Tenable Cloud Risk Report 2024: APAC Businesses Exposed to “Toxic Cloud Triad”
Almost 4 in 10 Organisations Have a Cloud Workload That Is Publicly Exposed, Critically Vulnerable, and Highly Privileged
Tenable®, the exposure management company, has released the “Tenable Cloud Risk Report 2024” highlighting that organisations globally and in the Asia Pacific (APAC) region are unknowingly exposed to the “toxic cloud triad,” a trifecta of cloud security risks that could lead to severe data breaches and financial losses.
The “Tenable Cloud Risk Report 2024” is based on extensive analysis of data gathered from billions of cloud assets across multiple public cloud environments. The data, collected during the first half of 2024 (January to June), includes a comprehensive set of cloud workload and configuration information from real-world cloud assets in active production.
The Toxic Cloud Triad
With the rapid adoption of cloud technology across industries in APAC, the “Tenable Cloud Risk Report 2024” underscores the challenges posed by misconfigurations, excessive permissions, and critical vulnerabilities that open doors to threat actors. The findings reveal that 38% of organisations have at least one publicly exposed, critically vulnerable, and highly privileged cloud workload, forming the toxic cloud triad.
“Any organisation that collects, maintains, and processes data, regardless of size or industry, is at risk of a breach if data is not secured properly,” said Nigel Ng, Senior Vice President at Tenable APJ, about the findings of the “Tenable Cloud Risk Report 2024.”
He added: “The toxic cloud triad is the perfect storm for cyber threats. Public exposure opens the door to unauthorised access, while critical vulnerabilities give attackers a way in. Once inside, excessive privileges allow them to escalate their control and potentially take over key systems.”
Tenable Cloud Risk Report 2024 Key Findings
Additional key findings from Tenable’s Cloud Research team include:
- 84% of organisations have risky access keys to cloud resources. The majority of organisations (84.2%) possess unused or longstanding access keys with critical or high severity excessive permissions, a significant security gap that poses substantial risk.
- 23% of cloud identities have critical or high severity excessive permissions. Analysis of Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure reveals that 23% of cloud identities, both human and non-human, have critical or high severity excessive permissions.
- Critical vulnerabilities persist. Notably, CVE-2024-21626, a severe container escape vulnerability that could lead to compromise of the server host, remained unremediated in over 80% of workloads even 40 days after its publication.
- 74% of organisations have publicly exposed storage. 74% of organisations have publicly exposed storage assets, including those in which sensitive data resides. This exposure, often due to unnecessary or excessive permissions, has been linked to increased ransomware attacks.
- 78% of organisations have publicly accessible Kubernetes API servers. Of these, 41% also allow inbound internet access. Additionally, 58% of organisations have cluster-admin role bindings, which means that certain users have unrestricted control over all the Kubernetes environments.
Mitigating Cloud Risks
To combat these risks, Tenable suggests in the “Tenable Cloud Risk Report 2024” several strategies for companies to adopt:
- Enhance cloud visibility. Utilise cloud security platforms that provide unified visibility across all workloads. Identifying and prioritising toxic combinations of risks such as public exposure combined with critical vulnerabilities and excessive permissions is crucial.
- Implement least privilege access. Regularly audit and limit access to cloud resources based on the principle of least privilege. Rotate access keys frequently and remove those that are no longer in use to reduce the likelihood of credential misuse.
- Patch critical vulnerabilities. Prioritise the remediation of high-risk vulnerabilities, such as CVE-2024-21626, and ensure that critical workloads are regularly updated to minimise exposure.
- Close public exposure gaps. Review and correct misconfigurations that lead to the unintentional exposure of public cloud assets. Ensure that only the essential assets are exposed to external networks.
Regarding the “Tenable Cloud Risk Report 2024”, Ng further stated: “The toxic cloud triad is preventable, but firms need to take proactive steps. By improving visibility, limiting privileges, and patching vulnerabilities, businesses in APAC can significantly reduce their cloud security risks. Failing to address these issues has historically resulted in catastrophic breaches in the past and should not be ignored.”