Tenable published its “Tenable Cloud Risk Report 2024” in Brazil yesterday, a study that examines the critical risks present in cloud environments. The research is based on the analysis of information collected from billions of cloud assets across multiple public clouds, all scanned by the Tenable Cloud Security platform. The most alarming finding is that approximately 40% of organizations worldwide are increasingly exposed due to the “cloud toxic triad”: cloud workloads that are publicly exposed, critically vulnerable and highly privileged. Each of these three misalignments introduces risk to data in the cloud on its own, but the combination of the three dramatically increases the likelihood of exposure and gives attackers a path to gain access.
Security gaps caused by misconfigurations, dangerous rights, and vulnerabilities combine to further increase risk in the cloud. The Tenable Cloud Risk Report provides an in-depth analysis of the most pressing cloud security issues observed in the first half of 2024, highlighting areas such as identities and permissions, workloads, storage resources, vulnerabilities, containers, and Kubernetes. It also offers mitigation guidance for organizations looking for ways to limit cloud exposure.
Publicly exposed and highly privileged cloud data leads to data breaches, and critical vulnerabilities increase the likelihood of incidents. The report reveals that a staggering 38% of organizations have cloud workloads that meet all three of the cloud toxic triad criteria, representing a perfect storm of exposures for cyber attackers. When criminals exploit these gaps, incidents often include application outages, complete system takeovers and DDoS attacks, which are frequently associated with ransomware. Scenarios like these can devastate an organization, with the average cost of a single data breach in 2024 approaching $5 million.[1]
“As cyber exposures proliferate across the enterprise, enterprise risk has reached an unsustainable level. If before we needed to see to protect, now we need to manage to ensure,” says Arthur Capella, General Director of Tenable Brasil. “Understanding the toxic cloud triad and other toxic combinations, including knowing which data is at risk of being breached, is essential to effectively addressing the highest-priority exposures that have a high potential to cause business risk,” he added.
Other key findings from the report include:
- 84% of organizations have dangerous access keys to cloud resources: Most organizations (84.2%) have unused or old access keys with excessive critical or high severity permissions, a significant security gap that poses a material risk.
- 23% of cloud identities have critical or high severity excessive permissions: An analysis of Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure reveals that 23% of cloud identities, both human and non-human, have critical or high severity excessive permissions.
- Critical vulnerabilities persist: in particular, CVE-2024-21626, a serious container escape vulnerability that could lead to compromise of the server host, remained unaddressed in more than 80% of workloads even 40 days after its publication.
- 74% of organizations have publicly exposed storage: 74% of organizations have publicly exposed storage assets, including those where sensitive data resides. This exposure, often due to unnecessary or excessive permissions, has been linked to an increase in ransomware attacks.
- 78% of organizations have Kubernetes API servers that are publicly accessible: of these, 41% also allow inbound access via the Internet. Additionally, 58% of organizations have cluster administrator role bindings, meaning certain users have unfettered control over all Kubernetes environments.
“Our report reveals that an overwhelming number of organizations have access exposures in their cloud workloads that they may not even be aware of,” said Shai Morag, Chief Product Officer at Tenable. “It’s not always about criminals launching new attacks. In many cases, misconfigurations and excessively privileged access pose the greatest risk of data exposure in the cloud. The good news is that many of these security holes can be easily closed once they are known and discovered.”
How to protect yourself and apply mitigation strategies
Strategies for addressing and mitigating cloud risks span an organization’s security culture, technologies, and practices. The report’s findings point to common areas of weakness and, in some cases, self-perpetuating vulnerability. The actions listed below will help organizations overcome “toxic cloud triads” and other gaps and provide cloud security from a position of advantage:
- Create context-driven habits: Bring identity, vulnerability, misconfiguration and data risk information together in unified tools. This enables accurate visualization, context and prioritization of cloud security risk. Identifying toxic combinations can drastically reduce the risk.
- Closely manage access to Kubernetes/containers: Ensure that containers are configured as “privileged” only when absolutely necessary. Adopt Pod Security Standards, such as limiting privileged containers and enforcing access controls. As a principle:
  - Restrict inbound access to Kubernetes API servers and ensure that Kubelet settings disable anonymous authentication.
  - Review the cluster-admin role bindings, verify who uses them and whether they genuinely need the cluster-admin role, and whenever possible assign users to a role with lower privileges.
- Credentials and permissions management: Rotate credentials regularly, avoid using long-lived access keys and implement Just-in-Time access mechanisms. Regularly audit and adjust permissions so that human and non-human identities adhere to the principle of least privilege.
- Prioritize vulnerabilities: Focus remediation efforts on high-risk vulnerabilities, especially those with high Vulnerability Priority Rating (VPR) scores.
- Minimize exposure: Review public assets to ensure this exposure is necessary and does not compromise sensitive information or critical infrastructure. Keep track of patches and fixes.
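The Kubernetes and credential items in the list above can be checked mechanically. The following Python script is an added example written for this page; it is not code from Tenable or from the report. It audits constructed sample data (a document shaped like `kubectl get clusterrolebindings -o json`, two KubeletConfiguration fragments showing the weak setting beside the corrected one, and IAM-style access-key records with hypothetical user names and key IDs) for three of the conditions the list names: subjects bound to cluster-admin, kubelets that accept anonymous callers, and active access keys that are old, idle or never used. The 90-day and 30-day thresholds are assumptions chosen for the example, not figures from the report.

```python
import json
from datetime import datetime, timedelta, timezone

# --- 1. cluster-admin role bindings -----------------------------------------
# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
# Binding and subject names are hypothetical.
SAMPLE_CRB_JSON = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "ci-deployer-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "ci"}]},
    {"metadata": {"name": "dev-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]},
]})


def cluster_admin_subjects(crb_json):
    """Return (binding, subject kind, subject name) for every subject bound to
    cluster-admin. Each entry has unrestricted control of the cluster and must
    be justified or moved to a narrower role."""
    found = []
    for item in json.loads(crb_json)["items"]:
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for s in item.get("subjects") or []:
            name = s["name"]
            if s["kind"] == "ServiceAccount":  # namespace-qualify service accounts
                name = f'{s.get("namespace", "")}/{name}'
            found.append((item["metadata"]["name"], s["kind"], name))
    return found


# --- 2. Kubelet anonymous authentication ------------------------------------
# Constructed KubeletConfiguration fragments: weak setting beside corrected one.
KUBELET_WEAK = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1", "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"},
}
KUBELET_HARDENED = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1", "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
}


def kubelet_findings(cfg):
    """Return the kubelet settings that let unauthenticated callers reach the node API.
    Absent keys are treated as the config-file defaults (anonymous off, Webhook authz)."""
    findings = []
    if cfg.get("authentication", {}).get("anonymous", {}).get("enabled", False):
        findings.append("authentication.anonymous.enabled=true")
    if cfg.get("authorization", {}).get("mode", "Webhook") == "AlwaysAllow":
        findings.append("authorization.mode=AlwaysAllow")
    return findings


# --- 3. Long-lived or unused access keys ------------------------------------
# Constructed records shaped like IAM access-key metadata plus a last-used date.
# A fixed "now" keeps the results reproducible.
NOW = datetime(2024, 10, 10, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": "2023-01-15T00:00:00Z", "LastUsedDate": None},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": "2024-09-01T00:00:00Z", "LastUsedDate": "2024-10-09T00:00:00Z"},
    {"UserName": "legacy-etl", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
     "CreateDate": "2024-03-01T00:00:00Z", "LastUsedDate": "2024-04-01T00:00:00Z"},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Inactive",
     "CreateDate": "2022-01-01T00:00:00Z", "LastUsedDate": None},
]


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def risky_access_keys(keys, now=NOW, max_age_days=90, max_idle_days=30):
    """Flag active keys older than max_age_days (rotate) or idle/never used
    (remove). Inactive keys are skipped; thresholds are assumed values."""
    flagged = []
    for k in keys:
        if k["Status"] != "Active":
            continue
        reasons = []
        age = now - _parse(k["CreateDate"])
        if age > timedelta(days=max_age_days):
            reasons.append(f"age {age.days}d > {max_age_days}d")
        last = _parse(k["LastUsedDate"])
        if last is None:
            reasons.append("never used")
        elif now - last > timedelta(days=max_idle_days):
            reasons.append(f"idle {(now - last).days}d > {max_idle_days}d")
        if reasons:
            flagged.append((k["UserName"], k["AccessKeyId"], reasons))
    return flagged


if __name__ == "__main__":
    print("cluster-admin subjects:", cluster_admin_subjects(SAMPLE_CRB_JSON))
    print("weak kubelet:", kubelet_findings(KUBELET_WEAK))
    print("hardened kubelet:", kubelet_findings(KUBELET_HARDENED))
    print("risky keys:", risky_access_keys(SAMPLE_KEYS))
```

Against real data, feed `cluster_admin_subjects` the output of `kubectl get clusterrolebindings -o json`, load the kubelet's config file into `kubelet_findings`, and build the key records from the IAM access-key listing together with each key's last-used timestamp. The `system:masters` binding is expected on every cluster; the point of the check is the other entries, such as a CI service account that was granted cluster-admin for convenience.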
Tenable provides an actionable cloud security platform that helps companies quickly identify and close priority security gaps in their cloud infrastructure caused by misconfigurations, risky entitlements and vulnerabilities. Tenable’s technology helps organizations isolate and eradicate cloud exposures at scale across public, private and hybrid cloud environments, spanning infrastructure, workloads, identities and data, including through AI insights into access, resources and pools of data.
The report reflects the Tenable Cloud Research team’s findings based on telemetry from billions of cloud resources across multiple public clouds, analyzed from January 1 to June 30, 2024.
For more detailed information about the findings, access the link to the full report at: https://pt-br.tenable.com/cyber-exposure/tenable-cloud-risk-report-2024
See the original post at: CisoAdvisor