38% of organizations face critical exposure risk

The Tenable Cloud Risk Report 2024 highlights the current risks associated with cloud environments. The report indicates that 38% of organizations globally are facing critical exposures due to various security shortcomings. These organizations are vulnerable to a combination of highly privileged, critically vulnerable, and publicly exposed cloud workloads, known as the “toxic cloud triad.” These vulnerabilities could potentially lead to cyberattacks resulting in application disruptions, system takeovers, and data breaches.

Among the common issues identified in the report are high-risk entitlements, misconfigurations, and vulnerabilities in identities, storage, workloads, and containers. Key findings from the report include: 

• 84.2% of organizations have unused or longstanding access keys with excessive permissions.
• 23% of cloud identities have critical or high severity excessive permissions.
• 74% of organizations have publicly exposed storage. 

Security leaders discuss the “toxic cloud triad”

Rom Carmel, Co-Founder and CEO at Apono:

“The “toxic cloud triad” poses a significant risk to business operations, increasing the potential for system takeovers, DDoS attacks, and ransomware incidents. It is crucial for businesses operating primarily in the cloud to implement best practices such as least-privilege access policies, just-in-time access, and continuous vulnerability management to mitigate these risks.

“To address the potential consequences of a data breach and minimize financial impact, organizations should focus on monitoring and remedying misconfigurations, over-privilege, and critical vulnerabilities in cloud environments. Implementing zero trust strategies and enforcing access management can significantly reduce the impact of a potential incident.”

Jason Soroko, Senior Fellow at Sectigo:

“The “toxic cloud triad” combines publicly exposed cloud workloads, critical vulnerabilities, and excessive privileges, requiring organizations to deploy these technologies safely and securely. To minimize financial impacts from cloud risks, companies should invest in proactive security measures, including comprehensive cloud security policies, regular security audits, and employee training programs.

“Integrating security into every layer of cloud infrastructure management, adopting DevSecOps practices, and leveraging automation tools for security tasks are crucial steps in maintaining robust security while ensuring flexibility in cloud environments.”

Mr. Ratan Tipirneni, President & CEO at Tigera:

“The “toxic cloud triad” can leave businesses vulnerable to threats like data exfiltration and ransomware. Implementing solutions like vulnerability scanning, admission control, and security posture management can help mitigate risks and enhance preparedness for potential breaches.

“By deploying security guardrails, companies can balance cloud flexibility with stringent security measures, empowering developer teams to set security policies while protecting against potential threats.”

Darren Guccione, CEO and Co-Founder at Keeper Security:

“The “toxic cloud triad” creates dangerous situations for businesses, leading to potential breaches and financial losses. Prioritizing proactive security measures, regular audits, and employee training are essential in mitigating risks.

“Investing in security tools, continuous monitoring, and a zero-trust security architecture can help minimize the financial impact of data breaches and ensure business resilience.”