AI use sparks new security fears: Tenable
The report found that 70% of AI workloads across AWS, Azure and GCP contain at least one unremediated critical vulnerability, posing increased security risks for organisations in Singapore and Southeast Asia as AI adoption accelerates.
AI workloads, with their vast training datasets and model development processes, are an increasingly attractive target for threat actors. The study found that 77% of organisations using Google's Vertex AI Workbench had at least one notebook instance configured with an overprivileged default service account, which could allow privilege escalation and lateral movement across cloud environments.
These risks are increasingly top-of-mind for regulators across Southeast Asia. In Singapore, the Cybersecurity Act and Monetary Authority of Singapore's (MAS) Technology Risk Management Guidelines mandate stringent cloud and AI security controls. Indonesia's PP 71 and Otoritas Jasa Keuangan (OJK) regulations require secure cloud usage and local data storage for financial institutions, while Malaysia's Risk Management in Technology (RMiT) framework sets out strict cloud risk practices for banks. Thailand's Personal Data Protection Act (PDPA) and Bank of Thailand (BOT) guidelines emphasise access controls and transparency, and the Philippines' Data Privacy Act and Bangko Sentral ng Pilipinas (BSP) regulations call for data classification, strong authentication and robust third-party governance.
As these regulatory frameworks evolve, organisations must embed security early into AI development to ensure compliance and mitigate emerging cloud risks.
Tenable's research also shows broader progress in cloud risk management. Toxic cloud trilogies, workloads that are publicly exposed, critically vulnerable, and highly privileged, fell to 29% of organisations surveyed, a nine-point improvement from 2024. Tenable's researchers attribute the nine-point decline to sharper risk-prioritisation practices and wider use of cloud-native security tooling, yet warn that even a single trilogy provides attackers with a fast lane to sensitive data.
Identity remains the foundation of a secure cloud environment. The report finds that 83% of AWS users have configured at least one identity provider (IdP), a best practice for securing human and service identities. Yet, the presence of identity-based risks persists. Credential abuse remains the most common initial access vector, implicated in 22% of breaches, underscoring that strong multi-factor authentication (MFA) enforcement and least privilege principles are critical to meet regulatory expectations and protect sensitive data.
'Organisations have made real strides in tackling toxic cloud risks, but the growing adoption of AI workloads is introducing a fresh layer of complexity,' said Ari Eitan, director of Cloud Security Research at Tenable.
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
The Star
2 days ago
- The Star
Microsoft signs deal to power Premier League's AI tools
A five-year 'strategic partnership' will see the UK football league, the world's most watched, migrate its 'core technology infrastructure' to Microsoft's Azure cloud-computing service, the company and league said in a statement. — AP Microsoft Corp has signed a cloud computing deal with the Premier League, a pact that will let the software company tout its AI technology to a captive audience of sports fans. A five-year "strategic partnership' will see the UK football league, the world's most watched, migrate its "core technology infrastructure' to Microsoft's Azure cloud-computing service, the company and league said in a statement on July 1. The Premier League's mobile apps and website will feature an artificially intelligent chatbot powered by Microsoft's AI services, as will the league's fantasy games. "This is the future of football,' Microsoft UK chief Darren Hardman said in an interview with Bloomberg Television. "It's data-driven drama, it's smarter stats, it's deeper stories, it's a better connection of the fan to what's going on.' He and Will Brass, the Premier League's chief commercial officer, declined to discuss the financial terms of the deal. Oracle Corp previously provided cloud-computing services to the league, but the arrangement expired at the end of the season earlier this year. Technology and sports marketing tie-ins are a crowded field, particularly in global football. Microsoft's Copilot brand is the sponsor for Beyond Stats, a service that provides game and team analysis for fans of Spain's top football division, La Liga. The stats that pop up during Germany's Bundesliga are festooned with the Amazon Web Services logo. Such deals are prized by technology companies because sports is the rare entertainment that people still watch live. In the 12 years since Microsoft struck a deal with the National Football League to place its tablets in the hands of team coaches, the tech industry has looked for creative ways to go beyond plastering their brand names on league signage. – Bloomberg
The Sun
4 days ago
- The Sun
AI use sparks new security fears: Tenable
