Maryanne Baines is a renowned expert in cloud technology, with a distinguished career evaluating cloud providers and their infrastructures. Her vast experience gives her unique insights into the complexities of cloud security, making her the ideal person to discuss the recent findings from Tenable’s 2025 Cloud Security Risk Report. This report outlines critical issues in data exposure and misconfigurations that can lead to significant security threats. Let’s dive into the insights Maryanne has to offer on these topics.
What are the main findings of Tenable’s 2025 Cloud Security Risk Report?
The report highlights some alarming trends. It shows that 9% of publicly accessible cloud storage contains sensitive data, which is a significant risk. Of this data, 97% is classified as restricted or confidential. This includes a range of sensitive information like API keys, access keys, encryption keys, tokens, traditional usernames, and passwords. The report paints a picture of widespread vulnerability across cloud platforms, emphasizing misconfigurations and the reliance on outdated security measures as core issues.
How prevalent is the storage of sensitive data in publicly accessible cloud storage, according to the report?
The report indicates that nearly 9% of publicly accessible cloud storage contains sensitive data. This is particularly concerning because such exposure creates a substantial risk for unauthorized access. Organizations may underestimate this prevalence due to misconfigured settings or lack of awareness about their data’s accessibility.
What types of sensitive data are identified as being at risk in these cloud storage environments?
The types of sensitive data at risk are quite varied and include crucial elements like API keys, encryption keys, access keys, and tokens, along with traditional access credentials such as usernames and passwords. These are vital components that, if compromised, can allow malicious entities to gain unauthorized access to critical systems and data.
How do organizations typically store secrets like API keys and encryption keys in AWS services?
The report pointed out that more than half of organizations store at least one secret directly in AWS Elastic Container Service (ECS) task definitions, which is a fairly common practice. Unfortunately, while convenient, this method can be a major vulnerability if not managed properly, as it provides an easy target for attackers. Moreover, about 3.5% of all AWS EC2 instances have secrets in their user data, which highlights a significant cloud security risk.
What percentage of AWS Elastic Compute Cloud (EC2) instances contain secrets in user data?
According to the report, 3.5% of AWS EC2 instances have secrets embedded in their user data. This practice is inherently risky because it can lead to unintended exposure if not carefully controlled and regularly audited.
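The two storage habits just described, credentials in ECS task definition environment variables and in EC2 user data, are both things a defender can check for before deployment. The following Python is an added example, not code from the report or from the interviewee: it scans a constructed task definition and a constructed user-data script for credential-looking values, and moves flagged variables into the task definition's `secrets` field, where ECS resolves them from a secret store by ARN at launch instead of carrying the value in the definition. The name keywords, the CVSS-free regex rules and the secret ARN prefix are assumptions chosen for the example; the access key shown is the AWS documentation placeholder, not a real credential.

```python
import re

# Heuristics for this example: variable names that usually hold a credential,
# and the AWS access key ID format.
KEYWORD = re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key|access[_-]?key)")
AKIA = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Rules applied line by line to free-form text such as EC2 user data.
SECRET_PATTERNS = {
    "aws_access_key_id": AKIA,
    "keyword_assignment": re.compile(
        r"(?i)(password|passwd|secret|token|api[_-]?key|access[_-]?key)\s*[=:]\s*\S+"),
}

# Constructed ECS task definition (not from the report). The first container
# carries credentials in plain 'environment' entries; the second references a
# secret by ARN through 'secrets', which is the hardened form.
TASK_DEFINITION = {
    "family": "example-api",
    "containerDefinitions": [
        {
            "name": "api-bad",
            "image": "example/api:1.0",
            "environment": [
                {"name": "DB_PASSWORD", "value": "hunter2-plaintext"},
                {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
            ],
        },
        {
            "name": "api-good",
            "image": "example/api:1.0",
            "secrets": [
                {"name": "DB_PASSWORD",
                 "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-password-EXAMPLE"},
            ],
        },
    ],
}

# Constructed EC2 user-data script with two embedded credentials.
USER_DATA = """#!/bin/bash
export API_TOKEN=tok_constructed_0123456789abcdef
aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE
echo "bootstrap complete"
"""


def scan_task_definition(task_def):
    """Return (container, variable) pairs whose plain environment entry looks like a credential."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        for var in container.get("environment", []):
            name, value = var.get("name", ""), var.get("value", "")
            if KEYWORD.search(name) or AKIA.search(value):
                findings.append((container["name"], name))
    return findings


def scan_user_data(user_data):
    """Return (line number, rule) pairs for lines of a user-data script that match a rule."""
    findings = []
    for lineno, line in enumerate(user_data.splitlines(), 1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, rule))
    return findings


def harden_container(container, secret_arn_prefix):
    """Move flagged environment variables into 'secrets' entries that reference a
    secret by ARN. The secret itself must be created in the store out of band;
    the ARN prefix here is a constructed placeholder."""
    hardened = dict(container)
    keep, secrets = [], list(container.get("secrets", []))
    for var in container.get("environment", []):
        if KEYWORD.search(var.get("name", "")) or AKIA.search(var.get("value", "")):
            secrets.append({"name": var["name"],
                            "valueFrom": secret_arn_prefix + var["name"].lower()})
        else:
            keep.append(var)
    hardened["environment"] = keep
    hardened["secrets"] = secrets
    return hardened


if __name__ == "__main__":
    print("task definition:", scan_task_definition(TASK_DEFINITION))
    print("user data:", scan_user_data(USER_DATA))
    fixed = harden_container(TASK_DEFINITION["containerDefinitions"][0],
                             "arn:aws:secretsmanager:us-east-1:123456789012:secret:")
    print("after hardening:", scan_task_definition({"containerDefinitions": [fixed]}))
```

Against real accounts the same functions would be fed the output of `describe_task_definition` and `describe_instance_attribute` (user data is base64 in that response), but the detection logic is independent of how the input is fetched. A regex scanner only finds what it has a pattern for, so it complements, rather than replaces, a policy that forbids plaintext credentials in definitions.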
Can you explain why using Identity Providers (IdPs) alone does not completely eliminate identity-based threats?
Using Identity Providers is an important step in managing cloud identities, but they aren’t a comprehensive solution. The report found that while 83% of AWS organizations use IdPs effectively, identity-based threats persist. This is largely due to factors like overly permissive default settings, excessive entitlements, and permanent permissions that are not regularly reviewed. These gaps can be exploited despite the presence of IdPs.
What were the exposure rates for cloud users on Google Cloud Platform (GCP) Cloud Run and Microsoft Azure Logic Apps, as mentioned in the report?
The exposure rates are quite concerning. The report notes that 52% of users on GCP Cloud Run have some level of exposure, and for Microsoft Azure Logic Apps workflows, it’s 31%. These statistics point to a significant number of organizations potentially at risk due to existing vulnerabilities within these platforms.
What is the ‘toxic cloud trilogy,’ and why is it considered a significant risk?
The ‘toxic cloud trilogy’ is a term used in the report to describe a combination of factors that create severe vulnerabilities in cloud environments: a workload that is publicly exposed, critically vulnerable, and highly privileged. Although the number of organizations in this situation has decreased from 38% to 29% over the past year, it remains a critical risk factor. When these three elements coexist, they form an ideal target for attackers looking to exploit cloud infrastructures.
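Because the trilogy is a conjunction of three conditions, breaking any one of them removes the workload from the worst category, which makes it a natural triage rule. The Python below is an added example, not code from the report or the interviewee: it evaluates constructed workload records against the three conditions and orders them for remediation, worst first. The CVSS threshold for "critically vulnerable" and the definition of "highly privileged" (a wildcard IAM action or `iam:PassRole`) are assumptions made for the example; the workloads and their scores are constructed sample data.

```python
from dataclasses import dataclass

CRITICAL_CVSS = 9.0  # threshold assumed for this example


@dataclass(frozen=True)
class Workload:
    name: str
    public_ports: frozenset   # ports reachable from the internet (0.0.0.0/0)
    max_cvss: float           # highest CVSS base score among unpatched findings
    iam_actions: frozenset    # IAM actions granted to the workload's role


def is_publicly_exposed(w):
    return len(w.public_ports) > 0


def is_critically_vulnerable(w):
    return w.max_cvss >= CRITICAL_CVSS


def is_highly_privileged(w):
    # Assumption for this example: a wildcard action or the ability to pass
    # roles to other services counts as high privilege.
    return any(a == "*" or a.endswith(":*") or a == "iam:PassRole" for a in w.iam_actions)


CONDITIONS = {
    "publicly_exposed": is_publicly_exposed,
    "critically_vulnerable": is_critically_vulnerable,
    "highly_privileged": is_highly_privileged,
}


def classify(w):
    """Return the set of trilogy conditions a workload meets."""
    return {name for name, check in CONDITIONS.items() if check(w)}


def toxic_workloads(workloads):
    """Names of workloads meeting all three conditions, i.e. the toxic trilogy."""
    return sorted(w.name for w in workloads if len(classify(w)) == len(CONDITIONS))


def prioritize(workloads):
    """Order workloads for remediation: most conditions met first, then highest CVSS."""
    return sorted(workloads, key=lambda w: (-len(classify(w)), -w.max_cvss))


# Constructed sample inventory; only the first record meets all three conditions.
WORKLOADS = [
    Workload("web-frontend", frozenset({443}), 9.8, frozenset({"s3:*"})),
    Workload("batch-worker", frozenset(), 9.8, frozenset({"iam:PassRole", "ecs:RunTask"})),
    Workload("public-api", frozenset({443}), 5.3, frozenset({"*"})),
    Workload("static-site", frozenset({80, 443}), 9.1, frozenset({"s3:GetObject"})),
    Workload("internal-tool", frozenset(), 4.0, frozenset({"logs:PutLogEvents"})),
]

if __name__ == "__main__":
    for w in prioritize(WORKLOADS):
        print(f"{w.name:14} {sorted(classify(w))}")
    print("toxic:", toxic_workloads(WORKLOADS))
```

The ordering makes the remediation choice explicit: for `web-frontend`, patching, closing the port, or trimming the role each breaks the trilogy, and the cheapest of the three can be done first while the others are scheduled.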
Based on the report, what factors contribute to the exposure of sensitive data and secrets in the cloud?
Several factors play into this. The report cites misconfigured access settings and overly permissive policies as significant contributors. Additionally, there’s an issue with privilege elevation by developers—actions meant to be temporary but often become permanent. Inadequate monitoring and the overconfidence in obscure storage bucket URLs for security also play a role. These issues highlight the lack of thorough security practices in place to safeguard sensitive information.
How do misconfigured access settings and overly permissive policies lead to security vulnerabilities?
Misconfigurations often arise from a lack of strict policies or improper implementation. Overly permissive settings mean that more people or scripts can access critical data than necessary. This can be a gold mine for attackers who exploit these vulnerabilities to gain access and move laterally across systems, leading to potential data breaches or exploitation.
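"Overly permissive" has a concrete shape in IAM JSON: wildcard actions, wildcard resources, `iam:PassRole` without a scoped resource, and, for the storage buckets discussed earlier, an unconditioned `Principal: "*"` that makes the bucket public. The Python below is an added example, not code from the report or the interviewee: a small linter that flags those patterns in constructed policy documents, shown next to the scoped versions that pass. Account IDs, bucket and role names are placeholders; the rule set is the author's assumption of a useful minimum, not an exhaustive policy checker.

```python
import json


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action):
    return action == "*" or action.endswith(":*")


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (and the list forms of each)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def lint_policy(policy):
    """Return (statement index, rule) pairs for Allow statements that are too broad."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((idx, "allow_with_notaction"))
        if any(_is_wildcard_action(a) for a in actions):
            findings.append((idx, "wildcard_action"))
        if "*" in resources:
            findings.append((idx, "wildcard_resource"))
        if "iam:PassRole" in actions and "*" in resources:
            findings.append((idx, "unscoped_passrole"))
        if _is_public_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append((idx, "public_principal"))
    return findings


# Constructed identity policy: full S3 and PassRole on everything.
PERMISSIVE_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
}

# Same intent, scoped to one bucket and one role, and PassRole limited to ECS tasks.
SCOPED_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/example-task-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    ],
}

# Constructed bucket policies: the first makes every object world-readable.
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-reports-bucket/*"}],
}
SCOPED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-reader"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-reports-bucket/*"}],
}

if __name__ == "__main__":
    for label, doc in [("permissive identity", PERMISSIVE_IDENTITY_POLICY),
                       ("scoped identity", SCOPED_IDENTITY_POLICY),
                       ("public bucket", PUBLIC_BUCKET_POLICY),
                       ("scoped bucket", SCOPED_BUCKET_POLICY)]:
        print(f"{label}: {lint_policy(json.loads(json.dumps(doc)))}")
```

Run in a pipeline, the function takes the policy documents an account's IAM or bucket-policy API returns and fails the build or opens a ticket on any finding; the scoped examples show that the legitimate use case survives the tightening.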
What are some common mistakes or oversights by developers that contribute to privilege elevation risks?
Developers might sometimes elevate privileges for convenience during debugging or development phases without reverting those changes. These oversights can lead to vulnerabilities as elevated privileges become a standard state rather than a temporary method of addressing issues. This kind of privilege elevation should be closely monitored to ensure it doesn’t lead to long-term risks.
How do inconsistent access policies and overlapping roles play a part in flawed permission structures?
When access policies are inconsistent and roles overlap, it creates confusion about who should access what resources. This lack of clarity can lead to permissions that are either too broad or incorrectly applied, increasing the risk of unauthorized access. Consistent and well-defined permission structures are vital to prevent these vulnerabilities.
What are the limitations of manual monitoring in cloud security?
Manual monitoring can be limiting due to its labor-intensive nature and the potential for human error. As cloud environments grow more complex, relying solely on manual processes can lead to delays in identifying and responding to threats. Automated systems, on the other hand, can provide faster and more accurate detection, essential for effective cloud security management.
Why might organizations mistakenly believe that obscure storage bucket URLs provide sufficient security?
This belief stems from a misconception that obscurity equates to security. Many organizations think that because a URL isn’t easily guessable, it is secure. However, this fails to account for automated scanning tools used by attackers, which can easily discover these URLs, leading to potential data exposure.
According to Ari Eitan, what actions should security teams take to address these security gaps?
Eitan emphasizes the need for security teams to gain full visibility across their cloud environments. They should prioritize and automate remediation efforts to prevent threats from escalating. This proactive approach is crucial for effectively managing risks in dynamic cloud infrastructures.
Why is continuous, proactive risk management important in cloud security rather than relying on reactive measures?
The cloud landscape is in constant flux, with new vulnerabilities emerging regularly. Reactive measures are often too slow to address threats effectively. Continuous, proactive risk management enables organizations to anticipate potential risks and handle them before they escalate into significant problems. This strategy can significantly enhance an organization’s resilience against threats.