authentication and configuring client certificates within Azure App Service fail 97% of the time. Exposure of external-facing assets from leaky S3 buckets Qualys noted that a common mistake by users across the three platforms is public exposure of data: Qualys reported 31% of S3 buckets are publicly accessible. The misconfiguration of leaving public network access enabled was seen in 75% of the Azure databases.

  Research Eyes Misconfiguration Issues At Google, Amazon and Microsoft Cloud Qualys report looks at how misconfiguration issues on cloud service providers help attackers gain access.Cloud misconfiguration — incorrect control settings applied to both hardware and software elements in the cloud — are threat vectors that amplify the risk of data breaches.  A new report from cloud security vendor Qualys, authored by Travis Smith, vice president of the company’s Threat Research Unit lifts the lid on risk factors for three major cloud service providers. Smith wrote that Qualys researchers, analyzing misconfiguration issues at Amazon Web Services, Microsoft Azure and Google Cloud Platform, found that within Azure, 99% of the disks are either not encrypted or aren’t using customer-managed keys that give users control of encryption keys that protect data in software as a service applications.