URL: https://orca.security/resources/blog/sys-all-google-kubernetes-engine-risk-example/

Published: Jan 24, 2024


HOW THE SYS:ALL LOOPHOLE ALLOWED US TO PENETRATE GKE CLUSTERS IN PRODUCTION

Ofir Yakobi
Reading time: 8 Minutes

Following our discovery of a critical loophole in Google Kubernetes Engine (GKE),
dubbed Sys:All, we decided to research the real-world impact of this issue. Our
initial probe already revealed over a thousand vulnerable GKE clusters in which
administrators had configured RBAC bindings that left the system:authenticated
group overprivileged, potentially allowing any Google account holder to access
and control these clusters.

GKE, unlike the other major managed Kubernetes services offered by CSPs such as
AWS and Azure, defaults to standard IAM for cluster authentication and
authorization. Because the Kubernetes API server therefore grants some access to
any Google credentials, every Google user, including those outside the
organization, is a member of GKE’s system:authenticated group. Since the scope
of this group is easily misunderstood, administrators can unknowingly assign it
too many privileges and leave the GKE cluster wide open.

In this article, we delve into how widespread this issue actually is. Through a
series of scans on publicly available GKE clusters, we uncovered a spectrum of
data exposures with real-world consequences for numerous organizations. We will
discuss the nature of these exposures and the range of sensitive information
that could be compromised. Our story will show tangible examples of exploitation
paths, and give practical recommendations for securing GKE clusters against
these threats.


EXECUTIVE SUMMARY:

 * We discovered numerous organizations with significant misconfigurations of
   the system:authenticated group across various GKE clusters, leaving them
   vulnerable to the Sys:All loophole discovered by Orca.
 * These misconfigurations led to the exposure of various sensitive data types,
   including JWT tokens, GCP API keys, AWS keys, Google OAuth credentials, and
   private keys.
 * A notable example involved a publicly traded company where this
   misconfiguration resulted in extensive unauthorized access, potentially
   leading to system-wide security breaches.
 * This study highlights the critical need for stringent security protocols in
   cloud environments to prevent similar occurrences.
 * A Threat Briefing detailing how an attacker could abuse this GKE security
   loophole, as well as recommendations on how to protect your clusters, will be
   held on January 26th at 11 pm Pacific Time.


TECHNICAL EXPLOITATION OVERVIEW

Our research set out to assess how many GKE clusters were exposed to the
Sys:All loophole by inspecting clusters in a known CIDR range. We specifically
targeted clusters that had custom roles assigned to the system:authenticated
group. Our scans identified over a thousand clusters with varying degrees of
exposure due to these custom role assignments.

To probe these clusters, we developed a Python script that used a generic
Google authentication token (obtained through the OAuth 2.0 Playground),
available to any Google user. The script interacted with the Kubernetes API of
these clusters with the aim of extracting potentially sensitive information. We
targeted data points such as configuration maps (ConfigMaps), Kubernetes
secrets, service account details, and other critical operational data. We also
attempted to associate these clusters with their respective organizations, to
uncover the broader impact of these misconfigurations and who the affected
owners were.

We then ran Orca Secret-Detector on the retrieved data to identify and match
known secret patterns and regexes that could allow further lateral movement
within the organization’s environment.


This part was crucial in understanding the real implications of these security
misconfigurations, particularly in the context of potential exploitation by
unauthorized entities. Through this comprehensive technical examination, we
gained deepened insights into the prevalence and severity of security
shortcomings within these GKE clusters.


HOW WE ACCESSED GKE CLUSTERS OF A NASDAQ LISTED COMPANY

Our investigation led to a stark discovery: exploitable GKE clusters belonging
to a NASDAQ-listed company. A seemingly innocuous misconfiguration of the
system:authenticated group had far-reaching implications, such as allowing
anyone to list and pull images from the company’s container registries and
providing open access to AWS credentials stored within a cluster’s ConfigMap
(alongside other sensitive data). With these credentials, we gained access to
S3 buckets containing a range of sensitive information and logs that, upon
further analysis, revealed system admin credentials and multiple valuable
endpoints, including RabbitMQ, Elastic, an authentication server and an
internal system, all with administrator access.

Here’s a step-by-step account of how this misconfiguration enabled us to move
laterally within the company’s digital infrastructure:

 1. Initial Access: The misconfigured GKE clusters granted cluster-admin
    permissions to the system:authenticated group, allowing us (with any Google
    user account) to query multiple valuable resources through the Kubernetes
    API, including ConfigMap resources, and inspect them.
    
    It is important to note that Google blocks the binding of the
    system:authenticated group to the cluster-admin role in newer GKE versions
    (1.28 and up). We would like to emphasize that even though this is an
    improvement, it still leaves many other roles and permissions (other than
    cluster-admin) that can be assigned to the system:authenticated group.

 2. AWS Credential Exposure: Embedded within a bash script, we found an AWS
    access key and secret with broad S3 permissions. This was a serious lapse
    in security practices, and it led to the exposure of further credentials
    and sensitive data.

 3. Bucket Content Examination: Using the exposed AWS credentials, we could list
    and download the contents of several S3 buckets. Among these were log files
    with detailed operational data.
 4. Sensitive Information Discovery: The logs contained administrator
    credentials for various systems, including an internal platform used by
    their customers. Critically, URLs to important internal services such as
    ElasticSearch and RabbitMQ were also found, accompanied by superuser
    privileges.

 5. Potential for Further Lateral Movement: With admin credentials and service
    URLs in hand, a malicious actor could potentially access these systems,
    extract or manipulate sensitive data, disrupt services, or even move further
    into the network.

After responsibly disclosing these findings to the affected company, we
collaborated with them to address the vulnerabilities. This involved tightening
IAM roles and permissions, securing S3 buckets, and implementing better
practices around ConfigMaps. As the secrets were embedded within bash scripts as
part of the Kubernetes configmaps, we advised and assisted in establishing
better practices. This involved removing sensitive data from scripts, using more
secure methods for managing secrets, and ensuring that configmaps were not
accessible to unauthorized users.

By addressing these areas, the company was able to significantly reduce the risk
of similar vulnerabilities in the future, enhancing the overall security of
their cloud infrastructure.


FINDINGS FROM OTHER EXPOSED GKE CLUSTERS

In our broader examination of GKE clusters, we uncovered a variety of sensitive
data exposures across multiple organizations, highlighting how extensive these
issues are:

 * Exposure of GCP API Keys and Service Account JSONs: We frequently came across
   GCP API keys and service account authentication JSON files left exposed.
   These elements are crucial for accessing GCP resources, and their exposure
   represents a significant security threat.
 * Discovery of Private Keys: Our scans also revealed private keys within these
   clusters. Such keys are essential for securing communications and data
   access, making their exposure a major security risk.
 * Access to Container Registries: We found numerous instances where credentials
   for various container registries were accessible. This allowed us to pull and
   run container images locally, a capability that could be abused to introduce
   malicious elements into containerized applications.

 * Access to Critical Services: Our findings included unauthorized access to
   Grafana dashboards, RabbitMQ message brokers, and ElasticSearch clusters in
   different organizations. Each of these services plays a critical role in
   operational monitoring, messaging, and data management, respectively. Gaining
   access to these services could lead to significant data breaches and
   operational disruptions.

Where possible, we notified the owners of the vulnerable GKE clusters, but it’s
not always possible to identify who owns a cluster. Therefore, we urge
organizations to follow the recommendations presented below.

The cumulative findings from our research painted a concerning picture of the
widespread nature of security lapses in cloud environments. From critical access
keys to operational data and infrastructure oversight, the diversity and depth
of the data exposed underscore the urgent need for robust security measures and
continuous monitoring in cloud environments.


RECOMMENDATIONS

This story is a real-world testament to the importance of rigorous security
configurations. For GKE users, it’s vital to review cluster permissions,
especially those of default groups such as system:authenticated. Organizations
must ensure that only necessary permissions are granted, following the
Principle of Least Privilege (PoLP), and that regular audits are conducted to
prevent such oversights.

Google has blocked the binding of the system:authenticated group to the
cluster-admin role in newer GKE versions (version 1.28 and up). However, it’s
important to note that this still leaves many other roles and permissions that
can be assigned to the group. This means that in addition to upgrading to GKE
version 1.28 or higher, the main way to block this attack vector is to strictly
follow the principle of least privilege. 
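One way to carry out the permission review recommended above, as an added example that is not part of the original post and not the Orca Platform's own check: a Python audit over the JSON from `kubectl get clusterrolebindings,rolebindings -A -o json` that flags every binding granting system:authenticated more than the read-only defaults upstream Kubernetes creates (system:basic-user, system:discovery, system:public-info-viewer), including the non-cluster-admin roles that the GKE 1.28 block does not cover. The sample input is constructed, and the binding and role names in it (dev-everyone-admin, cm-reader, configmap-reader) are assumed.

```python
"""Audit Kubernetes RBAC bindings for grants to the system:authenticated group.

Input: the JSON printed by `kubectl get clusterrolebindings,rolebindings -A -o json`.
On GKE that group contains every Google account, so any grant beyond the
read-only defaults that upstream Kubernetes creates is effectively public.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

GROUP = "system:authenticated"

# ClusterRoleBindings upstream Kubernetes creates for system:authenticated (API
# discovery and self-info only). Skipped only if they still point at the
# ClusterRole of the same name, so a default name cannot hide a changed roleRef.
DEFAULT_CLUSTER_BINDINGS = {"system:basic-user", "system:discovery",
                            "system:public-info-viewer"}

# Built-in roles that amount to full control of a cluster or a namespace.
HIGH_RISK_ROLES = {"cluster-admin", "admin", "edit"}


@dataclass(frozen=True)
class Finding:
    binding: str
    kind: str        # "ClusterRoleBinding" or "RoleBinding"
    namespace: str   # "" for cluster-scoped bindings
    role: str        # roleRef.name
    severity: str    # "critical", "high" or "review"


def classify(binding: dict) -> Optional[Finding]:
    """Return a Finding if the binding grants GROUP anything non-default."""
    subjects = binding.get("subjects") or []
    if not any(s.get("kind") == "Group" and s.get("name") == GROUP for s in subjects):
        return None
    kind = binding.get("kind", "")
    meta = binding.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    namespace = meta.get("namespace", "")
    role = binding.get("roleRef", {}).get("name", "")
    if kind == "ClusterRoleBinding" and name in DEFAULT_CLUSTER_BINDINGS and role == name:
        return None  # expected upstream default, unchanged
    if role == "cluster-admin":
        severity = "critical"  # the case described in the article
    elif role in HIGH_RISK_ROLES:
        severity = "high"
    else:
        severity = "review"    # custom role: check what it actually allows
    return Finding(name, kind, namespace, role, severity)


def audit(documents: Iterable[dict]) -> List[Finding]:
    """Audit kubectl JSON documents: v1 List objects or single bindings."""
    findings: List[Finding] = []
    for doc in documents:
        items = doc["items"] if doc.get("kind", "").endswith("List") else [doc]
        findings.extend(f for f in map(classify, items) if f is not None)
    return findings


def render(findings: List[Finding]) -> List[str]:
    """One report line per finding, most severe first."""
    order = {"critical": 0, "high": 1, "review": 2}
    lines = []
    for f in sorted(findings, key=lambda x: (order[x.severity], x.binding)):
        scope = f"namespace {f.namespace}" if f.namespace else "cluster-wide"
        lines.append(f"[{f.severity.upper()}] {f.kind} {f.binding}: "
                     f"{GROUP} -> {f.role} ({scope})")
    return lines


# Constructed sample, not output from a real cluster: two upstream defaults, a
# cluster-admin grant (the article's worst case) and a namespaced custom role
# that exposes ConfigMaps, where the article's AWS keys were found.
SAMPLE = json.loads("""
{"apiVersion": "v1", "kind": "List", "items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
  "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "system:discovery"},
  "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-everyone-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"kind": "RoleBinding", "metadata": {"name": "cm-reader", "namespace": "prod"},
  "roleRef": {"kind": "Role", "name": "configmap-reader"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]}
]}
""")

if __name__ == "__main__":
    for line in render(audit([SAMPLE])):
        print(line)
```

A binding rated review is not necessarily safe: the scans described above targeted custom roles bound to this group, so check what each referenced role actually allows.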

In addition, the Orca Platform now alerts on overprivileged system:authenticated
groups, alongside the other issues described above that we found in many cloud
environments.

The Orca Platform warns when the GKE system:authenticated group allows too much
access


ORCA IS HERE TO HELP

As cloud technologies grow more complex, the potential for misconfigurations
grows. But with diligence and proper security practices, these risks can be
mitigated. The Orca Research Pod will continue to research and share our
findings to contribute to safer cloud ecosystems. 

If you are ready to take your cloud security to the next level, schedule a
personal demo with one of our experts to see how we can help strengthen your
cloud environment.
