ChannelLife Australia - Industry insider news for technology resellers
Australia
Guides
#
cloud services
#
cybersecurity
#
distributors
#
microsoft
#
partner programmes
Search
Story image
#
Hyperscale
#
Public Cloud
#
Cloud Security

Poor cloud security leaves secrets & data at risk, report finds

Today
Author image
By Shannon Williams, Journalist

A new report from Tenable Research has detailed the ongoing risks facing organisations due to poor cloud security practices and widespread misconfigurations.

The 2025 Cloud Security Risk Report analyses data from global cloud systems spanning October 2024 to March 2025. It highlights significant vulnerabilities related to data exposure, identity management, cloud workloads, and the use of artificial intelligence resources. The findings indicate that sensitive information and credentials remain at risk due to inconsistent security implementations across major public cloud providers.

Exposure of sensitive data

According to Tenable Research, 9% of publicly accessible cloud storage contains sensitive data, and 97% of this content is classified as restricted or confidential. These circumstances increase the risk of exploitation, particularly when misconfigurations or embedded secrets are also present.

The report notes that cloud environments are subject to significantly heightened risk from exposed data, misconfigured access, and the insecure storage of secrets such as passwords, API keys, and other credentials. These issues are compounded by underlying vulnerabilities and inconsistent security practices across organisations using public cloud providers like Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

Secrets and workload security

The assessment documented that over half of organisations (54%) store at least one secret directly within AWS Elastic Container Service (ECS) task definitions, creating a direct attack path for threat actors. On GCP Cloud Run, similar patterns were observed, with 52% of organisations found to be storing secrets within resources, and 31% on Microsoft Azure Logic Apps workflows.

Furthermore, 3.5% of all AWS Elastic Compute Cloud (EC2) instances were identified as containing secrets within user data. AWS EC2's broad adoption means this level of exposure represents a substantial risk across the industry.

The report points to some improvement in cloud workload security: the prevalence of the so-called "toxic cloud trilogy"-a situation in which a workload is publicly exposed, critically vulnerable, and endowed with high privilege-has decreased from 38% to 29%. However, Tenable researchers note that this combination continues to represent a significant risk for businesses.

Issues in identity and access management

One significant finding relates to the use of Identity Providers (IdPs). The research indicates that 83% of AWS organisations employ IdP services to manage cloud identities, which is regarded as best practice. Despite this, risks persist due to permissive default settings, excessive entitlements, and lingering standing permissions that give rise to identity-based threats.

"Despite the security incidents we have witnessed over the past few years, organizations continue to leave critical cloud assets, from sensitive data to secrets, exposed through avoidable misconfigurations," said Ari Eitan, Director of Cloud Security Research, Tenable.

The report suggests that attackers are often able to find entry points with relative ease, exploiting public access, extracting embedded secrets, or misusing over-privileged identities.

Recommendations and risk management

"The path for attackers is often simple: exploit public access, steal embedded secrets or abuse overprivileged identities. To close these gaps, security teams need full visibility across their environments and the ability to prioritize and automate remediation before threats escalate. The cloud demands continuous, proactive risk management, and not reactive patchwork," added Eitan.

Tenable's analysis is based on telemetry collected from a diverse array of public cloud and enterprise environments and provides detailed insight into the cloud security challenges currently faced by businesses. The report offers practical recommendations to help security professionals reduce risks, mitigate vulnerabilities, and address gaps before they can be exploited.

The findings underline the necessity for organisations to adopt unified cloud exposure management, increase visibility across their cloud assets, and take a systematic approach to automation and remediation of security risks, particularly as cloud adoption and reliance on AI-driven resources continue to rise.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
UiPath launches next-generation automation platform in Australia
ReliaQuest report exposes rise of social engineering cyber threats
Samsung’s Solve for Tomorrow invites youth to tackle real issues
Oracle launches air-gapped cloud for security & sovereignty
Bitdefender to acquire Mesh, enhancing email security platform
Top stories
Nearly half of developers say over 50% of code is AI-generated
Thyssenkrupp boosts supply chain with Celonis AI technology
Nicola Gerber appointed Fastly Vice President for APJ growth drive
Cohesity & MongoDB expand integration for enterprise data resilience
Azul & Chainguard partner on zero-CVE Java containers