The surge in cloud adoption for infrastructure and services by enterprises has introduced new layers of complexity and risk. According to the Datadog State of Cloud Security 2024 report, one area that poses a significant threat is the management of long-lived credentials within cloud environments. As organizations increasingly rely on platforms like AWS, Azure, and Google Cloud, outdated and unmanaged credentials have become a critical vulnerability. These long-lived credentials, which do not expire automatically, are particularly susceptible to unauthorized access in the event of a compromise.
Moreover, these obsolete credentials are often embedded within various assets, including source code and container images, where, once forgotten, they create numerous opportunities for leaks or accidental exposure. The Datadog report provides alarming figures: around 46% of organizations still maintain unmanaged users with long-lived credentials. More specifically, access keys over a year old are present in 62% of Google Cloud service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications. Despite existing cloud security tools and the increasing adoption of automated security rules known as cloud guardrails, such outdated credentials remain a glaring security blind spot.
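The "over a year old" figure above is something you can measure in your own account. The following is an added example (not code from the Datadog report): a check that flags active IAM access keys older than 365 days, working over records shaped like boto3's AccessKeyMetadata entries. The sample records and key IDs are constructed so it runs offline; the collect_from_aws() helper is an assumed wrapper for feeding it real data and needs boto3 and credentials.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 365  # the "over a year old" threshold cited in the report


def stale_active_keys(keys, now=None, max_age_days=MAX_AGE_DAYS):
    """Return (UserName, AccessKeyId, age_days), oldest first, for Active keys
    older than max_age_days. Records follow boto3's AccessKeyMetadata shape.
    Inactive keys are skipped: they cannot be used, though deleting them is still good hygiene."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for key in keys:
        created = key["CreateDate"]
        if created.tzinfo is None:  # boto3 returns aware datetimes; be defensive anyway
            created = created.replace(tzinfo=timezone.utc)
        if key["Status"] == "Active" and created < cutoff:
            findings.append((key["UserName"], key["AccessKeyId"], (now - created).days))
    return sorted(findings, key=lambda f: -f[2])


def collect_from_aws():
    """Assumed helper: pull every IAM user's keys via boto3 (needs credentials)."""
    import boto3  # lazy import so the offline check runs without it installed
    iam = boto3.client("iam")
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            keys.extend(iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"])
    return keys


# Constructed sample standing in for the IAM API response (not real key IDs).
NOW = datetime(2024, 10, 24, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=800)},
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=900)},
    {"UserName": "analyst", "AccessKeyId": "AKIAEXAMPLE00000003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=30)},
    {"UserName": "legacy-app", "AccessKeyId": "AKIAEXAMPLE00000004", "Status": "Active",
     "CreateDate": NOW - timedelta(days=366)},
]

if __name__ == "__main__":
    for user, key_id, age in stale_active_keys(SAMPLE_KEYS, now=NOW):
        print(f"{user}: {key_id} is {age} days old; rotate or remove it")
```

A key exactly 365 days old is not flagged, matching the report's "over a year" wording; pass a smaller max_age_days to enforce a tighter rotation policy.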
Challenges in Managing Cloud Security
In addition to outdated credentials, the Datadog report highlights the broad reach of overly permissive configurations within cloud ecosystems. These configurations pose a significant threat by granting excessive permissions that can be exploited if a cloud workload is breached. For instance, some 18% of AWS EC2 instances and 33% of Google Cloud VMs are configured with sensitive permissions. Such permissions could potentially allow an attacker to gain further access within the compromised environment, presenting opportunities to steal additional credentials and expand their reach.
Third-party integrations compound these security risks further. Cloud environments often leverage multiple third-party services, and the report found that more than 10% of these integrations held risky cloud permissions. In some cases, they entirely lacked the enforcement of External IDs, leaving them exposed to confused deputy attacks. These are particularly concerning because they exploit trust relationships to gain unauthorized access, amplifying the risk landscape significantly.
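The External ID gap mentioned above is visible in a role's trust policy. As an added example (not the report's code), the check below walks an IAM AssumeRolePolicyDocument and lists cross-account principals allowed to call sts:AssumeRole without an sts:ExternalId condition. The account numbers, role documents and External ID value are constructed placeholders.

```python
# Assumed names; the two trust policies below are constructed samples.
VENDOR_ACCOUNT = "111111111111"   # hypothetical third-party integration account
OWN_ACCOUNT = "222222222222"      # hypothetical account that owns the role

WEAK_TRUST = {  # grants the vendor AssumeRole with no External ID: confused-deputy exposure
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
                   "Action": "sts:AssumeRole"}]}

HARDENED_TRUST = {  # same grant, but the vendor must present the agreed External ID
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
                   "Action": "sts:AssumeRole",
                   "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """'arn:aws:iam::123456789012:root' -> '123456789012'; bare account ids pass through."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def _has_external_id(stmt):
    cond = stmt.get("Condition", {})
    return any(k.lower() == "sts:externalid" and v
               for op in cond.values() for k, v in op.items())

def missing_external_id(trust_policy, own_account=OWN_ACCOUNT):
    """Return the external principals that may assume this role without an External ID.
    Only Allow statements granting sts:AssumeRole to an AWS principal outside own_account count."""
    exposed = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if (p == "*" or _account_of(p) != own_account) and not _has_external_id(stmt):
                exposed.append(p)
    return exposed

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST), ("hardened", HARDENED_TRUST)):
        print(name, "exposes:", missing_external_id(policy) or "nothing")
```

Run it over each role's trust document (for example from iam.get_role) to find integrations that the report describes as lacking External ID enforcement.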
Despite advancements in cloud security tools and methodologies, the reliance on outdated long-lived credentials remains a critical issue. While notable progress has been made, such as 79% of Amazon S3 buckets now having public access blocks enabled, the security vulnerabilities posed by long-lived credentials persist. These vulnerabilities not only provide an entry point for attackers but also facilitate their lateral movement within the target systems, making the attack harder to detect and mitigate.
Importance of Modern Authentication Mechanisms
The Datadog report notably underscores the need for modern authentication mechanisms to counter these threats effectively. One significant recommendation is leveraging short-lived credentials instead of long-lived ones. Short-lived credentials significantly reduce the time window available for potential attackers to exploit them, thereby enhancing overall security. Implementing such mechanisms can significantly mitigate the risks associated with credential leaks or accidental exposures.
Actively monitoring API changes within cloud environments is another critical aspect of robust cloud security. By keeping a vigilant eye on changes, organizations can detect and respond to potential threats in a timely manner. Andrew Krug, Head of Security Advocacy at Datadog, emphasized the unrealistic expectations surrounding the secure management of long-lived credentials. He pointed out that most cloud security incidents stem from compromised credentials, suggesting that advanced automated solutions for credential management should become a priority.
Ultimately, organizations need to adopt better security practices and continuously update their strategies to cope with evolving threats. This includes integrating automated solutions that enforce security best practices and ensure timely expiration and rotation of credentials. Reducing the reliance on long-lived credentials through automation and tighter permissions are necessary steps to protect sensitive data effectively.