What is the GAO Cloud Security study?
The Office of Management and Budget and several other federal agencies have developed a set of security key practices to help agencies facilitate the adoption and use of cloud services while ensuring the security of their cloud-based systems. Recently, the Government Accountability Office (GAO) evaluated four agencies, the Departments of Agriculture, Homeland Security (DHS), Labor, and Treasury, and reported on the extent to which those agencies have implemented cloud security key practices.
What did GAO find?
The main gap identified by GAO was around continuous monitoring for risk in the cloud. The GAO found that the reviewed agencies only fully performed continuous monitoring for 20% of the systems they reviewed, the rest had only partial coverage. This leaves significant blind spots in their security posture, and drastically increases the potential for missed critical risks. The GAO noted that “until these agencies fully implement the cloud security key practices identified in federal policies and guidance, the confidentiality, integrity, and availability of agency information contained in these cloud systems is at increased risk.”
Pain points reported by reviewed agencies included operational overhead and lack of scalability in handling continuous monitoring manually. Agencies indicated the need for a solution that takes away the burden of manual monitoring and provides them with out-of-the-box continuous risk monitoring.
Continuous risk monitoring with Wiz
Wiz helps agencies continuously monitor for risk in the cloud with its Cloud Native Application Protection Platform (CNAPP), which continuously assesses risks across vulnerabilities, misconfigurations, identities, network, secrets, and malware, and removes the need for manual risk monitoring. Wiz enables agencies to confidently operate in the cloud while gaining complete visibility into risks in their cloud environment on a continuous basis, without any blind spots.
Vulnerabilities
Continuously identify threats in your environment with agentless vulnerability scanning. Wiz pulls in information from public vulnerability catalogs and leverages our Threat Research team to ensure you are protected against the next Log4j-style vulnerability.
Misconfigurations
Find misconfigurations across your cloud and workloads with over 1,400 built-in misconfiguration detection rules. On the cloud layer, identify misconfigurations such as an unencrypted database or a storage bucket with public read access. On the workload layer, assess your hosts against CIS STIG Benchmarks, or leverage our specific application misconfigurations built-in rules.Identity and network exposure
Identify public exposed cloud resources and identities with Wiz’s effective exposure analysis. Wiz uses its cloud-native network analysis engine to identify every object in your cloud environment that is exposed, by analyzing every network rule in network management services such as load balancers, firewalls, gateways, VPCs, subnets, and more in an effective way. Wiz also detects accidental exposure of resources via identity misconfigurations and enables you to quickly act and remediate.
Secrets
Detect exposed secrets in your workloads with agentless secret scanning. Understand how exposed secrets can lead to lateral movement paths in the environment and allow attacker to access your data or take over accounts.
Malware
Identify malicious software (malware) on your workloads using Wiz’s agentless workload scans, and eliminate any potential malware detected.
Remove alert fatigue with risk prioritization
Government agencies that use traditional security tools such as vulnerability scanning tools often face hundreds or thousands of alerts that make it challenging to focus on the most important risks. For example, vulnerability management tools alert on all vulnerabilities identified in the environment but lack the greater context around whether a vulnerability could actually be exploited by an attacker such as if it is publicly exposed. To address this challenge, Wiz empowers agencies to focus on the risks that matter by correlating all risks on the Wiz Security Graph to detect attack paths in an environment. This helps agencies prioritize remediation by first focusing on removing the risks that have the highest impact on the environment, for example resources Wiz verified to be publicly exposed. This prioritization and actionable context on the Wiz Security Graph enables agencies to proactively remove attack paths and ensure resiliency in their cloud environment.
Continuously assess and report on your compliance posture
In addition to continuous risk monitoring, Wiz also does continuous compliance assessment in your environment against industry standards. Assess and report on your host compliance posture against CIS Benchmarks including CIS Linux, Windows, and Red Hat STIG benchmarks. Leverage built-in compliance frameworks including NIST, MITRE, and FedRAMP, generate compliance reports, and investigate vulnerability findings and inventory with the click of a button.
Start now with Wiz’s continuous risk and compliance monitoring and stay confident you are following the recommended security best practices in the cloud. Learn more by visiting the Wiz for Government webpage. If you prefer a live demo, we would love to connect with you.
