Nearly half (46%) of organizations have unmanaged users with long-lived credentials in cloud services, putting them at high risk of data breaches, according to Datadog’s State of Cloud Security 2024 report.
Long-lived credentials are authentication tokens or keys in the cloud that remain valid for a long time or never expire. They are a major cause of cloud breaches, because attackers have a long window in which to compromise them.
They can also enable attackers to achieve persistent access, with the same access and privileges as the original owner.
The new Datadog report found that long-lived credentials are widespread across all major cloud service providers, including Google Cloud, Amazon Web Services (AWS) and Microsoft Entra.
Many of these credentials are also old and even unused, with 60% of Google Cloud service accounts, 60% of AWS Identity and Access Management (IAM) users and 46% of Microsoft Entra ID applications having an access key older than one year.
Commenting on the findings, Andrew Krug, Head of Security Advocacy at Datadog, warned that it is unrealistic for organizations to expect that long-lived credentials can be securely managed, and that firms need a strategy to mitigate these risks.
“In addition to long-lived credentials being a major risk, the report found that most cloud security incidents are caused by compromised credentials. To protect themselves, companies need to secure identities with modern authentication mechanisms, leverage short-lived credentials and actively monitor changes to APIs that attackers commonly use,” he commented.
Risky Cloud Permissions Prevalent
The report also found that 18% of AWS EC2 instances and 33% of Google Cloud VMs have sensitive permissions to a project. These permissions put organizations at higher risk of damaging breaches because they enable any attacker who compromises the workload to steal associated credentials and access the cloud environment.
Additionally, 10% of third-party integrations have risky cloud permissions, allowing the vendor to access all data in the account or to take over the whole account.
The research also identified that 2% of third-party integration roles do not enforce the use of External IDs, which allows an attacker to compromise them through a "confused deputy" attack: an entity that lacks permission to perform an action coerces a more-privileged entity into performing it on its behalf.
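As an added illustration, not taken from the Datadog report, the following check flags the kind of cross-account trust statement described above: one that lets another AWS account assume a role without requiring an External ID. The two trust policies, the account IDs and the External ID value are constructed placeholders.

```python
import json

# Constructed example trust policies (placeholder account IDs). The first lets a
# third-party account assume the role with no ExternalId condition; the second
# requires the vendor to present the agreed ExternalId on every AssumeRole call.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
})

HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_missing_external_id(policy_json, own_account_id):
    """Return principals from Allow/sts:AssumeRole statements that trust a
    different AWS account (or '*') without any sts:ExternalId condition."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal_field = stmt.get("Principal", {})
        # A bare "*" principal trusts every AWS account.
        principals = [principal_field] if isinstance(principal_field, str) \
            else _as_list(principal_field.get("AWS", []))
        has_external_id = any("sts:ExternalId" in keys
                              for keys in stmt.get("Condition", {}).values())
        for principal in principals:
            # arn:aws:iam::<account-id>:... -> the account ID is the 5th colon field
            account = principal.split(":")[4] if principal.startswith("arn:") else principal
            if account != own_account_id and not has_external_id:
                findings.append(principal)
    return findings
```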
Encouragingly, Datadog found that the adoption of cloud guardrails has increased in the past year. For example, 79% of S3 buckets are covered by an account-wide or bucket-specific S3 Public Access Block, up from 73% in 2023.
This trend is due to cloud providers starting to enable guardrails by default, the vendor said.