Thursday, December 5, 2024

Are long-lived credentials the new Achilles' heel of cloud security?


The head of security advocacy at Datadog, a cloud-based monitoring and analytics platform, has urged companies in Australia and APAC to accelerate the phase-out of long-lived credentials for the major hyperscale cloud providers, warning that they continue to pose a serious risk of data breach.

Speaking with TechRepublic, Andrew Krug highlighted the findings of Datadog's State of Cloud Security 2024 report, which identified long-lived credentials as a persistent security risk factor. While credential management practices are improving, Krug said they are not moving quickly or effectively enough to mitigate the risk.

Long-lived credentials remain a major threat to cloud security

The report found that nearly half (46%) of organizations using AWS rely on IAM users for human access to cloud environments, a practice Datadog characterized as a form of long-lived credential. This was true even for organizations that used centralized identity management to grant access across multiple systems.

Moreover, nearly one in four relied solely on IAM users without implementing centralized federated authentication. According to Datadog, this highlights a persistent problem: while centralized identity management is becoming more common, unmanaged users with long-lived credentials still represent a significant security risk.

Nearly half of organizations using AWS are still using long-lived credentials. Source: Datadog

The prevalence of long-lived credentials spans all major cloud providers and often includes obsolete or unused credentials. The report found that 62% of Google Cloud service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications had access keys that were more than a year old.
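The age metric above is easy to reproduce against your own AWS account. The following is an added example, not Datadog's tooling or methodology: it takes records shaped like the output of `aws iam list-access-keys` joined with the `LastUsedDate` from `aws iam get-access-key-last-used`, flags active keys that are older than a year, never used, or idle for 90 days, and computes the share of active keys older than a year. The records and the reference date are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed sample records for this example (not data from the Datadog
# report), shaped like `aws iam list-access-keys` output joined with the
# LastUsedDate returned by `aws iam get-access-key-last-used`.
SAMPLE_KEYS = [
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAZZZZEXAMPLE00001", "Status": "Active",
     "CreateDate": "2022-03-14T09:12:00Z", "LastUsedDate": "2024-11-30T08:00:00Z"},
    {"UserName": "alice", "AccessKeyId": "AKIAZZZZEXAMPLE00002", "Status": "Active",
     "CreateDate": "2024-10-01T10:00:00Z", "LastUsedDate": "2024-12-04T17:45:00Z"},
    {"UserName": "legacy-batch", "AccessKeyId": "AKIAZZZZEXAMPLE00003", "Status": "Active",
     "CreateDate": "2021-06-01T00:00:00Z", "LastUsedDate": None},
    {"UserName": "bob", "AccessKeyId": "AKIAZZZZEXAMPLE00004", "Status": "Inactive",
     "CreateDate": "2023-01-10T12:00:00Z", "LastUsedDate": "2023-02-01T12:00:00Z"},
    {"UserName": "svc-reporting", "AccessKeyId": "AKIAZZZZEXAMPLE00005", "Status": "Active",
     "CreateDate": "2024-07-01T08:00:00Z", "LastUsedDate": "2024-08-15T08:00:00Z"},
]

# Fixed reference time (the article's date) so the example is reproducible.
REFERENCE_NOW = datetime(2024, 12, 5, tzinfo=timezone.utc)


def _parse(ts):
    """Parse the ISO-8601 UTC timestamps the AWS CLI emits (trailing 'Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_access_keys(keys, now=REFERENCE_NOW, max_age_days=365, idle_days=90):
    """Return one finding per *active* key that is older than max_age_days,
    has never been used, or has not been used within idle_days."""
    findings = []
    for key in keys:
        if key["Status"] != "Active":
            continue  # an inactive key cannot authenticate; delete it separately
        age_days = (now - _parse(key["CreateDate"])).days
        reasons = []
        if age_days > max_age_days:
            reasons.append(f"created {age_days} days ago")
        last_used = key.get("LastUsedDate")
        if last_used is None:
            reasons.append("never used")
        else:
            idle = (now - _parse(last_used)).days
            if idle > idle_days:
                reasons.append(f"unused for {idle} days")
        if reasons:
            findings.append({"UserName": key["UserName"],
                             "AccessKeyId": key["AccessKeyId"],
                             "reasons": reasons})
    return findings


def share_older_than(keys, now=REFERENCE_NOW, days=365):
    """Fraction of active keys older than `days` (the metric the report cites)."""
    active = [k for k in keys if k["Status"] == "Active"]
    old = [k for k in active if (now - _parse(k["CreateDate"])).days > days]
    return len(old) / len(active) if active else 0.0


if __name__ == "__main__":
    for f in audit_access_keys(SAMPLE_KEYS):
        print(f"{f['UserName']:<14} {f['AccessKeyId']}: {', '.join(f['reasons'])}")
    print(f"active keys older than a year: {share_older_than(SAMPLE_KEYS):.0%}")
```

On the constructed data, three of the four active keys are flagged and half of them are older than a year. The idle check matters as much as the age check: a key that is old but used every day is at least known, while an old key nobody uses is a liability that only an attacker will ever exercise.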

Long-lived credentials carry significant data breach risk

According to Datadog, long-lived cloud credentials never expire and frequently leak into source code, container images, build logs, and application artifacts. Previous investigations by the company have shown them to be the most common cause of publicly documented cloud security breaches.


Krug said there are mature tools on the market, such as static code analysis, to ensure secrets do not end up in production environments. Datadog's report also notes the rise of IMDSv2 enforcement on AWS EC2 instances, an important security mechanism for blocking credential theft from the instance metadata service.
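The kind of check a secret scanner performs over the artifacts named above, as an added example that is not code from the article or from Datadog: it scans constructed excerpts of a build log, a Dockerfile and a settings file for AWS access key IDs and secret access keys, and distinguishes long-term IAM user keys (access key IDs beginning with `AKIA`) from temporary STS credentials (beginning with `ASIA`), since only the former never expire. The file names and key values are made up for the example.

```python
import re

# Constructed artifact excerpts for this example; the keys are made up and
# only follow the AWS key-ID format (AKIA... long-term, ASIA... temporary).
SAMPLE_ARTIFACTS = {
    "build.log": [
        "[12:01:03] Step 4/9 : RUN npm ci",
        "[12:01:09] + export AWS_ACCESS_KEY_ID=AKIAZZZZEXAMPLE00001",
        "[12:01:09] + export AWS_SECRET_ACCESS_KEY=0123456789abcdefghijABCDEFGHIJ/+example=",
        "[12:01:10] + aws s3 cp dist/ s3://reports-prod/ --recursive",
    ],
    "Dockerfile": [
        "FROM python:3.12-slim",
        'ENV AWS_ACCESS_KEY_ID="ASIAZZZZEXAMPLE00002"',
        "COPY . /app",
    ],
    "settings.py": [
        "S3_BUCKET = 'reports-prod'",
        "AWS_ACCESS_KEY_ID = 'AKIAZZZZEXAMPLE00003'",
        "aws_secret_access_key = '0123456789abcdefghijABCDEFGHIJ/+example='",
    ],
}

# Access key IDs are 20 characters: a 4-character prefix plus 16 base-32 chars.
ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret access key is 40 base-64 characters. Requiring a nearby variable
# name avoids false positives on unrelated 40-char strings such as git SHA-1s.
SECRET_KEY = re.compile(
    r"(?i)aws_?secret_?access_?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def _redact(value):
    """Keep enough of the value to locate it, never enough to use it."""
    return value[:4] + "..." + value[-4:]


def scan_artifacts(artifacts):
    """Scan {filename: [lines]} and return findings with the secret redacted."""
    findings = []
    for name, lines in artifacts.items():
        for lineno, line in enumerate(lines, 1):
            for m in ACCESS_KEY_ID.finditer(line):
                key_id = m.group(1)
                kind = "long-term-key-id" if key_id.startswith("AKIA") else "temporary-key-id"
                findings.append({"file": name, "line": lineno, "kind": kind,
                                 "value": _redact(key_id)})
            for m in SECRET_KEY.finditer(line):
                findings.append({"file": name, "line": lineno,
                                 "kind": "secret-access-key", "value": _redact(m.group(1))})
    return findings


def should_block(findings):
    """Fail the pipeline on anything that does not expire by itself: a long-term
    key ID or any secret access key. A temporary (ASIA) key ID alone is reported
    but does not block, because the STS credentials it belongs to expire."""
    return any(f["kind"] in ("long-term-key-id", "secret-access-key") for f in findings)


if __name__ == "__main__":
    results = scan_artifacts(SAMPLE_ARTIFACTS)
    for f in results:
        print(f"{f['file']}:{f['line']} {f['kind']} {f['value']}")
    print("block build:", should_block(results))
```

Pattern matching like this is the cheap first layer; the tools Krug refers to add entropy checks, provider-specific validators and, for AWS keys, an optional live check that the key still works so the rotation can be prioritized.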

Long-lived credentials are becoming less common, but change is too slow

Steps have been taken to mitigate the problem, such as the launch of AWS IAM Identity Center, which allows organizations to centrally manage access to AWS accounts and applications. While companies are in the process of switching to the service, Krug said, "I just don't know if everyone considers this to be their top priority."

"It definitely should be, because if you look at the last 10 years of data breaches, the number one issue is that long-lived access key pairs have been the root cause of those data breaches, combined with overly permissive access," he explained. "If we remove one side of that, we really significantly reduce the risk to the business."

The problem of long-lived credentials is not unique to APAC: it is a global problem

According to Krug, APAC is no different from the rest of the world. With no regulation governing the management of long-lived cloud credentials in any particular jurisdiction, companies around the world use similar approaches with the same cloud providers, often across multiple global jurisdictions.

What is stopping long-lived credentials from being abandoned?

The effort required to transition teams to single sign-on and temporary credentials has slowed adoption of these practices. Krug said the "lift and shift" involved in migrating development workflows to single sign-on can be considerable. That is partly because of the mindset shift required and partly because organizations need to provide adequate support and guidance to help teams adapt.

Many cloud credentials are more than a year old. Source: Datadog

However, he noted that tools like AWS IAM Identity Center, which has been available for three years, have made this transition more feasible. These tools are designed to reduce developer friction by simplifying the authentication process, minimizing the need to repeatedly log in with MFA, and keeping workflows efficient.


"AWS Identity Center is a great product and allows for these very seamless user flows, but people are still halfway through migrating to it," Krug said.

What should you do with your long-lived credentials?

The Datadog report warned that it is unrealistic to expect long-lived credentials to be managed securely. The vendor recommends that companies adopt secure identities with modern authentication mechanisms, leverage short-lived credentials, and actively monitor changes to the APIs commonly used by attackers.

"Organizations should leverage mechanisms that provide temporary, time-bound credentials," the report says.

Workloads: For workloads, Datadog said this can be achieved with IAM roles for EC2 instances or EKS Pod Identity on AWS, managed identities on Microsoft Azure, and service accounts attached to workloads on Google Cloud, assuming the organization uses the major global hyperscalers.

Humans: For human users, Datadog said the simplest solution is to centralize identity management using a solution such as AWS IAM Identity Center, Okta, or Microsoft Entra ID, and to avoid creating an individual cloud user for each employee, which it described as "highly inefficient and risky."
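For the human side of that recommendation, the place long-lived keys usually hide is the developer's own `~/.aws/credentials` file, even after the organization has rolled out IAM Identity Center. The following is an added example, not code from the article or from Datadog: it parses constructed `~/.aws/config` and `~/.aws/credentials` contents and classifies each profile by how it obtains credentials. The section and key names (`sso-session`, `sso_session`, `role_arn`, `credential_process`, `aws_session_token`) are the ones the AWS CLI reads; the profiles, account IDs, URLs and keys are made up.

```python
import configparser

# Constructed ~/.aws/config and ~/.aws/credentials contents for this example.
# Section and key names are the AWS CLI's own; the values are made up.
SAMPLE_CONFIG = """\
[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-southeast-2
sso_registration_scopes = sso:account:access

[profile dev-sso]
sso_session = corp
sso_account_id = 111111111111
sso_role_name = DeveloperAccess
region = ap-southeast-2

[profile admin]
role_arn = arn:aws:iam::111111111111:role/Admin
source_profile = dev-sso

[profile legacy]
region = us-east-1
"""

SAMPLE_CREDENTIALS = """\
[legacy]
aws_access_key_id = AKIAZZZZEXAMPLE00004
aws_secret_access_key = 0123456789abcdefghijABCDEFGHIJ/+example=

[ci-bot]
aws_access_key_id = ASIAZZZZEXAMPLE00005
aws_secret_access_key = 0123456789abcdefghijABCDEFGHIJ/+example=
aws_session_token = made-up-session-token-for-the-example
"""


def _load(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def load_profiles(config_text, credentials_text):
    """Merge both files into {profile_name: {key: value}}. In the config file
    non-default profiles are written as [profile NAME]; [sso-session NAME]
    sections describe a login portal, not a profile, and are skipped."""
    profiles = {}
    cfg = _load(config_text)
    for section in cfg.sections():
        if section.startswith("sso-session "):
            continue
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles.setdefault(name, {}).update(cfg[section])
    creds = _load(credentials_text)
    for section in creds.sections():
        profiles.setdefault(section, {}).update(creds[section])
    return profiles


def classify(profile):
    """Order matters: a profile that logs in via Identity Center or assumes a
    role never holds a long-term key, whatever else is in the section."""
    if "sso_session" in profile or "sso_start_url" in profile:
        return "identity-center"     # short-lived, obtained via browser login
    if "role_arn" in profile:
        return "assumed-role"        # STS-issued credentials, expire
    if "credential_process" in profile:
        return "external-process"    # helper decides; review it separately
    if "aws_access_key_id" in profile:
        # A session token means the static entry is an STS credential and will expire.
        return "temporary-static" if "aws_session_token" in profile else "long-lived-static"
    return "no-credentials"


def find_long_lived(config_text, credentials_text):
    """Names of profiles that still carry a never-expiring IAM user key."""
    profiles = load_profiles(config_text, credentials_text)
    return sorted(name for name, p in profiles.items()
                  if classify(p) == "long-lived-static")


if __name__ == "__main__":
    for name, p in load_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS).items():
        print(f"{name:<10} {classify(p)}")
    print("long-lived:", find_long_lived(SAMPLE_CONFIG, SAMPLE_CREDENTIALS))
```

Run against real files, the `long-lived-static` profiles are the ones to migrate to an `sso_session`-backed profile and then to delete on the IAM side; deleting only the local file leaves the key valid until the IAM user's access key is itself deactivated.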
