The Tenable Cloud Risk Report 2024 says almost four in 10 organizations have a cloud workload that is publicly exposed, critically vulnerable, and highly privileged.
Tenable, the exposure management company, has released the Tenable Cloud Risk Report 2024, highlighting that organizations globally and in the Asia Pacific (APAC) region are unknowingly exposed to the “toxic cloud triad,” a trifecta of cloud security risks that could lead to severe data breaches and financial losses.
The report is based on extensive analysis of data gathered from billions of cloud assets across multiple public cloud environments.
The data collected during the first half of 2024 (January to June) includes a comprehensive set of cloud workload and configuration information from real-world cloud assets in active production.
The Toxic Cloud Triad
With the rapid adoption of cloud technology across industries in APAC, the report underscores the challenges posed by misconfigurations, excessive permissions, and critical vulnerabilities that open doors to threat actors.
The findings reveal that 38% of organizations have at least one publicly exposed, critically vulnerable, and highly privileged cloud workload, forming the toxic cloud triad.
“Any organization that collects, maintains, and processes data, regardless of size or industry, is at risk of a breach if data is not secured properly,” said Nigel Ng, Senior Vice President, Tenable APJ. “The toxic cloud triad is the perfect storm for cyber threats. Public exposure opens the door to unauthorized access, while critical vulnerabilities give attackers a way in. Once inside, excessive privileges allow them to escalate their control and potentially take over key systems.”
Additional key findings from Tenable’s Cloud Research team include:
- 84% of organizations have risky access keys to cloud resources: The majority of organizations (84.2%) possess unused or longstanding access keys with critical or high severity excessive permissions, a significant security gap that poses substantial risk.
- 23% of cloud identities have critical or high severity excessive permissions: Analysis of Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure reveals that 23% of cloud identities, both human and non-human, have critical or high severity excessive permissions.
- Critical vulnerabilities persist: Notably, CVE-2024-21626, a severe container escape vulnerability that could lead to compromise of the server host, remained unremediated in over 80% of workloads even 40 days after its publication.
- 74% of organizations have publicly exposed storage: 74% of organizations have publicly exposed storage assets, including those in which sensitive data resides. This exposure, often due to unnecessary or excessive permissions, has been linked to increased ransomware attacks.
- 78% of organizations have publicly accessible Kubernetes API servers: Of these, 41% also allow inbound internet access. Additionally, 58% of organizations have cluster-admin role bindings — which means that certain users have unrestricted control over all the Kubernetes environments.
Mitigating cloud risks
To combat these risks, Tenable suggests several strategies for companies to adopt:
- Enhance cloud visibility: Utilize cloud security platforms that provide unified visibility across all workloads. Identifying and prioritizing toxic combinations of risks such as public exposure combined with critical vulnerabilities and excessive permissions is crucial.
- Implement least privilege access: Regularly audit and limit access to cloud resources based on the principle of least privilege. Rotate access keys frequently and remove those that are no longer in use to reduce the likelihood of credential misuse.
- Patch critical vulnerabilities: Prioritize the remediation of high-risk vulnerabilities, such as CVE-2024-21626, and ensure that critical workloads are regularly updated to minimize exposure.
- Close public exposure gaps: Review and correct misconfigurations that lead to the unintentional exposure of public cloud assets. Ensure that only the essential assets are exposed to external networks.
“The toxic cloud triad is preventable, but firms need to take proactive steps. By improving visibility, limiting privileges, and patching vulnerabilities, businesses in APAC can significantly reduce their cloud security risks. Failing to address these issues has historically resulted in catastrophic breaches in the past, and should not be ignored,” Nigel Ng said.
Methodology
The Tenable Cloud Risk Report 2024 findings are based on a comprehensive analysis of data gathered from billions of cloud assets across multiple public cloud environments, all scanned using the Tenable Cloud Security platform.
The dataset, collected during the first half of 2024, includes cloud workload and configuration information from real-world assets in active production. It covers cloud environments from leading providers, including Amazon Web Services, Microsoft Azure, and Google Cloud Platform (GCP).
The analysis focused on identifying critical security risks, such as public exposure, vulnerabilities, and excessive permissions, to provide actionable insights for organizations looking to strengthen their cloud security posture.