Move beyond chasing vulnerabilities to a unified hybrid risk strategy. The Sensor Workload Scanner is now GA and extends our risk prioritization engine to on-premises environments to identify the critical attack paths across your hybrid cloud.
# Best Practices: Unified Hybrid Cloud Security
## Overview
These practices address the "visibility gap" between on-premises infrastructure and cloud environments. By moving away from siloed vulnerability management toward a **Unified Risk Strategy**, organizations can identify complex attack paths that bridge local data centers and cloud platforms (e.g., a local secret providing admin access to a cloud tenant).
## Key Recommendations
### Immediate Actions
1. **Deploy Infrastructure Connectors:** Map your on-premises environment (vSphere, Kubernetes) via native APIs to gain an agentless view of your asset inventory and ESXi/cluster configurations.
2. **Identify "Hybrid Bridges":** Scan on-premises workloads for cloud credentials (AWS Access Keys, Azure Service Principals) that could allow lateral movement from local servers to cloud resources.
3. **Audit AI Workload Visibility:** Identify self-hosted AI models or agents running on-premises to ensure they are not exposing sensitive data via suspicious prompt activity.
### Short-term Improvements (1-3 months)
1. **Implement Sensor-based Workload Scanning (WLS):** Transition from legacy periodic scanning to continuous sensor-based scanning to detect vulnerabilities, malware, and misconfigurations in real-time.
2. **Converge Security Silos:** Integrate on-prem security signals into a single "Security Graph" to correlate host vulnerabilities with network exposure and identity permissions.
3. **Define Crown Jewels:** Map paths from internet-facing on-prem servers to sensitive data stores to prioritize remediation based on reachability rather than just CVSS scores.
### Long-term Strategy (3+ months)
1. **Adopt a Unified Security Operating Model:** Standardize security workflows so that the same prioritization engine and risk context are used for cloud-native, bare metal, and hybrid workloads.
2. **Automated Remediation Guardrails:** Integrate hybrid risk insights into CI/CD pipelines to prevent the deployment of workloads containing secrets or critical vulnerabilities across any environment.
## Implementation Guidance
### For Small Organizations
- Focus on **agentless connectors** first to gain visibility without the overhead of managing sensors.
- Use unified dashboards to allow a small team to manage both cloud and on-prem risks without switching tools.
### For Medium Organizations
- Deploy **Sensor Workload Scanners** on critical on-prem segments (e.g., clusters handling customer data).
- Prioritize fixing "High Reachability" vulnerabilities—those with a clear path to the internet—over high-volume, internal-only patches.
### For Large Enterprises
- Map **complex lateral movement paths** across multiple clouds and geo-distributed data centers.
- Integrate the Unified Risk engine with existing SOC/SIEM workflows to reduce "alert fatigue" by filtering out vulnerabilities that lack exploit context.
## Configuration Examples
* **Infrastructure Connection:** Connect vSphere via API to map VM relationships to the Security Graph.
* **WLS Deployment:** Install the Sensor Workload Scanner on Kubernetes nodes to monitor for:
  * Publicly exposed services.
  * Hardcoded secrets in configuration files.
  * Anomalous AI prompt activity (if running local LLMs).
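As an added illustration of the "Hybrid Bridges" check and the "hardcoded secrets in configuration files" item above (example code written for this page, not Wiz's scanner), the following script scans on-prem config files for cloud credentials and reports each hit with the value masked so the finding itself never re-leaks the secret. The file contents and credential values are constructed samples (the AWS pair is the well-known documentation dummy pair); the pattern set is a minimal assumption and should be treated as a triage signal, not proof of a live credential.

```python
import re

# Cloud credentials that commonly leak into on-prem config files (assumed, minimal set).
# AWS access key IDs have a fixed shape (AKIA.../ASIA...); secrets are unstructured,
# so they are located by their config key name instead.
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"),
    "azure_client_secret": re.compile(r"(?i)(?:azure_)?client_secret\s*[=:]\s*[\"']?([^\s\"']{8,})"),
}

# Constructed sample files standing in for an on-prem host's configuration.
SAMPLE_CONFIGS = {
    "app.env": "DB_HOST=10.0.0.5\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
               "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "azure.yaml": "tenant_id: 00000000-0000-0000-0000-000000000000\n"
                  "client_id: 11111111-1111-1111-1111-111111111111\n"
                  "client_secret: \"dummy-sp-secret-value-0123\"\n",
    "clean.conf": "listen=0.0.0.0:8080\nlog_level=info\n",
}


def mask(value):
    """Keep only a short prefix/suffix so a finding can be matched to a key without exposing it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(name, text):
    """Return (file, line_no, credential_kind, masked_value) for every credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                value = m.group(1) if rx.groups else m.group(0)
                findings.append((name, lineno, kind, mask(value)))
    return findings


def scan_all(configs):
    """Scan every config; any hit on an on-prem host is a candidate hybrid bridge to the cloud."""
    findings = []
    for name, text in configs.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for f in scan_all(SAMPLE_CONFIGS):
        print("HYBRID BRIDGE CANDIDATE: %s:%d %s %s" % f)
```

Pattern matching misses credentials stored in other formats and may flag look-alike strings, so treat each hit as a lead to confirm against the cloud tenant's identity inventory before acting on it.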
## Compliance Alignment
- **NIST SP 800-53/207:** Supports Zero Trust architecture by visualizing identity-based lateral movement.
- **CIS Benchmarks:** Aligns with host and hypervisor hardening (ESXi, Kubernetes).
- **ISO/IEC 27001:** Addresses asset management and vulnerability management requirements for hybrid scopes.
## Common Pitfalls to Avoid
- **Chasing "Ghost" Vulnerabilities:** Spending time patching high-severity vulnerabilities that are not actually reachable or exploitable in your specific network context.
- **Ignoring the Hybrid Gap:** Failing to check on-prem workloads for cloud secrets, which is a primary vector for modern lateral movement attacks.
- **Managing Siloed Tools:** Using different security stacks for on-prem and cloud, leading to blind spots where the two environments intersect.
## Resources
- **Wiz Sensor Workload Scanner (GA):** Documentation on unified risk prioritization.
- **Wiz Security Graph:** Framework for correlating cross-environment risks.
- **Hybrid Security Demo:** `https://www.wiz.io/events/wiz-demo-unified-risk-and-threat-coverage-for-hybrid-environments`