The head of security advocacy at Datadog, a cloud-based monitoring and analytics platform, has urged enterprises in Australia and the APAC region to accelerate the phasing out of long-lived credentials for the major hyperscale cloud providers, warning that they remain a critical data breach risk.
Speaking with TechRepublic, Andrew Krug highlighted findings from Datadog's State of Cloud Security 2024 report, which identified long-lived credentials as a persistent security risk factor. While credential management practices are improving, Krug noted they are not advancing as quickly or as effectively as needed to mitigate the risk.
Long-lived credentials are still a major threat to cloud security
The report found that almost half (46%) of organisations using AWS rely on IAM users for human access to cloud environments, a practice Datadog classed as a form of long-lived credential, because an IAM user's access keys are static and never expire on their own. This was true even for organisations that already use centralised identity management to grant access across multiple systems.
Moreover, almost one in four relied solely on IAM users without implementing centralised federated authentication. According to Datadog, this highlights a persistent issue: while centralised identity management is becoming more common, unmanaged users with long-lived credentials continue to pose a significant security risk.
The prevalence of long-lived credentials spans all major cloud providers and often includes outdated or unused access keys. The report found that 62% of Google Cloud service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications had access keys that were more than a year old.
Long-lived credentials carry a significant risk of data breaches
Long-lived cloud credentials never expire and are frequently leaked in source code, container images, build logs, and application artifacts, according to Datadog. Previous research by the company has shown they are the most common cause of publicly documented cloud security breaches.
SEE: The top 5 cybersecurity trends for 2025
Krug said there is mature tooling available to ensure secrets do not end up in production environments, such as static code analysis and secret scanning of repositories and build output. Datadog's report also notes the rise of IMDSv2 enforcement on AWS EC2 instances, an important security mechanism for blocking credential theft: IMDSv2 requires every metadata request to carry a session token that must first be obtained with a PUT request, which defeats the simple GET-based SSRF and proxy attacks that have been used to steal instance role credentials from the metadata service.
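As an added illustration of the "secrets in build logs" problem described above (example code written for this page, not Datadog's tooling or part of the report), the scanner below walks text such as CI output or source files and flags AWS credential material. It distinguishes long-lived IAM user key IDs (prefix AKIA) from temporary STS key IDs (prefix ASIA), which expire on their own and are far less interesting to an attacker, and it can redact what it finds so the log can still be retained. The sample log is constructed; the key values are the placeholders AWS uses in its own documentation.

```python
import re
from dataclasses import dataclass

# An AWS access key ID is a 4-letter prefix followed by 16 uppercase
# alphanumerics. The lookbehind/lookahead stop us matching inside a longer
# run of such characters. "AKIA" keys belong to long-lived IAM users;
# "ASIA" keys are temporary STS credentials (they also need a session
# token and expire by themselves).
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)([A-Z0-9]{16})(?![A-Z0-9])")

# A secret access key is 40 base64-like characters. That pattern alone is
# far too noisy, so it is only flagged when it sits next to the well-known
# variable name (case-insensitive).
AWS_SECRET = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass
class Finding:
    line: int
    kind: str   # "long-lived-key-id", "temporary-key-id" or "secret-access-key"
    value: str


def scan_text(text: str) -> list[Finding]:
    """Return every credential-looking token found in the text, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            kind = "long-lived-key-id" if m.group(1) == "AKIA" else "temporary-key-id"
            findings.append(Finding(lineno, kind, m.group(0)))
        for m in AWS_SECRET.finditer(line):
            findings.append(Finding(lineno, "secret-access-key", m.group(1)))
    return findings


def long_lived_findings(findings: list[Finding]) -> list[Finding]:
    """Only the findings worth paging someone about: static keys and secrets."""
    return [f for f in findings if f.kind != "temporary-key-id"]


def redact(text: str) -> str:
    """Mask credential material in place so the log can be kept without the secret."""
    text = AWS_KEY_ID.sub(lambda m: m.group(1) + "*" * 12 + m.group(2)[-4:], text)
    text = AWS_SECRET.sub(lambda m: m.group(0).replace(m.group(1), "*" * 40), text)
    return text


# Constructed sample: a CI build log in which a debugging step echoed a
# developer's IAM user key next to the temporary key of the runner's assumed
# role. Both key values are AWS documentation placeholders, not real keys.
SAMPLE_LOG = """\
[build] resolving credentials
[build] AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE (from assumed role ci-deploy)
[build] running deploy.sh
+ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[build] upload complete
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line}: {f.kind}: {f.value}")
    print(redact(SAMPLE_LOG))
```

Run as a pre-commit hook or a CI step, a failure on any `long_lived_findings` result is the cheap control Krug is describing; the temporary-key findings are still useful as a signal that credentials are being echoed at all.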
There are fewer long-lived credentials, but change is too slow
There have been moves to mitigate the problem, such as AWS launching IAM Identity Center, which allows organisations to centrally manage access to AWS accounts and applications through federated, short-lived sessions. While companies are in the process of switching to the service, Krug said, "I just don't know that everyone considers this their highest priority."
"It definitely should be, because if we look at the last 10 years of data breaches, the primary theme is that long-lived access key pairs were the root cause of those data breaches combined with overly permissive access," he explained. "If we eliminate one side of that, we really substantially reduce the risk for the business."
The long-lived credentials problem isn't unique to APAC: it's a global issue
According to Krug, APAC is no different from the rest of the world. With no regulation governing the management of long-lived credentials in the cloud in any particular jurisdiction, companies worldwide use similar approaches with the same cloud providers, often across multiple jurisdictions.
What's stopping the move away from long-lived credentials?
The effort required to transition teams to single sign-on and short-term credentials has slowed the adoption of these practices. Krug said the "lift and shift" involved in migrating development workflows to single sign-on can be considerable. That is partly because of the mindset shift required and partly because organisations must provide adequate support and guidance to help teams adapt.
However, he noted that tools like AWS IAM Identity Center, which has been available for three years, have made this transition more feasible. These tools are designed to reduce developer friction by streamlining the authentication process, minimising the need for repeated MFA sign-ins, and keeping workflows efficient.
SEE: How AI is amplifying the risks of data in the cloud
"AWS Identity Centre is a great product and enables these very seamless user flows, but folks are still midstream in migrating to it," Krug said.
What should you do with your long-lived credentials?
Datadog's report warned that it is unrealistic to expect long-lived credentials to be securely managed. The vendor recommends that companies adopt secure identities with modern authentication mechanisms, use short-lived credentials, and actively monitor the API calls that attackers commonly make with stolen credentials.
"Organisations should leverage mechanisms that provide time-bound, temporary credentials," the report said.
Workloads: For workloads, Datadog said this can be achieved with IAM roles for EC2 instances or EKS Pod Identity in AWS, Managed Identities in Microsoft Azure, and service accounts attached to workloads in Google Cloud, if the organisation uses the major global hyperscalers.
Humans: For human users, Datadog said the most effective solution is to centralise identity management using a solution like AWS IAM Identity Center, Okta, or Microsoft Entra ID, and to avoid creating an individual cloud user for each employee, a practice it labelled "highly inefficient and risky."
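Before any migration, most teams first need to know how many of the long-lived credentials the report counts actually exist in their own account. As an added example written for this page (not Datadog's code and not part of the report), the audit below reads the CSV that AWS returns from `aws iam generate-credential-report` followed by `aws iam get-credential-report` and flags the cases the article describes: active access keys older than the report's one-year threshold, active keys that are never or no longer used, IAM users that are clearly human because they have a console password, and any active key on the root account. The one-year threshold is the report's; the 90-day "unused" threshold is an assumption chosen here. The sample report is constructed and uses a placeholder account ID; the real report has further columns (certificates, last-used region and service) that the code simply ignores.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=365)   # the report's "more than a year old" threshold
UNUSED_AFTER = timedelta(days=90)   # assumed threshold for "unused"; not from the report


@dataclass
class Finding:
    user: str
    item: str    # "access_key_1", "access_key_2" or "password"
    issue: str


def _parse_ts(value: str):
    """Credential-report timestamps are ISO 8601; absent values are N/A-style strings."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(csv_text: str, now: datetime,
                            max_age: timedelta = MAX_KEY_AGE,
                            unused_after: timedelta = UNUSED_AFTER) -> list[Finding]:
    """Flag long-lived, unused and human-held credentials in an IAM credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            if user == "<root_account>":
                # Root should never have a static key, whatever its age.
                findings.append(Finding(user, slot, "root-access-key-active"))
            rotated = _parse_ts(row[f"{slot}_last_rotated"])
            if rotated is not None and now - rotated > max_age:
                findings.append(Finding(user, slot, "key-older-than-max-age"))
            last_used = _parse_ts(row[f"{slot}_last_used_date"])
            if last_used is None:
                findings.append(Finding(user, slot, "active-key-never-used"))
            elif now - last_used > unused_after:
                findings.append(Finding(user, slot, "active-key-unused"))
        # A console password means a person signs in as this IAM user directly,
        # i.e. the "human access via IAM user" pattern the report counts.
        if row["password_enabled"] == "true":
            findings.append(Finding(user, "password", "human-access-via-iam-user"))
    return findings


# Constructed sample report (reduced column set; account ID is a placeholder).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-15T08:00:00+00:00,not_supported,2024-09-01T12:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-02T10:00:00+00:00,true,2024-10-28T09:12:00+00:00,2024-04-01T10:00:00+00:00,N/A,true,true,2024-06-01T10:00:00+00:00,2024-10-15T14:30:00+00:00,true,2023-01-10T10:00:00+00:00,N/A
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2022-11-03T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-11-03T09:00:00+00:00,2024-10-20T03:00:00+00:00,false,N/A,N/A
svc-legacy,arn:aws:iam::123456789012:user/svc-legacy,2021-05-05T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-05-05T10:00:00+00:00,2023-02-01T00:00:00+00:00,false,N/A,N/A
"""

# Fixed "now" so the sample gives stable results.
NOW = datetime(2024, 11, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for f in audit_credential_report(SAMPLE_REPORT, NOW):
        print(f"{f.user:14} {f.item:13} {f.issue}")
```

Each finding maps to one of the report's remedies: `human-access-via-iam-user` is a candidate for IAM Identity Center or another federated IdP, while a `key-older-than-max-age` on a service user such as `ci-deployer` is a workload that should be moved to an IAM role, EKS Pod Identity or the equivalent managed identity, after which the static key can be deleted rather than rotated.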