Cloud Security (CS)

Asset Exposure Score Computation

The cloud exposure score is based solely on the severity of findings detected on an asset. The severity of findings is dynamically determined in the Tenable Cloud Security product based on the asset, related assets features, and the features of misconfigurations found on an asset.

Severities are determined by several features, including:

  • Ports open to the internet on an asset

  • The severity of vulnerabilities detected

  • The privileges and permissions to other assets

Scored Resource Types

Tenable One assigns Asset Exposure Scores to assets within the following categories:

  • Virtual machines (e.g. EC2 instances, EC2 launch templates)

  • Container repositories and clusters (e.g. ECR repository)

  • Storage buckets (e.g. S3 buckets)

Asset Criticality Rating

ACR is not calculated for cloud assets. When an asset such as an EC2 instance is scanned with other sensors (for example, Nessus), then Tenable One takes the ACR from other exposure classes (mainly VM). ACR does not influence the AES.

Enhancements

Enhancements to Tenable Cloud Security scoring include:

  • Dynamic severities take into account the context of an asset and related assets resulting in a more complete view of the exposure

  • Tenable significantly reduced the number of cloud resource types that receive an Asset Exposure Score, resulting in a less diluted and more actionable Cyber Exposure Score.

Frequently Asked Questions

  • Q: Will the publicly accessible assets have a higher Asset Exposure Score score than assets that are not publicly available, even if they have the same vulnerabilities?

    • A: Yes. The severity of findings on a publicly available asset is higher and the fact that an asset is publicly available is detected as an additional finding, which increases the AES.

  • Q: What impact does Asset Criticality Rating have on exposure scores?

    • A: ACR has no impact on AES. The severity of findings used in the calculations already depend on asset details such as public/internet exposure or high level privileges.

  • Q: How many resource types receive an AES?

    • A: Currently, 15 resource types across three cloud providers (AWS, Azure, GCP) receive Asset Exposure Scores. The resources belong to three categories: virtual machines, docker containers, and storage.