The Tenable Cloud Risk Report 2024 reveals current risks associated with cloud environments. According to the report, 38% of organizations across the globe are at risk of critical exposures due to a combination of security shortfalls. Organizations are at risk of a “toxic cloud triad”: highly privileged, critically vulnerable, and publicly exposed cloud workloads. This combination of security shortfalls may leave these environments susceptible to cyberattacks leading to application disruptions, system takeovers and data breaches.

The report found common issues such as high-risk entitlements, misconfigurations and vulnerabilities among identities, storage, workloads and containers. Key findings from the report include:

  • Most organizations (84.2%) have unused or longstanding access keys that have critical excessive permissions. 
  • There are critical or high severity excessive permissions in 23% of cloud identities.
  • 74% of organizations were found to have publicly exposed storage. 
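As an added illustration (not part of the report or this article), the Python sketch below shows the correlation the triad describes: public exposure, a critical vulnerability and excessive privilege are each ordinary findings on their own, and the risk the report highlights is their intersection on a single workload. It also flags the unused or long-idle access keys with excessive permissions from the findings list. The inventory, the set of actions treated as "highly privileged", the CVSS threshold and the 90-day idle window are all this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample inventory for this example; not data from the report.
@dataclass(frozen=True)
class Workload:
    name: str
    public: bool            # reachable from the internet
    max_cvss: float         # highest CVSS v3 base score among open findings
    permissions: frozenset  # IAM-style actions granted to the workload identity

@dataclass(frozen=True)
class AccessKey:
    key_id: str
    permissions: frozenset
    last_used: Optional[date]  # None means the key was never used

# Thresholds below are this example's assumptions, not the report's definitions.
ADMIN_ACTIONS = frozenset({"*", "iam:*", "iam:PassRole", "s3:*"})
CRITICAL_CVSS = 9.0   # CVSS v3 "Critical" band starts at 9.0
STALE_DAYS = 90       # idle longer than this counts as "longstanding"

def highly_privileged(perms: frozenset) -> bool:
    return bool(perms & ADMIN_ACTIONS)

def triad_workloads(workloads):
    """Publicly exposed AND critically vulnerable AND highly privileged.
    Each condition alone is a finding; the intersection is the triad."""
    return sorted(w.name for w in workloads
                  if w.public and w.max_cvss >= CRITICAL_CVSS
                  and highly_privileged(w.permissions))

def risky_stale_keys(keys, today):
    """Never-used or long-idle access keys that still carry admin rights."""
    return sorted(k.key_id for k in keys if highly_privileged(k.permissions)
                  and (k.last_used is None or (today - k.last_used).days > STALE_DAYS))

WORKLOADS = [
    Workload("web-frontend", True, 9.8, frozenset({"s3:GetObject"})),
    Workload("batch-runner", False, 9.1, frozenset({"*"})),
    Workload("api-gateway", True, 9.4, frozenset({"iam:PassRole", "ec2:Describe*"})),
    Workload("internal-db", False, 5.3, frozenset({"rds:Describe*"})),
]
KEYS = [  # key ids are placeholders
    AccessKey("AKIA-EXAMPLE-1", frozenset({"*"}), None),
    AccessKey("AKIA-EXAMPLE-2", frozenset({"s3:GetObject"}), date(2024, 1, 2)),
    AccessKey("AKIA-EXAMPLE-3", frozenset({"iam:*"}), date(2024, 9, 30)),
]
TODAY = date(2024, 10, 15)
```

Only `api-gateway` meets all three conditions: `web-frontend` is public and critically vulnerable but not privileged, and `batch-runner` is privileged and vulnerable but not exposed.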

Security leaders weigh in on the “toxic cloud triad”

Rom Carmel, Co-Founder and CEO at Apono:

“The ‘toxic cloud triad’ — a combination of publicly exposed, critically vulnerable, and highly privileged cloud workloads — poses a severe risk to business operations, increasing the likelihood of system takeovers, DDoS attacks, and ransomware incidents. Attackers who exploit this triad can gain unauthorized access to critical systems, leading to prolonged disruptions, data theft and the deployment of malicious software. DDoS attacks, as well as ransomware DDoS attacks, can render cloud services unavailable for a prolonged period of time, resulting in significant downtime, loss of revenue and erosion of customer trust. In the specific case of traditional ransomware, businesses may face operational paralysis, ransom demands, and legal penalties for exposed data, with long-term consequences that damage reputation and finances.

“To mitigate these risks, businesses that operate primarily in the cloud should adopt several best practices, including least-privilege access policies, just-in-time (JIT) access, and continuous vulnerability management to close security gaps before they are exploited. Network segmentation, multi-factor authentication and zero trust principles can further reduce exposure. Additionally, regular backups and comprehensive incident response plans are crucial for minimizing downtime and ensuring recovery in the event of an attack. By implementing these strategies, businesses can better safeguard their cloud environments and minimize the long-term impact of the toxic cloud triad.

“With the ballooning costs associated with data breaches, failure to address the misconfigurations and excessive entitlements that make up the ‘toxic cloud triad’ can have a huge financial impact on organizations, from downtime due to ransomware to soft costs like brand and reputational damage. Avoiding disaster relies on first addressing the root cause by establishing processes for monitoring and remediating misconfigurations, over-privilege and critical vulnerabilities in cloud environments. Moving to zero standing privilege and maturing DevSecOps practices are key strategies. It’s also critical to act as if a breach is going to happen. Continuing to invest in zero trust strategies for cloud environments, especially enforcement of a just-in-time and just-enough approach to access and permissions management, can significantly reduce the blast radius of a potential incident, limiting financial exposure.”

Jason Soroko, Senior Fellow at Sectigo:

“The ‘toxic cloud triad’ combines publicly exposed cloud workloads, critical vulnerabilities and excessive privileges. It’s a term that requires context to better understand where the responsibilities sit. The relatively recent technology behind workloads faces vulnerabilities like any other connected system. Much of this is open source and continually needs to go through thorough research. Exposed cloud workloads and excessive privileges are mostly configuration problems. This means that organizations that are using these technologies need to learn how to deploy them safely. Additionally, many of these systems are new and are not yet part of an internal governance program. It is likely that many implementations of container engines have private certificate authorities that are not visible, audited or configured securely.

“Cloud risks financially impact businesses by imposing both direct and indirect costs, with the average data breach nearing $5 million. Direct costs include incident response expenses, legal fees, regulatory fines and potential ransom payments. Indirect costs encompass lost revenue due to downtime, reputational damage leading to customer churn, and increased future cybersecurity insurance premiums. To minimize potential costs, companies should invest in proactive security measures such as comprehensive cloud security policies, regular security audits and employee training programs. Implementing incident response plans and conducting regular drills can enhance preparedness for potential breaches. Additionally, leveraging security automation and advanced threat detection tools can reduce the likelihood of successful attacks, thereby safeguarding the company's financial well-being.

“Organizations can balance cloud flexibility with stricter security measures by integrating security into every layer of their cloud infrastructure management, especially when dealing with complex environments like containers and Kubernetes. Adopting DevSecOps practices ensures that security considerations are embedded throughout the development and deployment processes without hindering agility. Utilizing automation tools for security tasks, such as automated vulnerability scanning and compliance checks, allows for rapid scaling while maintaining robust security. Implementing role-based access control (RBAC), network policies, and namespaces within Kubernetes clusters can restrict unauthorized access and limit potential damage from compromised components. Incorporating security policies as code and embedding security checks into CI/CD pipelines ensures consistent enforcement of security standards. By fostering a culture where security is a shared responsibility and leveraging advanced security technologies, organizations can achieve a harmonious balance between flexibility and stringent security requirements.” 

Mr. Ratan Tipirneni, President & CEO at Tigera:

“The ‘toxic cloud triad’ can leave a business operation very vulnerable to bad actors and open it to data exfiltration and ransomware threats. This can create existential threats for a business. They can be better prepared by:

  • Scanning for vulnerabilities in the pipeline, registry and at runtime
  • Using admission control to decide which images get promoted to production
  • Leveraging a service graph, which shows traffic flows to highly privileged workloads and egress traffic, to help prioritize vulnerabilities that need to be addressed immediately
  • Using a least-privilege model at the workload level to manage both ingress and egress access controls, to help minimize the blast radius of a compromised workload
  • Deploying a configuration security solution to ensure that everything in the cluster is hardened
  • Deploying runtime threat detection at both the container and network level to detect both known and unknown threats

“A data breach can create an existential risk for a business. At best, it may cause reputational damage from which a business may not be able to recover. The best thing that a company can do is to use a two-pronged approach to mitigate this risk. Start by deploying a security posture management solution comprising three pillars: (1) a vulnerability management solution, (2) a configuration security and compliance solution, and (3) a network security solution. The second part of the strategy is to deploy a runtime threat detection solution to detect both known and unknown threats across two pillars: (1) container-based threats and (2) network-based threats.

“The best way to balance the need for cloud flexibility with the necessity of stricter security measures is to set up security guardrails to protect against threats while also empowering the developer teams to set security policies for the services that they own and manage. Security and platform teams can leverage RBAC to get developers to participate in the design and implementation of security controls.”

Darren Guccione, CEO and Co-Founder at Keeper Security:

“The ‘toxic cloud triad’ of publicly exposed, critically vulnerable and highly privileged workloads creates a dangerous situation for businesses, where breaches become inevitable if left unaddressed. Long-term effects could include complete system takeovers — disrupting operations for days, if not weeks, and leading to financial losses and reputational damage. Other attacks such as DDoS or ransomware may also cripple critical services, resulting in downtime and requests for ransom payments. With the increasing sophistication of these attacks, businesses must prioritize proactive security measures.

“To enhance preparedness, companies should begin with regular security audits and continuous employee training to mitigate human error. Tightening access controls is essential, ensuring that only necessary users have access to sensitive systems and data, which reduces potential entry points for cybercriminals. 

“The near-$5 million cost of a data breach is a sobering figure, as it can devastate SMEs and severely impact larger enterprises. Direct financial losses can stem from system recovery, fines or ransoms — but business leaders must also consider indirect costs such as lost business, reduced productivity and increased insurance premiums. Organizations can minimize these potential costs by investing in security tools that automate threat detection, employing continuous monitoring and implementing a zero trust security architecture.”