Latest news with #AriEitan
Bangkok Post
09-07-2025
- Business
- Bangkok Post
Cloud security gaps threaten regional businesses
Businesses across Southeast Asia are facing a silent crisis of cloud vulnerabilities, according to the 2025 Cloud Security Risk Report by Tenable, a Nasdaq-listed cybersecurity exposure management company. The report uncovers alarming security gaps in cloud environments, from misconfigured storage exposing sensitive data to embedded secrets in workloads, that could lead to data breaches, financial losses and regulatory repercussions, the company says. The findings are particularly relevant for organisations operating in regulated sectors or managing cross-border data flows. In Singapore, where data protection and cybersecurity are tightly governed under frameworks such as the Cybersecurity Act, Personal Data Protection Act (PDPA) and Monetary Authority of Singapore (MAS) technology risk management guidelines, poor visibility into cloud assets and misconfigurations can have serious compliance repercussions. Similarly, Indonesia's Personal Data Protection Law, the PDPA in Thailand and Malaysia, and the Philippines' Data Privacy Act all impose stringent requirements on data protection, cross-border transfers and cloud security. "Together, these regulations highlight the urgent need for organisations across Southeast Asia to prioritise strong cloud governance and security to meet evolving compliance and cybersecurity demands," said the report. The research reveals a significant and widespread risk, finding that 9% of all analysed cloud storage resources contain restricted or confidential information. In environments housing vast volumes of data, this seemingly small percentage translates to millions of sensitive records potentially exposed. Even more alarming, nearly one in 10 publicly accessible storage locations holds sensitive data, driven by common misconfigurations, weak access controls and limited visibility. This can expose organisations across industries to serious security and compliance threats in line with local or regional data residency expectations. The risks do not end there. Tenable's findings show that 54% of organisations with AWS ECS (Amazon Web Services Electronic Clearing Services) task definitions have a secret embedded within them, exposing businesses to the threat of full cloud environment takeovers or exploitation activities like unauthorised crypto mining. Even within AWS EC2 instances, 3.5% contain credentials embedded in user data, giving attackers a clear pathway to escalate privileges and compromise environments. "Secrets are the keys to the kingdom, yet many organisations are unknowingly leaving them unguarded across their cloud infrastructures," said Ari Eitan, director of cloud security research at Tenable. "In today's threat landscape, complacency is costly. Organisations must treat secrets with the highest level of security hygiene to prevent attackers from gaining footholds that can spiral into full-blown breaches." With Singapore continuing to scale up cloud adoption, supported by national initiatives like the Infocomm Media Development Authority's Cloud Outage Incident Response framework and regional efforts to enable secure digital economies, the report highlights the urgent need for a proactive, risk-driven security strategy. "The cloud offers incredible agility, but without strong controls and continuous monitoring, it also opens the door to significant exposures," Mr Eitan said. "Understanding where your sensitive data and credentials are and who can access them must now be a board-level priority."
Web Release
24-06-2025
- Web Release
Tenable Research Finds Rampant Cloud Misconfigurations Exposing Critical Data and Secrets
Tenable®, the exposure management company, today released its 2025 Cloud Security Risk Report, which revealed that 9% of publicly accessible cloud storage contains sensitive data. Ninety-seven percent of such data is restricted or confidential, creating easy and prime targets for threat actors. Cloud environments face dramatically increased risk due to exposed sensitive data, misconfigurations, underlying vulnerabilities and poorly stored secrets – such as passwords, API keys and credentials. The 2025 Cloud Security Risk Report provides a deep dive into the most prominent cloud security issues impacting data, identity, workload and AI resources and offers practical mitigation strategies to help organizations proactively reduce risk and close critical gaps. Key Findings From The Report Include: ? Secrets Found in Diverse Cloud Resources, Putting Organizations at Risk: Over half of organizations (54%) store at least one secret directly in Amazon Web Services (AWS) Elastic Container Service (ECS) task definitions — creating a direct attack path. Similar issues were found among organizations using Google Cloud Platform (GCP) Cloud Run (52%) and Microsoft Azure Logic Apps workflows (31%). Alarmingly, 3.5% of all AWS Elastic Compute Cloud (EC2) instances contain secrets in user data — major risk given how widely EC2 is used. ? Cloud Workload Security Is Improving, But Toxic Combinations Persist: While the number of organizations with a 'toxic cloud trilogy' – a workload that is a publicly exposed, critically vulnerable, and highly privileged – has decreased from 38% to 29%, this dangerous combination still represents a significant and common risk. ? Using Identity Providers (IdPs) Alone Doesn't Eliminate Risk: While 83% of AWS organizations are exercising best practices in using IdP services to manage their cloud identities, overly-permissive defaults, excessive entitlements, and standing permissions still expose them to identity-based threats. 