PETALING JAYA: Tenable, the exposure management company, revealed in its 2025 Cloud Security Risk Report released yesterday that cloud workloads supporting artificial intelligence (AI) initiatives are more vulnerable than traditional workloads. The report found that 70% of AI workloads across AWS, Azure and GCP contain at least one unremediated critical vulnerability, posing increased security risks for organisations in Singapore and Southeast Asia as AI adoption accelerates. AI workloads, with their vast training datasets and model development processes, are an increasingly attractive target for threat actors. The study found that 77% of organisations using Google's Vertex AI Workbench had at least one notebook instance configured with an overprivileged default service account, which could allow privilege escalation and lateral movement across cloud environments. These risks are increasingly top-of-mind for regulators across Southeast Asia. In Singapore, the Cybersecurity Act and Monetary Authority of Singapore's (MAS) Technology Risk Management Guidelines mandate stringent cloud and AI security controls. Indonesia's PP 71 and Otoritas Jasa Keuangan (OJK) regulations require secure cloud usage and local data storage for financial institutions, while Malaysia's Risk Management in Technology (RMiT) framework sets out strict cloud risk practices for banks. Thailand's Personal Data Protection Act (PDPA) and Bank of Thailand (BOT) guidelines emphasise access controls and transparency, and the Philippines' Data Privacy Act and Bangko Sentral ng Pilipinas (BSP) regulations call for data classification, strong authentication and robust third-party governance. As these regulatory frameworks evolve, organisations must embed security early into AI development to ensure compliance and mitigate emerging cloud risks. Tenable's research also shows broader progress in cloud risk management. Toxic cloud trilogies, workloads that are publicly exposed, critically vulnerable, and highly privileged, fell to 29% of organisations surveyed, a nine-point improvement from 2024. Tenable's researchers attribute the nine-point decline to sharper risk-prioritisation practices and wider use of cloud-native security tooling, yet warn that even a single trilogy provides attackers with a fast lane to sensitive data. Identity remains the foundation of a secure cloud environment. The report finds that 83% of AWS users have configured at least one identity provider (IdP), a best practice for securing human and service identities. Yet, the presence of identity-based risks persists. Credential abuse remains the most common initial access vector, implicated in 22% of breaches, underscoring that strong multi-factor authentication (MFA) enforcement and least privilege principles are critical to meet regulatory expectations and protect sensitive data. 'Organisations have made real strides in tackling toxic cloud risks, but the growing adoption of AI workloads is introducing a fresh layer of complexity,' said Ari Eitan, director of Cloud Security Research at Tenable.
The Star
26-06-2025
- The Star
Amazon loses an AWS generative AI boss as tech talent shuffle heats up
A logo for Amazon Web Services (AWS) is seen at the Viva Technology conference dedicated to innovation and startups at Porte de Versailles exhibition center in Paris, France, June 12, 2025. REUTERS/Benoit Tessier SAN FRANCISCO (Reuters) -Amazon's AWS recently lost a key vice president helping oversee generative artificial intelligence development as well as the company's Bedrock service, as the competition for talent heats up. Vasi Philomin told Reuters in an email that he left Amazon for another company, without providing specifics. A company spokesperson confirmed that Philomin had recently left after eight years with Amazon. Philomin helped lead generative AI efforts and product strategy, and oversaw foundation models known as Amazon Titan. The spokesperson said Rajesh Sheth, a vice president previously overseeing Amazon Elastic Block Store, had assumed some of Philomin's responsibilities. Philomin left Amazon earlier in June. In his biography, Philomin said he helped create and lead Amazon Bedrock, a hub for using multiple AI models and one of AWS's premier products in its battle for AI supremacy. He was a frequent speaker at AWS events, including Amazon's annual cloud computing conference in Las Vegas. An Amazon spokesman noted that there are other vice presidents at AWS who also work on generative AI projects. Amazon is working to bolster its reputation in AI development, after rivals like OpenAI, and Google have taken an early lead, particularly with consumer-focused models. The Seattle-based online retailer and technology powerhouse has invested $8 billion in AI startup Anthropic and integrated its Claude software into its own products including a new revamped version of voice assistant Alexa that it's rolling out to customers this year. In December, Amazon introduced its Nova AI models which provide for text, video and image generation. Earlier this year, it added to the lineup with a version called Sonic that can more readily produce natural-sounding speech. Companies are employing creative techniques to hire top AI talent, including using sports industry data analysis to help identify undiscovered talent, Reuters reported last month. As a result, compensation has skyrocketed for some. However, as Amazon races to produce more advanced AI, it said it expects its own success will lead to fewer corporate jobs, according to a memo from CEO Andy Jassy last growth limits will be driven in particular by so-called agentic AI, which can perform tasks with minimal or even no additional input from people. "As we roll out more Generative AI and agents, it should change the way our work is done. We will need fewer people doing some of the jobs that are being done today and more people doing other types of jobs," Jassy wrote. (Reporting by Greg Bensinger; Editing by David Gregorio)
