The head of security advocacy at Datadog, a cloud-based monitoring and analytics platform, has urged enterprises in Australia and the APAC region to accelerate the phasing out of long-lived credentials for popular hyperscale cloud services, warning that they remain a serious data breach risk.
Speaking with TechRepublic, Andrew Krug highlighted findings from Datadog's State of Cloud Security 2024 report, which identified long-lived credentials as a persistent security risk factor. While credential management practices are improving, Krug noted they are not advancing as quickly or as effectively as needed to mitigate the risk.
Long-lived credentials are still a major threat to cloud security
The report found that nearly half (46%) of organisations using AWS rely on IAM users for human access to cloud environments, a practice Datadog classifies as a form of long-lived credential. This was true even for organisations that use centralised identity management to grant access across multiple systems.
Moreover, nearly one in four relied solely on IAM users without implementing centralised federated authentication. According to Datadog, this highlights a persistent problem: while centralised identity management is becoming more common, unmanaged users with long-lived credentials continue to pose a significant security risk.
The prevalence of long-lived credentials spans all major cloud providers and often includes outdated or unused access keys. The report found that 62% of Google Cloud service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications had access keys that were more than a year old.
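The "more than a year old" figure above is something any AWS account owner can reproduce for their own estate from the IAM credential report (`aws iam generate-credential-report`, then `aws iam get-credential-report --query Content --output text | base64 -d`). The script below is an added example, not code from the article or from Datadog: it parses that CSV and flags active access keys older than a year or with no recorded use. The sample rows are constructed, the column set is trimmed to the fields the check needs (the real report carries more), the account ID and user names are placeholders, and the clock is pinned so the result is reproducible.

```python
"""Audit an AWS IAM credential report for long-lived access keys.

Added example (not Datadog's tooling). Input is the CSV returned by
`aws iam get-credential-report`, after base64 decoding. Placeholder
values that appear in the real report ("N/A", "no_information",
"not_supported") are treated as "no timestamp".
"""
import csv
import io
from datetime import datetime, timezone

MAX_AGE_DAYS = 365        # matches the report's "older than a year" threshold
STALE_UNUSED_DAYS = 90    # assumption: a key idle this long is a rotation candidate

# Constructed sample report with a trimmed column set (assumed, not real data).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T08:00:00+00:00,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-02T09:15:00+00:00,true,true,true,2021-03-02T09:16:00+00:00,2024-11-20T10:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-06-01T12:00:00+00:00,false,false,true,2024-09-01T12:00:00+00:00,2024-11-25T07:30:00+00:00,true,2022-01-15T12:00:00+00:00,no_information
bob,arn:aws:iam::123456789012:user/bob,2024-10-01T12:00:00+00:00,true,false,true,2024-10-01T12:00:00+00:00,N/A,false,N/A,N/A
"""

# Fixed "now" so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW):
    """Return one finding per active access key that is old or has no recorded use."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):           # each IAM user can hold two access keys
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            reasons = []
            if rotated is not None and (now - rotated).days > MAX_AGE_DAYS:
                reasons.append(f"key age {(now - rotated).days}d exceeds {MAX_AGE_DAYS}d")
            if last_used is None:
                reasons.append("no recorded use")
            elif (now - last_used).days > STALE_UNUSED_DAYS:
                reasons.append(f"unused for {(now - last_used).days}d")
            if reasons:
                findings.append({"user": row["user"],
                                 "key": f"access_key_{slot}",
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{finding['user']:<12} {finding['key']}: {'; '.join(finding['reasons'])}")
```

Run against a real report, the output is the list of keys to retire first; keys that are both old and unused can usually be deactivated immediately, while old-but-active keys (like `alice` above) need the owning workflow moved to a role or Identity Center session before deletion.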
Long-lived credentials carry a significant risk of data breaches
Long-lived cloud credentials never expire and frequently get leaked in source code, container images, build logs, and application artifacts, according to Datadog. Past research conducted by the company has shown they are the most common cause of publicly documented cloud security breaches.
Krug said there is mature tooling on the market to ensure secrets don't end up in production environments, such as static code analysis. Datadog's report also notes the rise of IMDSv2 enforcement on AWS EC2 instances, an important security mechanism to block credential theft: IMDSv2 will only hand out instance role credentials to a caller that first obtains a session token with a PUT request, which closes the classic SSRF-to-metadata-service theft path.
There are fewer long-lived credentials, but change is too slow
There have been moves to mitigate the problem, such as AWS launching IAM Identity Center, which allows organisations to centrally manage access to AWS accounts and applications. While companies are in the process of adapting to the service, Krug said, "I just don't know that everyone considers this their highest priority."
"It definitely should be, because if we look at the last 10 years of data breaches, the first theme is that long-lived access key pairs were the root cause of these data breaches combined with overly permissive access," he explained. "If we eliminate one side of that, we really significantly reduce the risk for the business."
The long-lived credentials problem isn't unique to APAC: it's a global problem
According to Krug, APAC is no different from the rest of the world. With no regulation governing the management of long-lived credentials in the cloud in any particular jurisdiction, companies worldwide use similar approaches with similar cloud providers, often across multiple international jurisdictions.
What's stopping the move away from long-lived credentials?
The effort required to transition teams to single sign-on and temporary credentials has slowed the adoption of these practices. Krug said the "lift and shift" involved in migrating development workflows to single sign-on can be considerable. That is partly because of the mindset shift required and partly because organisations must provide adequate support and guidance to help teams adapt.
However, he noted that tools like AWS IAM Identity Center, which has been available for three years, have made this transition more feasible. These tools are designed to reduce developer friction by streamlining the authentication process, minimising the need for repeated MFA sign-ins, and ensuring that workflows remain efficient.
"AWS IAM Identity Center is a great product and enables these very seamless user flows, but people are still midstream in migrating to it," Krug said.
What should you do with your long-lived credentials?
Datadog's report warned that it is unrealistic to expect long-lived credentials to be managed securely. The vendor recommends that companies adopt secure identities with modern authentication mechanisms, use short-lived credentials, and actively monitor for changes to, and use of, the APIs attackers commonly rely on.
"Organisations should leverage mechanisms that provide time-bound, temporary credentials," the report said.
Workloads: For workloads, Datadog said this can be achieved with IAM roles for EC2 instances or EKS Pod Identity in AWS, Managed Identities in Microsoft Azure, and service accounts attached to workloads in Google Cloud, if the organisation uses the major global hyperscalers.
People: For human users, Datadog said the best solution is to centralise identity management using a solution like AWS IAM Identity Center, Okta, or Microsoft Entra ID, and to avoid creating an individual cloud user for each employee, which it labelled "highly inefficient and risky."
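The monitoring recommendation above is concrete enough to show in code. The block below is an added example, not a Datadog detection rule or anything from the report: it runs over a handful of constructed, trimmed CloudTrail records and flags (a) any API call authenticated with a long-lived IAM user access key and (b) IAM calls that create or expand long-lived credentials. The key-ID prefix check relies on AWS's documented convention that long-term access keys start with `AKIA` while temporary STS credentials (assumed roles, Identity Center sessions, EC2 instance roles, EKS Pod Identity) start with `ASIA`. The set of "credential-minting" actions, the account ID, key IDs, user names and IP addresses are all assumptions for the example.

```python
"""Detection over CloudTrail records: long-lived key usage and credential minting.

Added example, not part of the original article or Datadog's product.
Records are constructed and trimmed; real CloudTrail events carry many
more fields (awsRegion, userAgent, responseElements, ...).
"""

# Assumption: IAM actions treated as creating or widening a long-lived credential.
CREDENTIAL_MINTING_ACTIONS = {
    "CreateUser", "CreateAccessKey", "UpdateAccessKey",
    "CreateLoginProfile", "AttachUserPolicy", "PutUserPolicy",
}

LONG_LIVED = "long-lived access key in use"
MINTING = "credential-creating IAM call"

# Constructed sample events (fake account ID, key IDs, names and addresses).
SAMPLE_EVENTS = [
    {   # IAM user calling S3 with a long-term key: the pattern the report warns about
        "eventTime": "2024-11-25T07:31:02Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "accessKeyId": "AKIA000000000EXAMPLE"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # Identity Center session (assumed role, ASIA key): the desired state
        "eventTime": "2024-11-25T07:32:40Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_Admin/bob",
                         "accessKeyId": "ASIA000000000EXAMPLE"},
        "sourceIPAddress": "203.0.113.11",
    },
    {   # A role minting a new long-lived key for an IAM user
        "eventTime": "2024-11-25T07:35:11Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ci-role/build-42",
                         "accessKeyId": "ASIA000000001EXAMPLE"},
        "requestParameters": {"userName": "backup-svc"},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # Long-lived key used to create another IAM user: both conditions at once
        "eventTime": "2024-11-25T07:40:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "accessKeyId": "AKIA000000000EXAMPLE"},
        "requestParameters": {"userName": "alice-backup"},
        "sourceIPAddress": "203.0.113.10",
    },
]


def classify(event):
    """Return the reasons an event is interesting, in fixed order (empty if none)."""
    key_id = event.get("userIdentity", {}).get("accessKeyId", "")
    reasons = []
    if key_id.startswith("AKIA"):
        reasons.append(LONG_LIVED)
    if (event.get("eventSource") == "iam.amazonaws.com"
            and event.get("eventName") in CREDENTIAL_MINTING_ACTIONS):
        reasons.append(MINTING)
    return reasons


def detect(events):
    """Run classify() over a batch and return one alert dict per matching event."""
    alerts = []
    for ev in events:
        reasons = classify(ev)
        if not reasons:
            continue
        identity = ev["userIdentity"]
        alerts.append({
            "time": ev["eventTime"],
            "action": f"{ev['eventSource']}:{ev['eventName']}",
            "principal": identity.get("userName") or identity.get("arn"),
            "target": ev.get("requestParameters", {}).get("userName"),
            "source_ip": ev.get("sourceIPAddress"),
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real pipeline the first rule is a volume metric rather than an alert (it tells you how far the migration to temporary credentials has progressed, per principal), while the second rule is worth paging on once the expected sources of IAM user creation (an IaC pipeline, a break-glass role) have been allow-listed.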