New Report Details a Rising Toxic Cloud Trilogy of Vulnerabilities


Originally published by Tenable.

Written by Shai Morag.

Cloud computing has revolutionized the way businesses and individuals manage data, offering unparalleled scalability, flexibility and convenience.

But alongside the rise of the cloud, the cybersecurity community has been confronted with a new set of challenges, particularly those stemming from vulnerabilities in cloud services. The new Tenable Cloud Risk Report 2024 confirms these challenges and provides a detailed examination of vulnerabilities we call the “toxic cloud trilogy.”

This report is an urgent wake-up call for organizations worldwide to prioritize cloud security. In this post, we summarize the main points and offer some advice on how to utilize the data to build an effective cybersecurity program.

Why Tenable conducted this research

The Tenable Cloud Risk Report 2024 arose from a comprehensive study we created to understand the evolving cloud threat landscape. As organizations have migrated to cloud environments, securing those platforms has become more complex. Recognizing this, we had a few goals with the report:

  • Provide actionable insights for businesses leveraging cloud technologies.
  • Highlight emerging vulnerabilities and their potential impact on critical infrastructure.
  • Promote a deeper understanding of shared responsibilities between cloud providers and users.

We aimed to bridge the gap between awareness and action, giving stakeholders the tools and knowledge they need.

How the “toxic cloud trilogy” plays out

In the Tenable Cloud Risk Report 2024, we examine three critical factors that expose cloud workloads to significant threats, collectively known as the “toxic cloud trilogy.”

1. Critical vulnerabilities remained unremediated after 30 days

Cloud-based software often has flaws that attackers abuse to gain unauthorized access, enabling them to steal sensitive data or disrupt services. It might seem that published CVEs should be simple for cybersecurity teams to handle. But our study found that many high-risk vulnerabilities remained unremediated a month after the CVE was published.

So, why does it take so long?

In some cases, there are many cooks in the kitchen and “ownership” of the vulnerability might be unclear. With several teams involved—each with discrete tasks—such as vulnerability management, application security, DevSecOps, and so forth, there’s significant overhead.

Some organizations looking to save time might make things more complex when they try to “batch the patch”—essentially delaying the fix until every element is ready. The approach might make sense from a time management standpoint but it leaves a company vulnerable.

2. Excessive permissions are widespread

An alarming 87% of human identities in AWS have critical or high excessive permissions, giving attackers an unfettered route to target credentials. Identity and access management (IAM) is already a sensitive area and this excessive permissioning should raise the alert level for cloud security teams.

The key here is that we know about overprivileged human identities. They’re not clouded in mystery. They’re the central element in breaches based on application vulnerabilities and they’re all part of the same IAM system.

The Tenable Cloud Risk Report 2024 shows numerous instances of excessive permissions in both human and non-human identities. In addition, we saw that organizations grant human identities considerably more risky excessive permissions than their non-human counterparts. As we noted, excessive permissions within AWS were a significant issue (see the chart for the detail).

Human and non-human identity permissions in AWS

(Source: Tenable Cloud Risk Report 2024, October 2024)

The key question is this: Why are organizations more likely to assign excessive privileges to human identities? There are probably many reasons. Maybe a project manager saw an urgent business need but, after the need passed, the permissions weren’t downgraded. It’s also possible that developers lean toward programmatic, IAM role-based templates to define access for non-human identities.

We could probably rationalize any number of reasons. But there is an obvious lesson here. Leaders in security and IT should break down the silos between their IAM and security teams. They should be working closely together.

3. Public exposure provides an initial entry point for attackers

When you think of “public exposure,” an eager audience waiting for a performer to take the stage comes to mind. But with cloud infrastructure, there’s no stage or performance. It’s just databases, websites, email servers and other online services made available to external parties on public networks to help improve efficiency so everyone can get work done.

That carries significant risk, especially when an asset is made unintentionally public accompanied by excessive permissions or by a vulnerability — or both. And if the asset contains sensitive data, it’s many times worse.

Organizations should know whether an asset is configured as public (and why). Alongside that, for publicly exposed cloud storage, they need to be able to discover and classify sensitive data contained within that asset — including the people that can access it and how they use the data. This approach enables the prioritization of remediation measures.

In an era of alarming statistics, here are a couple more to add to your collection. Our research found that 96% of organizations have public-facing cloud assets and 29% of organizations have public-facing storage buckets.

With numbers like this, it’s critical to know if this exposure is due to a misconfiguration like overprivileged access. If it’s an oversight, business drivers like time-to-market might be to blame. Maybe there’s a lack of cloud security personnel. Or there might be a long-delayed need to implement guardrails, policies and visibility. Either way, organizations need context and tools to monitor and close exposures, and then downgrade to minimal permissions.
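As an added example (not from the report or the original post), the triage logic below shows how the three factors can be checked together over an asset inventory and how assets where all three co-occur, sensitive-data assets first, float to the top. The inventory, asset names and CVE ids are constructed placeholders; the 30-day threshold follows the remediation window the report uses.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Asset:
    name: str
    public: bool                   # reachable from a public network
    sensitive_data: bool           # classified as holding sensitive data
    excessive_permissions: bool    # an attached identity holds critical/high excess
    critical_cves: dict = field(default_factory=dict)  # cve id -> publish date


def overdue_cves(asset, today, sla_days=30):
    """Critical CVEs still open more than sla_days after publication."""
    return sorted(cve for cve, published in asset.critical_cves.items()
                  if (today - published).days > sla_days)


def trilogy_factors(asset, today):
    """Return the subset of the three 'toxic trilogy' factors present on an asset."""
    factors = set()
    if overdue_cves(asset, today):
        factors.add("unremediated_critical_vuln")
    if asset.excessive_permissions:
        factors.add("excessive_permissions")
    if asset.public:
        factors.add("public_exposure")
    return factors


def triage(assets, today):
    """Order assets by factor count; within a tier, sensitive-data assets come first."""
    scored = [(asset, trilogy_factors(asset, today)) for asset in assets]
    scored.sort(key=lambda item: (-len(item[1]), not item[0].sensitive_data, item[0].name))
    return [(a.name, len(f), a.sensitive_data) for a, f in scored]


# Constructed inventory; the CVE ids are placeholders, not real advisories.
TODAY = date(2024, 10, 15)
INVENTORY = [
    Asset("web-frontend", public=True, sensitive_data=False, excessive_permissions=True,
          critical_cves={"CVE-0000-00001": date(2024, 9, 1)}),
    Asset("customer-bucket", public=True, sensitive_data=True, excessive_permissions=True,
          critical_cves={"CVE-0000-00002": date(2024, 8, 20)}),
    Asset("batch-worker", public=False, sensitive_data=False, excessive_permissions=True,
          critical_cves={"CVE-0000-00003": date(2024, 10, 10)}),  # still inside the 30-day window
    Asset("internal-db", public=False, sensitive_data=True, excessive_permissions=False),
]

if __name__ == "__main__":
    for name, count, sensitive in triage(INVENTORY, TODAY):
        print(f"{name:16} factors={count} sensitive={sensitive}")
```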

Takeaways

The Tenable Cloud Risk Report 2024 identifies the root causes and structural issues that make cloud security more complex and challenging. Some of the central issues include:

  1. Shared responsibility: Cloud security requires close collaboration between providers and users to mitigate risks. Cloud providers must ensure their platforms are secure by design, while users must properly configure and manage their resources to prevent exposure.
  2. Proactive security: Organizations must prioritize regular audits to identify weaknesses, invest in employee training to prevent human errors, and develop robust incident response plans to minimize damage during breaches.
  3. Cost of neglect: Neglecting cloud vulnerabilities can lead to severe financial losses and reputational harm. On average, the cost of a data breach added up to $4.88 million in 2024, according to the IBM Cost of a Data Breach Report 2024 — an increase of 10% from the previous year, highlighting the steep price of inaction.

The report underscores the growing complexity of cloud security threats. By understanding and addressing the risk factors highlighted in the “toxic cloud trilogy,” organizations can protect their systems and data while continuing to reap the benefits of cloud technology.

The Tenable Cloud Risk Report 2024 is available for download here.


About the Author

Shai Morag is Tenable’s chief product officer, with more than 25 years of experience in product management, technology leadership and senior executive roles. He was formerly CEO of Ermetic, which Tenable acquired in 2023. Before Ermetic, Shai was CEO of Secdo and Integrity-Project. He also served for 10 years as an officer in the Israeli Defense Forces Intelligence Corps Unit 8200.