'Despite the security incidents we have witnessed over the past few years, organizations continue to leave critical cloud assets, from sensitive data to secrets, exposed through avoidable misconfigurations,' said Ari Eitan, Director of Cloud Security Research, Tenable. 'The path for attackers is often simple: exploit public access, steal embedded secrets or abuse overprivileged identities. To close these gaps, security teams need full visibility across their environments and the ability to prioritize and automate remediation before threats escalate. The cloud demands continuous, proactive risk management, and not reactive patchwork.' The report reflects findings by the Tenable Cloud Research team based on telemetry from workloads across diverse public cloud and enterprise environments, analyzed from October 2024 through March 2025. To download the report today, please visit:
Techday NZ
19-06-2025
- Techday NZ
Poor cloud security leaves secrets & data at risk, report finds
A new report from Tenable Research has detailed the ongoing risks facing organisations due to poor cloud security practices and widespread misconfigurations. The 2025 Cloud Security Risk Report analyses data from global cloud systems spanning October 2024 to March 2025. It highlights significant vulnerabilities related to data exposure, identity management, cloud workloads, and the use of artificial intelligence resources. The findings indicate that sensitive information and credentials remain at risk due to inconsistent security implementations across major public cloud providers. Exposure of sensitive data According to Tenable Research, 9% of publicly accessible cloud storage contains sensitive data, and 97% of this content is classified as restricted or confidential. These circumstances increase the risk of exploitation, particularly when misconfigurations or embedded secrets are also present. The report notes that cloud environments are subject to significantly heightened risk from exposed data, misconfigured access, and the insecure storage of secrets such as passwords, API keys, and other credentials. These issues are compounded by underlying vulnerabilities and inconsistent security practices across organisations using public cloud providers like Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. Secrets and workload security The assessment documented that over half of organisations (54%) store at least one secret directly within AWS Elastic Container Service (ECS) task definitions, creating a direct attack path for threat actors. On GCP Cloud Run, similar patterns were observed, with 52% of organisations found to be storing secrets within resources, and 31% on Microsoft Azure Logic Apps workflows. Furthermore, 3.5% of all AWS Elastic Compute Cloud (EC2) instances were identified as containing secrets within user data. AWS EC2's broad adoption means this level of exposure represents a substantial risk across the industry. The report points to some improvement in cloud workload security: the prevalence of the so-called "toxic cloud trilogy"-a situation in which a workload is publicly exposed, critically vulnerable, and endowed with high privilege-has decreased from 38% to 29%. However, Tenable researchers note that this combination continues to represent a significant risk for businesses. Issues in identity and access management One significant finding relates to the use of Identity Providers (IdPs). The research indicates that 83% of AWS organisations employ IdP services to manage cloud identities, which is regarded as best practice. Despite this, risks persist due to permissive default settings, excessive entitlements, and lingering standing permissions that give rise to identity-based threats. "Despite the security incidents we have witnessed over the past few years, organizations continue to leave critical cloud assets, from sensitive data to secrets, exposed through avoidable misconfigurations," said Ari Eitan, Director of Cloud Security Research, Tenable. The report suggests that attackers are often able to find entry points with relative ease, exploiting public access, extracting embedded secrets, or misusing over-privileged identities. Recommendations and risk management "The path for attackers is often simple: exploit public access, steal embedded secrets or abuse overprivileged identities. To close these gaps, security teams need full visibility across their environments and the ability to prioritize and automate remediation before threats escalate. The cloud demands continuous, proactive risk management, and not reactive patchwork," added Eitan. Tenable's analysis is based on telemetry collected from a diverse array of public cloud and enterprise environments and provides detailed insight into the cloud security challenges currently faced by businesses. The report offers practical recommendations to help security professionals reduce risks, mitigate vulnerabilities, and address gaps before they can be exploited. The findings underline the necessity for organisations to adopt unified cloud exposure management, increase visibility across their cloud assets, and take a systematic approach to automation and remediation of security risks, particularly as cloud adoption and reliance on AI-driven resources continue to rise.
