New Delhi, Aug. 8 -- For CISOs and security leaders, the term "cloud security" usually brings to mind the familiar struggle with firewalls, access controls, and data encryption. Attackers, however, are exploiting blind spots in dynamic cloud environments, creating a greater threat: the leakage of "secrets." These aren't just confidential documents; they are the digital master keys to your kingdom. When these secrets fall into the wrong hands, the consequences are far-reaching.

What are cloud secrets and why do they matter?

The cloud operates as an intricate network of applications, services, and users, continuously authenticating and authorising interactions between human and non-human identities. Machine identities enable secure software communication or automated database access. The cloud stores a multitude of "secrets," including API keys, database credentials, cloud provider access keys, authentication tokens, and encryption keys. These are the programmatic equivalents of a root user login, granting full control over cloud resources.

The widespread nature of these secrets within cloud environments makes them highly appealing targets for attackers, like bees to pollen. A single compromised secret can open up attack vectors, potentially leading to data exfiltration, AI system compromise, and even a complete takeover of cloud infrastructure.

Why are secrets leaking?

Secrets rarely escape through a direct, frontal assault, which raises the question: are organisations unaware that their data is publicly accessible, or are they unaware that their data is sensitive? Here are the culprits:

Overly permissive users: Developers are given privileged access for short-term use, but these accounts are frequently forgotten and eventually become permanent. Permission structures are further weakened by inconsistent access policies or overlapping roles, inadequate monitoring, and even the false belief that cloud service providers offer sufficient protection on their own.

Secrets exposed in the cloud: Cloud infrastructure secrets account for 15% of all exposed secrets in public code repositories, making them the third largest category of exposed secrets, after web app infrastructure (39%) and development and continuous integration/deployment (CI/CD) (32%). What increases the risk is that sensitive secrets, API keys, credentials, and tokens are scattered across misconfigured cloud resources, and are sometimes publicly exposed. Tenable's Cloud Security Risk Report found that more than half of organisations have secrets exposed in Elastic Container Service (ECS) task definitions, the configurations used to run containerised applications. This points to inadequate secret management practices: an attacker who gains access to these configurations can read the secrets directly. A major reason for the presence of sensitive data in public storage may be that organisations are unaware of the sensitivity level of the data.

Relying on ad-hoc methods like shared spreadsheets, plain text files, or chat messages for storing and distributing secrets is an open invitation to disaster. These methods offer no auditing, rotation, or centralised control, making it impossible to track or revoke access effectively.

Secrets can be leaked through many means, including Git repositories, public storage and logs. Understanding where secrets reside and how they are used and by whom is crucial for effective cloud risk management.

Preventing secret leaks

A mature cloud security strategy requires moving beyond static defences to actively managing your entire attack surface. To reduce sensitive data exposure, continuously monitor for public access, especially from third parties, and automate the detection of misconfigured storage. Use modern exposure management tools to map complex asset and identity relationships across hybrid environments, allowing you to spot and prioritise critical, cross-cloud attack paths.

This proactive posture must be paired with strong data governance, making secrets management a core pillar of your approach. Leverage the mature, native secrets management tools offered by major cloud providers, as their seamless integration with Identity and Access Management (IAM) frameworks is essential for enforcing least privilege, reducing sprawl, and improving auditability.
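The ECS task-definition finding above, and the recommendation to move secrets into the provider's native secrets store, can be turned into a concrete check. The following is an added example, not Tenable's or AWS's code: it scans a constructed task definition for credentials stored as plaintext environment variables and rewrites them as `secrets[]` references, assuming the standard ECS task definition JSON layout and a placeholder Secrets Manager ARN prefix.

```python
"""Flag plaintext secrets in an ECS task definition and emit the remediated form.
Added example, not Tenable's or AWS's code. Assumes the standard layout: plaintext
name/value pairs in containerDefinitions[].environment[], and name/valueFrom pairs
in containerDefinitions[].secrets[] resolved from Secrets Manager at launch."""
import copy
import json
import re

# Variable names that usually carry credentials, and values that look like one
# whatever the name (AWS access key id, PEM private key header).
SENSITIVE_NAME = re.compile(r"secret|password|passwd|token|api[_-]?key|access[_-]?key|private[_-]?key", re.I)
SENSITIVE_VALUE = re.compile(r"AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Constructed sample: two credentials leaked as plaintext, one referenced correctly.
SAMPLE_TASK_DEF = json.loads("""{
  "family": "billing-api",
  "containerDefinitions": [{
    "name": "api",
    "environment": [
      {"name": "DB_HOST", "value": "db.internal"},
      {"name": "DB_PASSWORD", "value": "hunter2-constructed"},
      {"name": "CLOUD_KEY", "value": "AKIAEXAMPLEEXAMPLE01"}
    ],
    "secrets": [{"name": "STRIPE_TOKEN",
                 "valueFrom": "arn:aws:secretsmanager:eu-west-1:111111111111:secret:stripe-AbCdEf"}]
  }]
}""")

def find_plaintext_secrets(task_def):
    """Return (container, variable) pairs whose plaintext value looks like a credential."""
    hits = []
    for c in task_def.get("containerDefinitions", []):
        for env in c.get("environment", []):
            if SENSITIVE_NAME.search(env["name"]) or SENSITIVE_VALUE.search(env.get("value", "")):
                hits.append((c["name"], env["name"]))
    return hits

def move_to_secret_references(task_def, arn_prefix):
    """Copy task_def, turning each flagged variable into a secrets[] reference under
    arn_prefix (a placeholder: the secret itself is created and rotated out of band)."""
    fixed = copy.deepcopy(task_def)
    flagged = set(find_plaintext_secrets(task_def))
    for c in fixed.get("containerDefinitions", []):
        keep, refs = [], c.setdefault("secrets", [])
        for env in c.get("environment", []):
            if (c["name"], env["name"]) in flagged:
                refs.append({"name": env["name"], "valueFrom": arn_prefix + env["name"]})
            else:
                keep.append(env)
        c["environment"] = keep
    return fixed
```

Run the scan over the output of `aws ecs describe-task-definition` for each active family; a non-empty result is the finding the report describes, and the rewritten definition is what the task should register once the secret exists in Secrets Manager.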

Finally, evolve your identity security by implementing Just-in-Time (JIT) access to eliminate standing permissions. By building on your existing Identity Provider to enforce time-bound, temporary access, ideally delivered through your team's go-to collaboration tools, you can ensure entitlements are granted only when, and for as long as, they are needed.

By treating your cloud secrets as the invaluable assets they are and implementing a comprehensive secrets management strategy, you can significantly reduce your organisation's attack surface and safeguard your most critical digital keys.

(Rajnish Gupta is Managing Director and Country Manager at Tenable India)

Published by HT Digital Content Services with permission from TechCircle.