Numerous Organizations Have Exposed, Vulnerable Cloud Workloads
By Diego Valverde | Journalist & Industry Analyst
Thu, 10/31/2024 - 08:20
Thirty-eight percent of global organizations have at least one publicly exposed, critically vulnerable cloud workload, according to Tenable's Cloud Risk Report 2024. This “toxic cloud triad” highlights the need for enterprises to understand and appropriately manage emerging cloud risks, especially when it comes to building a security culture.
Building a security culture within an organization should start with the regular review and updating of unused or over-permissioned credentials in cloud environments, says Tenable. This approach is critical given that 84% of organizations have unused or over-permissioned credentials, which significantly increases their exposure to identity-based attacks. “Most of these problems could be mitigated by following credential rotation best practices recommended by cloud vendors, which suggest rotating every three months and deleting unused keys,” reads the report.
“From my perspective, Mexico has not yet embraced cloud migration at the pace of countries like the United States,” Robert Huber, Tenable Chief Security Officer, tells MBN.
The identity management problem in cloud environments is accentuated by the fact that 23% of cloud identities — both human and non-human — possess excessive, high-severity permissions. In Amazon Web Services (AWS), for example, 35% of human identities have critical permissions, increasing the risk of security breaches. The inherent complexity of cloud-native architectures, according to Tenable, makes it difficult for organizations to effectively manage these permissions, which can result in unnecessary compromises that exacerbate the risk of cyberattacks.
“Mexican organizations should implement automated systems for auditing and remediating excessive permissions to enhance security. Instead of relying on manual processes, which are unmanageable at scale, organizations can automate periodic access reviews for critical systems,” Huber says.
The report also reveals that 80% of the workloads reviewed had not patched a critical vulnerability (CVE-2024-21626) 40 days after its publication. This unaddressed vulnerability illustrates what the report describes as “vulnerability fatigue,” where information saturation prevents informed decision-making. In this context, prioritizing vulnerabilities based on their context becomes essential to focus efforts on the most critical ones.
“Mexican enterprises can implement a vulnerability prioritization framework by using platforms that integrate sector-specific cyberthreat intelligence. They should focus on creating a network for information exchange with peers in their industry to stay informed about relevant threats,” says Huber.
Risk exposure does not stop there. The report also indicates that 74% of organizations have publicly exposed cloud storage, often with sensitive data. This vulnerability has been linked to an increase in ransomware attacks. Therefore, it is critical for organizations to gain clear visibility into stored data to contextualize and mitigate associated risks.
“Publicly exposed cloud workloads create a high-risk attack path for cybercriminals because they can easily scan the internet for vulnerable assets. Whether motivated by ransomware or other objectives, attackers often seek out these exposed resources,” Huber says.
Finally, the study reports that 78% of organizations have publicly accessible API servers for Kubernetes, the open-source container orchestration system for automating software deployment. Among these, 41% are accessible from the Internet. Configurations such as privileged mode in containers or roles with full administrative permissions expose organizations to considerable risk.
Mitigation Strategies
The report presents several recommendations for addressing cloud risks, highlighting the following key strategies:
Create a Context-Driven Security Culture: Effective cloud risk management requires a holistic approach that unifies information about identities, vulnerabilities, misconfigurations, and data risks into a single platform. This provides an accurate view of the risk landscape and facilitates threat prioritization.
Strict Kubernetes and Container Access Management: Since Kubernetes and containers represent significant risk areas, organizations should adhere to security standards for Pods and restrict privileged permissions. Specific recommendations include:
- Limit inbound access to Kubernetes API servers to prevent unauthorized access.
- Disable anonymous authentication in Kubelet, as this configuration dramatically increases the risk of security compromises.
- Review and adjust administrative role assignments (cluster-admin) to reduce unnecessary access to elevated permissions, thus ensuring tighter access management.
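The last two recommendations above can be checked mechanically. The following is an added example, not code from the report or from Tenable: it audits ClusterRoleBinding objects (in the JSON shape `kubectl get clusterrolebindings -o json` returns) for cluster-admin grants beyond the default bootstrap binding, and a KubeletConfiguration fragment for anonymous authentication. All input data is constructed inline, so no cluster is contacted.

```python
"""Offline audit for two Kubernetes risks named in the report: broad
cluster-admin bindings and kubelet anonymous authentication."""

# Constructed sample: three ClusterRoleBindings as kubectl would return them.
SAMPLE_BINDINGS = {
    "items": [
        {"metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"metadata": {"name": "ci-deployer-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "deployer",
                       "namespace": "ci"},
                      {"kind": "Group", "name": "system:authenticated"}]},
        {"metadata": {"name": "view-readers"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "Group", "name": "readers"}]},
    ]
}

# Constructed KubeletConfiguration fragment showing the weak setting.
SAMPLE_KUBELET = {
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}},
}

# The bootstrap binding legitimately grants cluster-admin to system:masters.
EXPECTED_ADMINS = {("Group", "system:masters")}
# Built-in groups that mean "every logged-in identity" or "everyone".
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

def find_cluster_admin_subjects(bindings):
    """Return (binding, kind, name, severity) for each subject that holds
    cluster-admin outside EXPECTED_ADMINS. A built-in broad group is critical
    because it hands full control to every authenticated or anonymous caller."""
    findings = []
    for b in bindings["items"]:
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] != "cluster-admin":
            continue
        for s in b.get("subjects", []):
            if (s["kind"], s["name"]) in EXPECTED_ADMINS:
                continue
            severity = "critical" if s["name"] in BROAD_GROUPS else "high"
            findings.append((b["metadata"]["name"], s["kind"], s["name"], severity))
    return findings

def kubelet_anonymous_enabled(cfg):
    """True when authentication.anonymous.enabled is set, i.e. the kubelet
    accepts requests without any credentials (the report's finding)."""
    return bool(cfg.get("authentication", {}).get("anonymous", {}).get("enabled"))
```

In a real cluster the same two functions would be fed the output of `kubectl get clusterrolebindings -o json` and the kubelet's configuration file, and every "critical" finding should be treated as an open administrative path rather than a hygiene item.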
Credential and Permissions Management: Regular rotation of credentials and implementation of Just-in-Time access mechanisms are essential to mitigate risks related to old or unused access keys. In addition, it is advisable to periodically audit permissions assigned to human and non-human identities, ensuring that they adhere to the principle of least privilege.
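The rotation rule quoted earlier from the report (rotate every three months, delete unused keys) and the periodic audit recommended here can be expressed as one check. This is an added example, not code from the report or from any cloud vendor's tooling: it runs over constructed access-key records in the shape of a credential report, with placeholder key ids and a fixed audit date so the result is reproducible.

```python
"""Flag access keys that break a 90-day rotation policy or are unused."""
from datetime import date, timedelta

ROTATE_AFTER = timedelta(days=90)   # "rotating every three months"
UNUSED_AFTER = timedelta(days=90)   # assumed threshold for "unused"

# Constructed sample records: (identity, key id, created, last used, active).
# Key ids are placeholders, not real identifiers.
SAMPLE_KEYS = [
    ("alice",      "KEY-PLACEHOLDER-1", date(2024, 9, 15), date(2024, 10, 29), True),
    ("build-bot",  "KEY-PLACEHOLDER-2", date(2024, 3, 1),  date(2024, 10, 28), True),
    ("old-intern", "KEY-PLACEHOLDER-3", date(2024, 1, 10), None,               True),
    ("backup-svc", "KEY-PLACEHOLDER-4", date(2024, 6, 1),  date(2024, 6, 2),   True),
    ("bob",        "KEY-PLACEHOLDER-5", date(2023, 1, 1),  date(2023, 5, 1),   False),
]

def audit_keys(keys, today):
    """Return {key_id: action} with action 'delete' or 'rotate'.

    Delete wins over rotate: a key nobody uses (or that is already inactive
    but still exists, so it could be re-enabled) has no reason to remain.
    Rotate applies to keys that are in use but older than ROTATE_AFTER."""
    actions = {}
    for _identity, key_id, created, last_used, active in keys:
        never_used = last_used is None
        stale = (not never_used) and (today - last_used > UNUSED_AFTER)
        if not active or never_used or stale:
            actions[key_id] = "delete"
        elif today - created > ROTATE_AFTER:
            actions[key_id] = "rotate"
    return actions

def summarize(actions):
    """Count actions so a review can be tracked over time as a metric."""
    counts = {"delete": 0, "rotate": 0}
    for action in actions.values():
        counts[action] += 1
    return counts
```

Running `audit_keys(SAMPLE_KEYS, date(2024, 10, 31))` marks one long-lived but active key for rotation and three others for deletion; the same loop applies unchanged to human and service identities, which is the least-privilege review the report calls for.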
“To ensure compliance in a growing regulatory environment, companies in Mexico should implement credential management systems that automate the rotation of passwords every three months. This proactive approach not only enhances security but also aligns with industry best practices, especially for regulated sectors that mandate such controls,” says Huber.
Vulnerability Prioritization: Rather than addressing all vulnerabilities uniformly, organizations should focus on those that present the greatest risk, especially those with high Vulnerability Priority scores. This approach involves directing remediation efforts toward the vulnerabilities that actually expose the organization to critical threats.
Minimize Public Exposure: Publicly exposed cloud assets need to be reviewed to ensure that such exposure is intentional and does not compromise sensitive information or critical infrastructure.
Huber emphasizes that, without Kubernetes, companies lose the ability to efficiently scale resources in response to demand, risking downtime during peak usage. “Attackers could exploit this access to deploy malicious assets, further compromising data integrity and security. Ultimately, Kubernetes serves as the orchestrator of all compute resources, and any breach can jeopardize the entire operational framework of an organization,” says Huber.