Are long-lived credentials the new Achilles' heel for cloud security?

The head of security at Datadog, a cloud-based monitoring and analytics platform, has urged companies in Australia and the APAC region to accelerate the elimination of long-lived credentials for popular large-scale cloud services, warning that they remain a serious data-breach risk.

Speaking to TechRepublic, Andrew Krug highlighted the findings of Datadog's State of Cloud Security 2024 report, which identified long-lived credentials as a persistent security risk factor. While credential management practices are improving, Krug noted that they are not advancing as quickly or as effectively as needed to mitigate the risk.

Long-lived credentials still pose a major threat to cloud security

The report revealed that nearly half (46%) of organizations using AWS rely on IAM users for human access to cloud environments, a practice Datadog calls a form of long-lived credentialing. This was true even for organizations that used centralized identity management to secure access across multiple systems.

Additionally, almost one in four relied solely on IAM users without implementing centralized federated authentication. According to Datadog, this highlights a persistent problem: while centralized identity management is becoming more common, unmanaged users with long-lived credentials continue to pose a significant security risk.

Nearly half of organizations using AWS still use long-lived credentials. Source: Datadog

The prevalence of long-lived credentials spans all major cloud providers and often includes outdated or unused access keys. The report found that 62% of Google Cloud service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications had access keys that were older than a year.

Long-lived credentials pose a major risk of data breach

According to Datadog, long-lived cloud credentials never expire and are often leaked in source code, container images, build logs, and application artifacts. Past research conducted by the company has shown that they are the most common cause of publicly documented cloud security breaches.

Krug said there are mature tools on the market, such as static code analysis, to ensure secrets do not end up in production environments. Datadog's report also notes the increased adoption of IMDSv2 on AWS EC2 instances, an important security mechanism for blocking credential theft.

There are fewer long-lived credentials, but change is too slow

Steps have been taken to mitigate the problem, such as AWS' launch of IAM Identity Center, which allows organizations to centrally manage access to AWS applications. As companies are in the process of transitioning to the service, Krug said, "I don't know if everybody considers this their top priority."

"It definitely should be, because if we look at the last 10 years of data breaches, the main theme is that long-lived key pairs have been the primary cause of such data breaches, combined with overly permissive access," he explained. "If we eliminate one side of this, we really significantly reduce the risk to the company."

The problem of long-lived credentials is not unique to APAC; it is a global problem

According to Krug, APAC is no different from the rest of the world. With no regulation governing the management of long-lived cloud credentials in any particular jurisdiction, companies around the world are using similar approaches with the same cloud providers, often across multiple international jurisdictions.

What prevents the abandonment of long-lived credentials?

The effort required to transition teams to single sign-on and temporary credentials has slowed the adoption of these practices. Krug said the "lift and shift" involved in migrating development workflows to single sign-on can be considerable. This is partly because of the change in mindset required and partly because organizations need to provide adequate support and guidance to help teams adapt.

Many cloud credentials are more than a year old. Source: Datadog

However, he noted that tools like AWS Identity Center, which has been available for three years, have made this transition more feasible. These tools are designed to reduce developer friction by simplifying the authentication process, minimizing the need for repeated MFA logins, and keeping workflows efficient.

"AWS Identity Center is a great product and allows for very easy user flows, but people are still halfway through migrating to it," Krug said.

What should you do with your long-lived credentials?

Datadog's report warns that it is unrealistic to expect long-lived credentials to be managed securely. The vendor recommends that companies adopt secure identities with modern authentication mechanisms, use short-lived credentials, and actively monitor changes to the APIs commonly used by attackers.

"Organizations should leverage mechanisms that provide temporary, time-limited credentials," the report states.

Workloads: For workloads, Datadog said this can be achieved with IAM roles for EC2 instances or EKS Pod Identity in AWS, managed identities in Microsoft Azure, and workload-linked service accounts in Google Cloud, if your organization uses the major global hyperscalers.

Humans: For human users, Datadog said the best solution is to centralize identity management using a solution like AWS IAM Identity Center, Okta, or Microsoft Entra ID, and to avoid creating an individual cloud user for each employee, which it labeled "highly inefficient and risky."
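One practical way to act on the report's finding that many IAM user access keys are older than a year, and on its recommendation to monitor for such credentials, is to audit the AWS IAM credential report for active keys that are overdue for rotation or no longer used. The script below is an added example, not code from the article or from Datadog; it uses the column names of the real credential report CSV, but the rows and the fixed "now" timestamp are constructed sample data, and the 365-day and 90-day thresholds are assumptions.

```python
"""Flag long-lived and stale IAM user access keys from an AWS credential report (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows using a subset of the real credential report columns.
SAMPLE_REPORT = """user,arn,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2021-03-01T09:00:00+00:00,true,2021-03-01T09:00:00+00:00,2024-10-30T11:15:00+00:00
alice,arn:aws:iam::123456789012:user/alice,2023-11-20T14:00:00+00:00,true,2024-09-01T08:00:00+00:00,2024-10-29T07:45:00+00:00
legacy-export,arn:aws:iam::123456789012:user/legacy-export,2019-06-15T10:00:00+00:00,true,2019-06-15T10:00:00+00:00,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-01-10T12:00:00+00:00,false,2022-01-10T12:00:00+00:00,2022-05-01T12:00:00+00:00
"""

# Fixed reference time so the sample is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 11, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Credential report timestamps are ISO 8601; empty fields appear as N/A or no_information."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def find_risky_keys(report_csv, now=NOW, max_age_days=365, max_idle_days=90):
    """Return [(user, reason), ...] for active access keys that are older than
    max_age_days (the report's 'older than a year' condition) or unused for max_idle_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["access_key_1_active"] != "true":
            continue  # an inactive key cannot be used, so rotation age is not a live risk
        rotated = parse_ts(row["access_key_1_last_rotated"])
        last_used = parse_ts(row["access_key_1_last_used_date"])
        age = now - rotated
        if age > timedelta(days=max_age_days):
            findings.append((row["user"], f"key older than {max_age_days} days ({age.days} days)"))
        # A key that is active but never or rarely used is a pure liability: revoke it.
        if last_used is None or now - last_used > timedelta(days=max_idle_days):
            findings.append((row["user"], f"key active but unused for more than {max_idle_days} days"))
    return findings


if __name__ == "__main__":
    for user, reason in find_risky_keys(SAMPLE_REPORT):
        print(f"{user}: {reason}")
```

A real report is produced with `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose base64-decoded body can be passed straight to `find_risky_keys`.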
