Are Unmanaged Long-Lived Cloud Credentials Putting Your Data at Risk?

October 21, 2024

Cloud-based systems have revolutionized how organizations operate, making data accessible from anywhere and providing the necessary infrastructure for growth. However, this convenience comes with significant security risks, particularly those associated with unmanaged long-lived cloud credentials. These credentials, such as authentication tokens or keys, remain valid for extended periods or indefinitely, creating a prime target for cyber attackers. The increasing reliance on cloud services combined with the widespread issue of outdated, unmanaged credentials paints a concerning picture for modern cloud security practices.

The Prevalence of Unmanaged Long-Lived Credentials

A concerning statistic from Datadog’s State of Cloud Security 2024 report highlights that nearly half of organizations have unmanaged long-lived credentials. Specifically, these credentials are rampant across major cloud service providers, including Google Cloud, Amazon Web Services (AWS), and Microsoft Entra. For instance, 60% of Google Cloud service accounts, 60% of AWS Identity and Access Management (IAM) users, and 46% of Microsoft Entra ID applications possess access keys that are older than one year.

The widespread presence of these outdated credentials is not only a sign of poor management but also a glaring vulnerability. They provide an easy entry point for attackers, allowing them to infiltrate and exploit an organization’s cloud systems over extended periods. The longer the credentials remain unmanaged, the greater the likelihood of unauthorized data access and persistent attacks, which can lead to significant data breaches and operational disruptions. An organization can potentially face devastating consequences by allowing these vulnerabilities to persist, making it imperative to address this issue as a priority.
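The report's "older than one year" figure is something any AWS account can measure for itself from the IAM credential report. The following script is an added example, not part of this article or of Datadog's report; it parses a constructed report in the real report's column layout (the account id, user names and timestamps are placeholders) and flags active access keys last rotated more than 365 days ago, separating keys that have never been used (delete) from keys still in use (rotate).

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an AWS IAM credential report (the
# real one is downloaded with `aws iam get-credential-report`). Account id,
# user names and dates are placeholders; timestamps use the report's ISO 8601 form.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2021-03-04T09:15:00+00:00,false,N/A,N/A,N/A,false,true,2021-03-04T09:15:00+00:00,2024-10-20T06:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-06-01T10:00:00+00:00,true,2024-10-18T14:00:00+00:00,2024-09-01T10:00:00+00:00,2024-12-01T10:00:00+00:00,true,true,2024-08-15T10:00:00+00:00,2024-10-19T11:00:00+00:00,eu-west-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
legacy-batch,arn:aws:iam::123456789012:user/legacy-batch,2020-11-20T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-11-20T00:00:00+00:00,N/A,N/A,N/A,true,2022-02-02T00:00:00+00:00,2023-01-05T00:00:00+00:00,us-west-2,ec2,false,N/A,false,N/A
"""

MAX_KEY_AGE = timedelta(days=365)          # the report's "older than one year" threshold
_NO_VALUE = {"N/A", "no_information", "not_supported", ""}

# Date of the audit run; fixed so the example is reproducible offline.
REPORT_DATE = datetime(2024, 10, 21, 12, 0, tzinfo=timezone.utc)


def _parse_ts(value):
    """Return an aware datetime, or None when the report carries no timestamp."""
    if value in _NO_VALUE:
        return None
    return datetime.fromisoformat(value)


def find_stale_access_keys(report_csv, now=REPORT_DATE, max_age=MAX_KEY_AGE):
    """Flag active access keys last rotated more than `max_age` before `now`.

    A key that has never been used can simply be deleted; a key still in use
    needs rotation (or replacement by role-based short-lived credentials).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"{slot}_last_rotated"])
            if rotated is None:
                continue
            age = now - rotated
            if age <= max_age:
                continue
            last_used = _parse_ts(row[f"{slot}_last_used_date"])
            findings.append({
                "user": row["user"],
                "key": slot,
                "age_days": age.days,
                "last_used": last_used,
                "action": "rotate" if last_used else "delete (never used)",
            })
    return findings


def share_of_users_with_stale_keys(report_csv, now=REPORT_DATE, max_age=MAX_KEY_AGE):
    """Fraction of IAM users holding at least one key older than `max_age`."""
    users = [r["user"] for r in csv.DictReader(io.StringIO(report_csv))
             if r["user"] != "<root_account>"]
    flagged = {f["user"] for f in find_stale_access_keys(report_csv, now, max_age)}
    return len(flagged) / len(users) if users else 0.0


if __name__ == "__main__":
    for f in find_stale_access_keys(SAMPLE_REPORT):
        print(f"{f['user']:13} {f['key']}  {f['age_days']:>5} days old  -> {f['action']}")
    print(f"users with a key older than one year: {share_of_users_with_stale_keys(SAMPLE_REPORT):.0%}")
```

On the constructed sample two of the three users hold a key older than one year, and one of those keys has never been used at all, which is the case to delete outright rather than rotate.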

The Risks of Persistent Unauthorized Access

Unmanaged long-lived credentials are particularly dangerous because they provide a prolonged window for exploitation. Attackers with access to these credentials can covertly operate within an organization’s cloud environment, gathering sensitive data and compromising systems without immediate detection. This scenario allows cybercriminals to escalate their privileges, move laterally across the network, and establish backdoors for future attacks.

The extended access period afforded by long-lived credentials grants attackers ample time to plan and execute their strategies meticulously. For instance, they can exfiltrate data in small batches to evade detection, causing lasting and sometimes irreversible harm to the organization’s reputation and financial standing. The ability to maintain access over prolonged periods makes it significantly more challenging to identify and mitigate the attack, further underlining the critical nature of addressing these security weaknesses.

Identifying and Mitigating Risky Permissions

Beyond the threat posed by long-lived credentials, the Datadog report also sheds light on the prevalence of risky permissions within cloud environments. Approximately 18% of AWS EC2 instances and 33% of Google Cloud VMs are configured with sensitive permissions that can be exploited by attackers. Such sensitive permissions allow compromised workloads to exfiltrate credentials, gaining unauthorized control over the cloud environment.

Moreover, the report highlights that 10% of third-party integrations also bear risky permissions. Vendors sometimes have excessive access, leading to potential full account takeovers if their security is compromised. The significant percentage of risky permissions underscores the critical need for stringent access control measures to minimize vulnerabilities. Organizations must establish rigorous protocols to audit and limit permissions, ensuring that only necessary access is granted and regularly reviewed.
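The "sensitive permissions" the report counts on workloads are, in practice, policy grants that let a compromised instance mint or read further credentials. The scanner below is an added example, not code from the article or from Datadog; it walks an IAM policy document, expands wildcard actions such as `iam:*` against a short illustrative list of credential-related actions (a production scanner would use a much longer list), and rates each grant by whether its Resource is `*`. The two policies are constructed: an instance-profile policy with a "convenience" `iam:*` grant, and its least-privilege replacement.

```python
from fnmatch import fnmatchcase

# Actions that let a workload create, broaden or read credentials. Illustrative
# subset drawn from common cloud-security benchmarks, not an exhaustive list.
CREDENTIAL_ACTIONS = (
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:PutRolePolicy",
    "iam:PutUserPolicy", "iam:UpdateAssumeRolePolicy", "iam:PassRole",
    "sts:AssumeRole", "secretsmanager:GetSecretValue", "ssm:GetParameter",
)


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def risky_grants(policy):
    """Return one finding per sensitive action granted by an Allow statement.

    Severity is "high" when the grant applies to every resource ("*") and
    "review" when it is scoped, since a scoped sts:AssumeRole or ssm:GetParameter
    is often legitimate.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        resources = _as_list(stmt.get("Resource"))
        severity = "high" if "*" in resources else "review"
        if "NotAction" in stmt:
            # NotAction allows everything except the listed actions: treat as a wildcard.
            findings.append({"sid": sid, "action": "<NotAction>", "severity": severity})
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        for action in CREDENTIAL_ACTIONS:
            # fnmatch expands "iam:*", "iam:Create*" and bare "*" the way IAM does
            if any(fnmatchcase(action.lower(), p) for p in patterns):
                findings.append({"sid": sid, "action": action, "severity": severity})
    return findings


# Constructed instance-profile policy for a web tier that only needs to read one bucket.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAssets", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "Convenience", "Effect": "Allow",
         "Action": ["iam:*", "ssm:GetParameter"], "Resource": "*"},
    ],
}

# Least-privilege replacement: same bucket read, parameters limited to this tier's path.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAssets", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "ReadOwnConfig", "Effect": "Allow",
         "Action": "ssm:GetParameter",
         "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/web/*"},
    ],
}


if __name__ == "__main__":
    for name, policy in (("broad", OVERLY_BROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name)
        for f in risky_grants(policy):
            print(f"  [{f['severity']}] {f['sid']}: {f['action']}")
```

The broad policy produces ten high-severity findings from a single `iam:*` line plus the unscoped `ssm:GetParameter`; the replacement produces only one "review" finding, the scoped parameter read, which is exactly the kind of grant a reviewer should see and accept knowingly.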

External IDs and “Confused Deputy” Attacks

The threat landscape is further complicated by “confused deputy” attacks, in which a party with insufficient permissions tricks a more privileged one into performing actions on its behalf, effectively bypassing access controls. The report reveals that 2% of third-party integration roles fail to enforce the use of External IDs, making them susceptible to these attacks. In the cross-account case the vendor’s service is the deputy: a unique External ID that the vendor must present when assuming a customer’s role ties each assumption to the customer who actually configured the integration, so a role that does not require one can be assumed on behalf of whoever manages to point the vendor at it.

This type of attack can be particularly damaging, as it can lead to unauthorized data access, privilege escalation, and significant security breaches. Organizations must therefore ensure that External IDs are mandatorily enforced for third-party integrations to mitigate this risk. Instituting proper checks and balances can help curb these exploits and protect the integrity of cloud systems.
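Whether a role enforces an External ID is visible in its trust policy, so the 2% figure can be reproduced in any account by scanning trust policies. The checker below is an added example, not code from the article or from Datadog; it takes a role trust policy as a Python dict, finds every `sts:AssumeRole` grant to a principal outside the account, and reports those that lack a `sts:ExternalId` condition. The account ids (`123456789012` for the customer, `999999999999` for the vendor) and the External ID value are placeholders; the two trust policies show the weak configuration beside the corrected one.

```python
def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Account/role principals of a statement; "*" means anyone."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return ["*"] if aws == "*" else _as_list(aws)
    return []          # Service principals (ec2.amazonaws.com, ...) are not cross-account


def _account_of(principal):
    """Account id from an ARN such as arn:aws:iam::123456789012:root, or a bare id."""
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal


def _requires_external_id(stmt):
    """True when a StringEquals/StringLike condition pins sts:ExternalId to a value."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if not operator.startswith(("StringEquals", "StringLike")):
            continue       # StringNotEquals and friends do not enforce a match
        for key, value in pairs.items():
            if key.lower() == "sts:externalid" and any(_as_list(value)):
                return True
    return False


def cross_account_without_external_id(trust_policy, own_account):
    """Foreign principals that may assume the role with no External ID required."""
    exposed = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        for principal in _aws_principals(stmt):
            if principal != "*" and _account_of(principal) == own_account:
                continue   # same-account trust: the confused-deputy case does not arise
            if not _requires_external_id(stmt):
                exposed.append(principal)
    return exposed


OWN_ACCOUNT = "123456789012"                 # placeholder customer account
VENDOR_ROOT = "arn:aws:iam::999999999999:root"   # placeholder vendor account

# Weak: the vendor account may assume the role with no further proof.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": VENDOR_ROOT},
                   "Action": "sts:AssumeRole"}],
}

# Fixed: the vendor must also present the External ID it issued for this customer.
FIXED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": VENDOR_ROOT},
                   "Action": "sts:AssumeRole",
                   "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}}}],
}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("fixed", FIXED_TRUST_POLICY)):
        print(name, "->", cross_account_without_external_id(policy, OWN_ACCOUNT) or "ok")
```

In a real audit the policy dicts come from `aws iam get-role` for each role in the account; the check itself needs nothing beyond the JSON. Note that an External ID is a correlation value, not a secret: it stops a vendor being used as a deputy, but it does not replace least privilege on the role itself.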

The Shift Towards Short-Lived Credentials and Modern Authentication

To combat these vulnerabilities, there is a growing consensus among security experts on the need to transition from long-lived credentials to short-lived ones. Short-lived credentials, such as one-time use tokens, reduce the risk window for exploitation as they expire quickly, forcing continuous re-authentication and making them less attractive to attackers.

Andrew Krug, Head of Security Advocacy at Datadog, emphasizes that securely managing long-lived credentials is impractical due to their inherent risks. Instead, he advocates for modern authentication mechanisms that include multi-factor authentication (MFA) and single sign-on (SSO) to ensure that only authorized users gain access to cloud systems. These methods, coupled with diligent monitoring of API modifications and other potential entry points, provide a more robust security posture and significantly reduce the risk of long-lived credential exploitation.
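Short-lived credentials only shrink the exposure window if the code consuming them handles expiry correctly: fetching a fresh session before the current one lapses, and never caching one past its expiration. The provider below is an added example, not from the article or from Datadog, of the refresh-ahead pattern the cloud SDKs use. `fetch` stands in for whatever issues a session (on AWS that would be an `sts:AssumeRole` call; here it is a constructed in-memory issuer that mints one-hour sessions), and the clock is injected so the behaviour can be exercised offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SessionCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime        # aware UTC datetime, as returned by a token service


class RefreshingCredentials:
    """Hand out session credentials, replacing them shortly before they expire.

    `fetch()` returns a new SessionCredentials (an sts:AssumeRole wrapper in
    practice); `clock()` returns the current aware time and is injectable for tests.
    """

    def __init__(self, fetch, clock=lambda: datetime.now(timezone.utc),
                 refresh_ahead=timedelta(minutes=5)):
        self._fetch = fetch
        self._clock = clock
        self._refresh_ahead = refresh_ahead
        self._current = None
        self.refresh_count = 0

    def get(self):
        now = self._clock()
        if self._current is None or self._current.expiration - now <= self._refresh_ahead:
            fresh = self._fetch()
            if fresh.expiration <= now:
                # An issuer returning an already-expired session is a fault, not something to cache.
                raise RuntimeError("issuer returned expired credentials")
            self._current = fresh
            self.refresh_count += 1
        return self._current


class FakeSts:
    """Constructed stand-in for a token service: every call mints a fresh one-hour session."""

    def __init__(self, clock, ttl=timedelta(hours=1)):
        self._clock = clock
        self._ttl = ttl
        self.issued = 0

    def assume_role(self):
        self.issued += 1
        return SessionCredentials(
            access_key_id=f"ASIAEXAMPLE{self.issued:06d}",   # constructed, not a real key id
            secret_access_key="<constructed-secret>",
            session_token=f"session-{self.issued}",
            expiration=self._clock() + self._ttl,
        )


def simulate(hours=3, step=timedelta(minutes=10)):
    """Advance a clock through `hours` of calls; return (calls served, sessions issued)."""
    t = [datetime(2024, 10, 21, 9, 0, tzinfo=timezone.utc)]     # constructed start time
    clock = lambda: t[0]
    sts = FakeSts(clock)
    provider = RefreshingCredentials(sts.assume_role, clock)
    served = 0
    end = t[0] + timedelta(hours=hours)
    while t[0] < end:
        creds = provider.get()
        assert creds.expiration > t[0], "provider must never hand out expired credentials"
        served += 1
        t[0] += step
    return served, sts.issued


if __name__ == "__main__":
    served, issued = simulate()
    print(f"{served} calls served with {issued} one-hour sessions; no key outlived its hour")
```

Over a three-hour run the provider serves every call from just three sessions and refreshes exactly when the remaining lifetime drops to the five-minute margin, so a leaked session token is useless within the hour, whereas the long-lived keys the report counts stay valid until someone notices.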

Improvement in Cloud Guardrails Deployment

Cloud-based systems have fundamentally transformed how organizations function, enabling data accessibility from virtually anywhere and furnishing the essential infrastructure for business expansion. However, this convenience doesn’t come without its own set of challenges—most notably, significant security risks. Among these risks, the issue of unmanaged long-lived cloud credentials stands out. These credentials, such as authentication tokens or API keys, are often valid for extended periods or even indefinitely. This longevity makes them an attractive target for cyber attackers, who can exploit them for prolonged access to sensitive information.

The growing dependency on cloud services exacerbates this issue, as more organizations integrate cloud solutions into their operations. Outdated and unmanaged credentials become widespread problems, posing even greater threats to cloud security. When these credentials go unchecked, they create vulnerabilities that are difficult to monitor or mitigate, leaving enterprises exposed to potential breaches. The ease of cloud integration must be balanced with stringent security measures, ensuring that these credentials are regularly updated and thoroughly managed. Only then can organizations fully leverage cloud benefits without compromising their security posture.
