More than one-third of cloud environments are critically exposed, says Tenable

The flaws

Overall, the study said, 74% of organizations had publicly exposed storage, some of which included sensitive data. The cause of this exposure was often unnecessary or excessive permissions. And, it said, “as organizations ramp up their use of cloud-native applications so, too, does the amount of sensitive data they store there increase — including customer and employee information and business IP. Hackers are motivated to get at such cloud-stored data.”  Hence many of the reports of ransomware attacks targeting cloud storage during the reporting period aimed at public cloud resources with excessive access privileges and could have been prevented.

A breakdown of exposed storage telemetry revealed that 39% of organizations have public buckets, 29% have either public or private buckets with overprivileged access, and 6% have public buckets with overprivileged access.

Storage isn’t the only issue, however. A disturbing 84% of organizations have unused or longstanding access keys with critical or high severity excessive permissions, which, the study said, “have played major roles in numerous identity-based attacks and compromises.” It cited the MGM Resorts data breach, the Microsoft email hack, and the FBot malware targeting web servers, cloud services, and software-as-a-service, which achieves persistency and propagates on AWS via AWS IAM (identity and access management) users as three examples of how the keys could be abused.

“Core to IAM risks are access keys and their assigned permissions; combined, they are literally the keys to the kingdom of cloud-stored data,” it noted.

Add in the fact that 23% of cloud identities on the major hyperscalers (Amazon Web Services, Google Cloud Platform, and Microsoft Azure), both human and non-human, have critical or high severity excessive permissions, and you have a recipe for disaster.

This situation is in part down to human nature, according to Scott Young, principal advisory director at Info-Tech Research Group.