Introduction
Most IT Security teams are used to scanning on-premise assets for vulnerabilities using tools from vendors such as Tenable, Qualys, and Rapid7, to name but a few. These are tools they are familiar with, but they may meet with varying levels of success when pointed at the cloud.
From what we have seen, the appetite for organisations to utilise cloud assets continues to grow. That means IT Security teams need to reflect on how to manage the risks when it comes to the cloud for vulnerability management, malware detection, and compliance in cloud environments.
This blog post is targeted at those organisations focusing now on their cloud security strategy.
Read more in our blog: Vulnerability scanning vs penetration testing
So, let’s start with the basics.
How Cloud Assets are Different
A cloud provider already holds and maintains a complete inventory of everything you have: how many machines there are, which images they boot from, which machines are internet accessible, what each privileged user account can do, and so on.
For on-premise assets, this information is either hard to get or not available. You may also need separate tooling to gather firewall rules or to work out potential attack paths.
- Complete asset list available – This is hard for on-premise assets to retrieve, but easy for the cloud.
- Ephemeral nature – Cloud assets can appear and disappear quickly (say a vulnerable server starts up, completes a task, then shuts down after 10 minutes).
- Additional data sources – Other available data that is not vulnerability-based but still affects security, such as network configuration and user configuration.
Top differences with a cloud-native scanner:
- The system scans snapshots of machines, so the scanner never interacts with the running machine (so it cannot disrupt the workload).
- The cloud scanner also looks for malware in the snapshot.
- There is no need for agents.
- Un-encrypted data files can be scanned for PII and other sensitive data.
- Cloud-native workloads that are not associated with a VM can be scanned.
- The scanner has access to network topology, firewall rules, routing tables etc. so can build attack paths and prioritise issues.
- Many compliance frameworks can be applied and verified.
- The scanner can ask the cloud provider for a complete list of assets to ensure that nothing is missed.
What most companies do to start
Most of our customers start using the same scanning tools they are familiar with and install agents on the cloud-based assets. There are several reasons for this, the most important being that this is the only way to catch ephemeral assets.
There are several issues with using agents, specifically:
- Nobody likes installing extra software.
- Not looking at the full data set available (i.e. some assets are missed).

How Scanning Cloud Assets is different
Use of Side Scanning
When a machine starts, the scanner asks the cloud platform to create a snapshot of the running image. This snapshot is a frozen disk and memory copy of the running machine.
The machine continues to run as normal, completely unaffected by this process, which leaves the scanner with a full copy of the VM to investigate.
This means that a scanner can look at the static image and analyse it completely asynchronously from the running machine.
The scanner then looks within the VM snapshot for issues.
As the scanner is not running within the VM, you don’t get OS compatibility issues, and there is no impact (or testing needed) on the running applications.
Scanning Cloud assets for Vulnerabilities
The scanner can look through the filesystem of the snapshot and check the versions of the installed packages and binaries. It can also see which processes were running, and can therefore report the vulnerabilities it finds.
Malware Scan
Most sophisticated malware will hide itself on a system by making changes to the Kernel. For example, some malware modifies the Kernel function for “Give me a list of running processes” to exclude itself, making detection difficult for EDR tools.
Because the snapshot is being examined externally, the “adjusted” Kernel is not being used, allowing a scanner to easily detect the malware.
For this reason, most good tools also perform a malware scan.
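The detection the previous paragraphs describe is a cross-view comparison: the process list the guest kernel reports (which a kernel-level hook can filter) is compared with the task list reconstructed from the snapshot, which the guest's kernel never touched. The following is an added example and not code from the original post or from any product it mentions; the `ps` output and the snapshot task list are constructed samples, and the scratch-directory and "(deleted)" heuristics are the author's own additions.

```python
import re

# Constructed sample: what the guest's own kernel reports via `ps`.
# A hooked kernel can leave its own process out of this view.
PS_OUTPUT_FROM_GUEST = """\
  PID CMD
    1 /sbin/init
  412 /usr/sbin/sshd
  933 /usr/bin/nginx
"""

# Constructed sample: the task list walked from the memory snapshot outside
# the guest, so kernel hooks inside the guest do not apply to it.
TASKS_FROM_SNAPSHOT = [
    {"pid": 1, "comm": "init", "exe": "/sbin/init"},
    {"pid": 412, "comm": "sshd", "exe": "/usr/sbin/sshd"},
    {"pid": 933, "comm": "nginx", "exe": "/usr/bin/nginx"},
    # Hypothetical hidden task: masquerading name, binary in a scratch dir, unlinked from disk
    {"pid": 1408, "comm": "kworker/u", "exe": "/dev/shm/.x (deleted)"},
]

# Directories from which a legitimate long-running service rarely executes (assumption)
SUSPICIOUS_EXE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def parse_ps(text):
    """Map PID -> command from `ps`-style output, skipping the header line."""
    pids = {}
    for line in text.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if m:
            pids[int(m.group(1))] = m.group(2)
    return pids


def cross_view_hidden(ps_text, snapshot_tasks):
    """Tasks present in the snapshot's task list but absent from the guest's own view."""
    visible = parse_ps(ps_text)
    return [t for t in snapshot_tasks if t["pid"] not in visible]


def suspicious_binaries(snapshot_tasks):
    """Tasks whose executable lives in a scratch directory or was deleted from disk."""
    return [
        t for t in snapshot_tasks
        if t["exe"].startswith(SUSPICIOUS_EXE_DIRS) or t["exe"].endswith("(deleted)")
    ]


def malware_report(ps_text, snapshot_tasks):
    """Combine both checks into one list of (pid, reason) findings for the analyst."""
    findings = [(t["pid"], "hidden from guest process list") for t in cross_view_hidden(ps_text, snapshot_tasks)]
    findings += [(t["pid"], "suspicious executable path") for t in suspicious_binaries(snapshot_tasks)]
    return findings


if __name__ == "__main__":
    for pid, reason in malware_report(PS_OUTPUT_FROM_GUEST, TASKS_FROM_SNAPSHOT):
        print(f"PID {pid}: {reason}")
```

In a real scanner the snapshot-side task list comes from parsing the guest's kernel data structures in the memory image; here it is supplied directly so the comparison logic can be run on its own.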
Read more: What products we recommend for Scanning.
Looking for Secrets
All the disks on the system are also part of the snapshot, meaning that a scanner can search for sensitive data patterns. These patterns could include:
- Credit card numbers
- AWS/Azure/GCP secret keys
- US Social Security Numbers
- Name and address information
All data should be encrypted when stored at rest, to prevent exfiltration in the case of a breach. A good scanner will check for this.
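A pattern search over a mounted snapshot is more useful when each match is validated, otherwise card-number and SSN patterns produce a flood of false positives. The following is an added example, not code from the original post or from any scanner it names: the file contents are constructed, the AWS key is the example value from AWS's own documentation, and the card number is a standard test number. The Luhn check and the SSN plausibility rules (area not 000, 666 or 900 and above; group and serial not zero) are the validation a practitioner would add.

```python
import re

# Constructed sample: file contents as they might be read from a mounted snapshot
SAMPLE_FILES = {
    "/home/app/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_PASS=hunter2\n",
    "/var/log/orders.log": (
        "order 1001 card=4111111111111111 ok\n"
        "order 1002 card=4111111111111112 declined\n"   # fails Luhn, should not be reported
    ),
    "/srv/hr/export.csv": "name,ssn\nJane Doe,123-45-6789\nBad Row,000-12-3456\n",
}

# AWS long-term access key ids start with AKIA followed by 16 upper-case alphanumerics
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
CARD_RE = re.compile(r"\b\d{13,16}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject SSN-shaped strings that cannot be issued numbers."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def scan_for_secrets(files):
    """Return (path, kind, value) for every validated match across the given files."""
    findings = []
    for path, text in files.items():
        for m in AWS_KEY_RE.finditer(text):
            findings.append((path, "aws_access_key", m.group(0)))
        for m in CARD_RE.finditer(text):
            if luhn_ok(m.group(0)):
                findings.append((path, "card_number", m.group(0)))
        for m in SSN_RE.finditer(text):
            if ssn_plausible(*m.groups()):
                findings.append((path, "ssn", m.group(0)))
    return findings


if __name__ == "__main__":
    for path, kind, value in scan_for_secrets(SAMPLE_FILES):
        # Mask the value in the report; the finding's location is what the owner needs
        print(f"{path}: {kind} ending in ...{value[-4:]}")
```

The report masks the matched values: a secrets scanner that copies full card numbers or keys into its own findings database creates a second store of sensitive data to protect.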
Docker Images
Just as an operating system can have vulnerabilities, a Docker container can also have security issues. It is possible to have a Docker container running old, vulnerable Linux and application versions.
While scanning the disks, a scanner should also inspect Docker images for vulnerabilities.
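Both the host filesystem check described under "Scanning Cloud assets for Vulnerabilities" and the Docker image check here come down to the same routine: read the package database from a root filesystem and compare installed versions against advisories. The following is an added example that serves both passages; it is not code from the original post or from any product named. The host filesystem, the image layers, and the advisory list (with placeholder ids, not real CVEs) are constructed, and the version ordering is a simplification of dpkg's rules that is adequate for these samples but not a replacement for the real algorithm.

```python
import re

# Constructed sample: files read from a mounted host snapshot (Ubuntu-style layout)
HOST_ROOTFS = {
    "/etc/os-release": 'ID=ubuntu\nVERSION_ID="22.04"\n',
    "/var/lib/dpkg/status": (
        "Package: openssl\nStatus: install ok installed\nVersion: 3.0.2-0ubuntu1.10\n\n"
        "Package: libc6\nStatus: install ok installed\nVersion: 2.35-0ubuntu3.4\n\n"
        "Package: oldtool\nStatus: deinstall ok config-files\nVersion: 0.9-1\n\n"
    ),
}

# Constructed sample: a container image's layers, lowest first. A ".wh.<name>"
# entry is an overlay whiteout that removes the lower layer's file from the merged view.
IMAGE_LAYERS = [
    {
        "/etc/os-release": 'ID=debian\nVERSION_ID="11"\n',
        "/var/lib/dpkg/status": "Package: openssl\nStatus: install ok installed\nVersion: 1.1.1n-0+deb11u3\n\n",
        "/app/.env": "leftover build secret",
    },
    {"/app/.wh..env": "", "/app/server.py": "print('hi')"},
]

# Constructed advisory data; ids are placeholders, not real identifiers
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "distro": "ubuntu", "package": "openssl", "fixed_in": "3.0.2-0ubuntu1.12"},
    {"id": "ADV-PLACEHOLDER-2", "distro": "ubuntu", "package": "libc6", "fixed_in": "2.35-0ubuntu3.4"},
    {"id": "ADV-PLACEHOLDER-3", "distro": "debian", "package": "openssl", "fixed_in": "1.1.1n-0+deb11u5"},
]


def merge_layers(layers):
    """Flatten image layers the way an overlay filesystem would, honouring whiteouts."""
    merged = {}
    for layer in layers:
        for path, content in layer.items():
            directory, name = path.rsplit("/", 1)
            if name.startswith(".wh."):
                merged.pop(directory + "/" + name[len(".wh."):], None)
            else:
                merged[path] = content
    return merged


def os_id(rootfs):
    m = re.search(r"^ID=(\S+)", rootfs.get("/etc/os-release", ""), re.M)
    return m.group(1) if m else "unknown"


def installed_packages(rootfs):
    """Parse /var/lib/dpkg/status stanzas into {package: version}, installed ones only."""
    pkgs = {}
    for stanza in rootfs.get("/var/lib/dpkg/status", "").strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Status", "").endswith(" installed") and "Package" in fields:
            pkgs[fields["Package"]] = fields["Version"]
    return pkgs


def version_key(version):
    """Simplified dpkg-style ordering: alternate numeric and text runs, numerics compared as ints."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|\D+", version)]


def find_vulnerabilities(rootfs):
    """Advisory ids whose package is installed at a version older than the fix."""
    distro, pkgs = os_id(rootfs), installed_packages(rootfs)
    return [
        a["id"] for a in ADVISORIES
        if a["distro"] == distro and a["package"] in pkgs
        and version_key(pkgs[a["package"]]) < version_key(a["fixed_in"])
    ]


if __name__ == "__main__":
    print("host:", find_vulnerabilities(HOST_ROOTFS))
    print("image:", find_vulnerabilities(merge_layers(IMAGE_LAYERS)))
```

Note that the merged image view no longer contains `/app/.env`, but the lower layer still does: a scanner that only inspects the flattened filesystem misses secrets that were deleted in a later layer yet still ship inside the image.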
Network Configuration
Cloud providers offer information about system access, including private IP, public IP, routing, and firewall configurations. A scanner can use this data to perform compliance tests.
User Configuration
Like network configuration, user accounts can be analysed for compliance. A scanner can check for misconfigurations such as privileged accounts without 2FA enabled.
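The network and user configuration data the last two sections describe is also what lets a scanner prioritise: a vulnerable machine reachable from the internet outranks the same vulnerability on a machine that is not. The following is an added example, not code from the original post or from any scanner it names; the security groups, instances, IAM users and advisory ids are all constructed, and the severity tiers are the author's own simplification.

```python
import ipaddress

# Constructed cloud inventory: security group rules, instances, and identities
SECURITY_GROUPS = {
    "sg-web": [{"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"}],
    "sg-admin": [{"proto": "tcp", "port": 22, "cidr": "0.0.0.0/0"}],
    "sg-internal": [{"proto": "tcp", "port": 22, "cidr": "10.0.0.0/8"}],
}
INSTANCES = [
    {"id": "i-web", "public_ip": "203.0.113.10", "sgs": ["sg-web"], "vulns": ["ADV-PLACEHOLDER-1"]},
    {"id": "i-bastion", "public_ip": "203.0.113.11", "sgs": ["sg-admin"], "vulns": []},
    {"id": "i-db", "public_ip": None, "sgs": ["sg-internal"], "vulns": ["ADV-PLACEHOLDER-1"]},
]
IAM_USERS = [
    {"name": "alice", "policies": ["AdministratorAccess"], "mfa": True},
    {"name": "deploy-bot", "policies": ["AdministratorAccess"], "mfa": False},
    {"name": "bob", "policies": ["ReadOnlyAccess"], "mfa": False},
]

ADMIN_PORTS = {22, 3389}                 # SSH and RDP
PRIVILEGED = {"AdministratorAccess"}     # policies treated as privileged (assumption)


def internet_exposed_ports(instance):
    """Ports reachable from anywhere: a public IP plus a rule whose source is the whole internet."""
    ports = set()
    if not instance["public_ip"]:
        return ports
    for sg in instance["sgs"]:
        for rule in SECURITY_GROUPS.get(sg, []):
            if ipaddress.ip_network(rule["cidr"]).prefixlen == 0:
                ports.add(rule["port"])
    return ports


def network_findings():
    """Compliance check: administrative ports must not be open to the internet."""
    out = []
    for inst in INSTANCES:
        open_admin = internet_exposed_ports(inst) & ADMIN_PORTS
        if open_admin:
            out.append((inst["id"], "admin port open to the internet", sorted(open_admin)))
    return out


def prioritised_vulns():
    """Rank vulnerable instances with the internet-reachable ones first."""
    ranked = []
    for inst in INSTANCES:
        if inst["vulns"]:
            tier = "high" if internet_exposed_ports(inst) else "medium"
            ranked.append((tier, inst["id"], inst["vulns"]))
    return sorted(ranked)  # "high" sorts before "medium"


def user_findings():
    """Compliance check: privileged identities must have MFA enabled."""
    return [u["name"] for u in IAM_USERS if set(u["policies"]) & PRIVILEGED and not u["mfa"]]


if __name__ == "__main__":
    print(network_findings())
    print(prioritised_vulns())
    print(user_findings())
```

With real provider data the same structure applies: the asset inventory, security group rules and identity configuration come from the provider's API, and the vulnerability list comes from the snapshot scan.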

Our Recommendation
There are two main leaders in this space, along with some other close contenders.
Option 1: Orca
When performing vulnerability management within cloud environments, most tools take a traditional approach of running code within the environment that they want to scan. Orca Security approaches the problem in a completely different way.
The Orca Platform is the first cloud-native application protection platform (CNAPP), and it automatically links cloud risk detections in production with the development pipeline.
Cloud-native vulnerability management tools such as Orca Security have features that differentiate them from on-premise tools, for example:
- Agentless Scanning via SideScanning: Orca scans cloud workloads without agents, so there is no performance impact and no missed assets.
- Real-Time Asset Discovery: Instant visibility into every workload, VM, container, and storage bucket across your cloud estate.
- Snapshot-Based Threat Detection: Inspects disk snapshots outside the running system to catch malware, misconfigurations, and hidden vulnerabilities.
- Multi-Cloud Coverage, One Platform: See risks across AWS, Azure, and GCP in a single, unified dashboard.
- Security Without the Blind Spots: No need to rely on installed agents that miss ephemeral or shadow assets.
Option 2: Wiz
Wiz is a great product and is like Orca in many ways; however, it has recently been purchased by Google. While it remains multi-platform, its best features may eventually be optimised for Google Cloud Platform (GCP). Google’s $34 billion purchase suggests that they aim to leverage Wiz to drive additional GCP revenue.
Next steps
Take advantage of a free consultation to see if Orca is the right fit for your cloud security needs.
Request a Free Orca Security Risk Assessment.
Let us know if you want a demo or a free consultation on Orca security.