Provided as a part of the ImmuniWeb Community Edition, the online test rapidly detects unprotected cloud storage in AWS, Azure, GCP and 16 other public cloud service providers.
The ImmuniWeb Community Edition is a set of free online tools to verify application security, privacy and compliance, detect phishing, domain squatting and Dark Web exposure. The new free cloud security test enables cybersecurity and IT professionals to identify their organizations unprotected cloud storage in a simple and swift manner to prevent data leaks and security incidents.
Unprotected cloud storage disaster
Under a narrow set of circumstances, cloud storage, for example, AWS S3 buckets, may require public access to provide external users with public data such as images or videos. In reality, misconfigured and unprotected cloud storage is one of the most widespread causes of disastrous data leaks and breaches in a cloud environment.
The situation is exacerbated by the swift proliferation of small cloud providers that offer their own cloud storage services that have insecure settings by default. Given that countless organizations are migrating into a cloud without investing inadequate security training of their technical teams, they are sitting on a powder keg ready to explode.
Modern cloud storage services share similar weaknesses stemming from incorrect usage of access policies, excessive IAM permissions or even completely missing authorization mechanisms. Shadow cloud accounts or unknown cloud assets make the situation even more complex in a multi-cloud environment. Eventually, petabytes of confidential data are regularly found by security researchers and Black Hats in the wild, keeping CISOs and DPOs awake at night. Unsurprisingly, the IDC cloud security survey of 2021 reveals that 98% of companies experienced a cloud data breach within the past 18 months.
The new online test by ImmuniWeb aims to solve these challenges by providing cybersecurity and DevOps teams with a simple way to detect unprotected cloud storage, detect IAM misconfigurations, discover shadow cloud accounts and prevent cloud-related data leaks and breaches. To launch a test, just enter a URL of the main website of your company.
The free test shows you cloud storage that belongs or is attributable to your company. It also sheds light on other misconfigurations, such as missing SSL/TLS encryption.
The free test detects cloud storage from 19 cloud service providers, including AWS, Azure and GCP. You can see in the results the region or country where cloud data is stored for the purpose of compliance with GDPR or other national privacy laws and regulations.
The technology behind the test leverages OSINT, big data and smart prediction technology based on Machine Learning to discover unprotected cloud buckets belonging to your company. To prevent using its new tool for potentially malicious purposes, free registration and account validation are required to gather the URLs of your exposed cloud buckets. The tool is also equipped with a free API available after registration for DevOps and cybersecurity teams.
With ImmuniWeb’s cloud security test you don’t need to enter your cloud credentials, contrasted to most open-sourced or commercial cloud monitoring tools that require IAM credentials to enumerate your cloud assets and instances. Another feature is coverage of medium-sized cloud service providers, such as Oracle Cloud or IBM Cloud. Moreover, many regional players like SberCloud from Russia or Chinese Alibaba Cloud are also on the radar, helping organizations to detect regional cloud presence or shadow cloud accounts.
Ilia Kolochenko, Chief Architect & CEO at ImmuniWeb said: “Cloud providers, such as AWS, have a full spectrum of powerful tools and services that can instantly detect and automatically remediate misconfigurations in their cloud environments. Unfortunately, many organizations of all sizes struggle to properly implement Cloud Security Posture Management (CSPM) due to complexity or lack of technical skills.
Most of the existing commercial solutions and open-source tools also require a cloud IAM account to enumerate and then assess security of your cloud assets. Our flagship ImmuniWeb Discovery does not require your cloud credentials and leverages our proprietary discovery techniques to enumerate your cloud attack surface.
Today, to provide small businesses, universities and colleges, and municipal governments with a possibility to quickly detect their unprotected cloud storage, we are excited to enhance our free Community Edition with the new cloud security test. We will soon implement such features as free continuous monitoring and API to further simplify its usage and integration into existing CSPM and incident response processes. More exciting announcements are coming soon, please stay tuned.”
In order to get a comprehensive snapshot of your multi-cloud attack surface enhanced with a history of previous security incidents discoverable on the Dark Web, you may try ImmuniWeb Discovery that detects the full spectrum of publicly accessible cloud instances, APIs and services in over 50 public cloud environments.
Cloud security challenges surge in 2021
The Verizon Data Breach Investigations Report (DBIR) 2021 says that the number of cloud security breaches has surpassed the number of data breaches involving on-premise assets for the first time in Internet history.
In the meanwhile, organizations of all sizes rapidly migrate to a cloud environment. Gartner’s most recent cloud forecast says that public cloud services will grow 26.2% in 2021. Gartner also predicts that in 2025, over 99% of cloud breaches will be attributable to preventable misconfigurations or other mistakes made by cloud users, such as excessive permissions, weak API authentication, or publicly exposed cloud instances, storage or other resources with sensitive data.
Forrester likewise predicts growing challenges for compliance in a cloud environment, citing a critical vulnerability in Microsoft Azure’s Cosmos DB disclosed in August 2021 that is, however, not attributable to users’ negligence or misconfiguration.
To stay up to date on the latest, trends, innovations, people news and company updates within the global security market please register to receive our newsletter here.
Media contact
Rebecca Morpeth Spayne,
Editor, Security Portfolio
Tel: +44 (0) 1622 823 922
Email: [email protected]
