Amitai Cohen

Amitai is a Threat Researcher at Wiz, where he investigates cloud threats and works to advance research and detection methodology. Amitai is an experienced cyber threat intelligence analyst and writer who enjoys contemplating philosophy of science, marveling at new technology and gadgets, and appreciating video games.


Session

07-25
16:45
45min
We built a community cloud vulnerability database, now what?
Alon Schindel, Amitai Cohen

The shared responsibility model is broken! In the pre-cloud era, the responsibility for security was fully in the hands of the users. Multiple recent cloud vulnerabilities, such as ChaosDB and ExtraReplica, revealed that the current cloud model isn’t sufficient.

Companies are unable to keep up with cloud complexity, while vendors and cloud providers do not provide clear identification, tracking or severity for vulnerabilities discovered in their platforms. Moreover, there is an inherent lack of transparency, as cloud providers do not share full details of the exposure, impact and mitigation steps of vulnerabilities discovered in their platforms.

In the past year we initiated a community effort that started with characterizing the gaps in the current model and continued with building a new community-based cloud vulnerabilities database. We will share our insights from this process along with the learnings of the Wiz Research team from the disclosure process of multiple unprecedented vulnerabilities in Azure, AWS and GCP.

We will review the weaknesses of the cloud that the new central database unveils, and present novel findings about the security impact that results from the lack of a cloud vulnerability model. We will make the case for extending the current CVE model to be more cloud-friendly, as the current model is broken, and call on everyone to join the movement for change.

BoF session
Room 2/3