The Toxic Cloud Triad: The perfect storm for cyber threats
The toxic cloud triad is a trifecta of cloud security risks that could lead to severe data breaches and financial losses.
As organizations continue to move more workloads to the cloud, there are growing concerns about the risks that come with it. While businesses still store critical data on premises, using the cloud to build, run and test new applications could leave some of that data publicly exposed.
Cloud storage, for example, is becoming increasingly popular among businesses due to its scalability and seamless integration. However, 74% of organizations apparently still have publicly exposed storage assets, including those in which sensitive data resides, which can lead to increased ransomware attacks.
These are just some of the findings from Tenable’s Cloud Risk Report 2024. The findings of the report are based on a comprehensive analysis of data gathered from billions of cloud assets across multiple public cloud environments, all scanned using the Tenable Cloud Security platform.
According to the report, organizations globally and in the Asia Pacific are unknowingly exposed to the “toxic cloud triad,” a trifecta of cloud security risks that could lead to severe data breaches and financial losses. These risks continue to pose challenges as businesses struggle to cope with misconfigurations, excessive permissions, and critical vulnerabilities.
With rapid cloud adoption, these challenges can open doors to threat actors. The findings from the report reveal that 38% of organizations have at least one publicly exposed, critically vulnerable, and highly privileged cloud workload, forming the toxic cloud triad.
Nigel Ng, Senior Vice President at Tenable APJ, believes that the toxic cloud triad is the perfect storm for cyber threats.
“Any organization that collects, maintains, and processes data, regardless of size or industry, is at risk of a breach if data is not secured properly. Public exposure opens the door to unauthorized access, while critical vulnerabilities give attackers a way in. Once inside, excessive privileges allow them to escalate their control and potentially take over key systems,” said Ng.
Findings from the report also showed that 84.2% of organizations possess unused or longstanding access keys with critical or high severity excessive permissions. This is a significant security gap that poses substantial risk.
With AWS, Google Cloud and Azure being the most popular cloud service providers in APAC, the research also revealed that 23% of cloud identities on these platforms, whether human or non-human, have critical or high severity excessive permissions.
One vulnerability that persists is CVE-2024-21626, a severe container escape vulnerability that could lead to compromise of the server host. More concerning is the fact that this vulnerability was not remediated in over 80% of workloads even 40 days after its publication.
At the same time, findings revealed that 78% of organizations have publicly accessible Kubernetes API servers. Of these, 41% allow inbound internet access while 58% of organizations have cluster-admin role bindings. This means that certain users have unrestricted control over all the Kubernetes environments.
Mitigating cloud risks
With the toxic cloud triad bringing more risks to organizations, Tenable suggests that companies adopt strategies that can mitigate the problem. This includes having enhanced cloud visibility to identify and prioritize toxic combinations of risks such as public exposure combined with critical vulnerabilities and excessive permissions.
Organizations also need to regularly audit and limit access to cloud resources based on the principle of least privilege. Rotate access keys frequently and remove those that are no longer in use to reduce the likelihood of credential misuse. Apart from that, organizations need to review and correct misconfigurations that lead to the unintentional exposure of public cloud assets.
Most importantly, businesses need to patch critical vulnerabilities. By prioritizing the remediation of high-risk vulnerabilities, such as CVE-2024-21626, organizations can ensure that critical workloads are regularly updated to minimize exposure.
“The toxic cloud triad is preventable, but firms need to take proactive steps. By improving visibility, limiting privileges, and patching vulnerabilities, businesses in APAC can significantly reduce their cloud security risks. Failing to address these issues has historically resulted in catastrophic breaches in the past, and should not be ignored,” added Ng.