Full Report
# Sensitive data and secrets are leaking. How cloud security leaders can shut them down.

Despite the billions of dollars organizations are investing in cybersecurity, one of the most preventable threats persists: sensitive data and credentials exposed in publicly accessible cloud services. According to the Tenable Cloud Security Risk Report 2025, 9% of public cloud storage resources contain sensitive data — including personally identifiable information (PII), intellectual property (IP), Payment Card Industry (PCI) details, and protected health information (PHI).

Even more concerning, the report shows that over half of organizations using Amazon Web Services (AWS) Elastic Container Service (ECS) task definitions and Google Cloud Platform (GCP) Cloud Run have, knowingly or not, at least one secret embedded in these services.

These exposures matter because they are exactly the kind of exploitable oversights attackers are already scanning for — and weaponizing.

## Why this matters to security leaders

Exposed secrets — like API keys and encryption tokens — can open the door to attackers, enabling lateral movement, data exfiltration or full environment takeover.

This isn’t just a misconfiguration issue. It’s a governance gap, made worse by legacy security tooling and, in some cases, the mistaken perception that native cloud services provide sufficient protection.

## What you should be doing now

Security leaders must shift from detection to prevention and improve their sensitive data protection by enforcing the following:

- **Automated data discovery and classification:** Know what data lives in your environment and continuously assess its sensitivity. This should be an ongoing, telemetry-driven effort — not a quarterly scan.
- **Eliminate public access by default:** Enforce least privilege for both data and network access. Public storage should be the rare exception.
- **Employ enterprise-grade secrets management:** Remove hardcoded secrets and implement cloud-native tools like AWS Secrets Manager and Microsoft Azure Key Vault.
- **Cloud Security Posture Management (CSPM):** Use identity-intelligent CSPM to unify visibility across your cloud footprint and detect misconfigurations, secrets, and excessive permissions in real time.

**Key takeaway:** Exposed secrets and sensitive data aren’t obscure edge cases. They’re systemic risks hiding in plain sight — and must be eliminated before attackers exploit them.

## Learn more

- Download the Tenable Cloud Security Risk Report 2025
- Join our upcoming research webinar: Why Your Cloud Data Might Not Be Secure After All: Insights From Tenable Cloud Research
Analysis Summary
# Best Practices: Cloud Security, Secrets Management, and Sensitive Data Protection
## Overview
These practices shift cloud security operations from detection after the fact to prevention of data exposures, specifically the elimination of exposed secrets and publicly accessible sensitive data that arise from misconfigurations and from the mistaken belief that legacy tooling or native cloud defaults alone provide sufficient protection.
## Key Recommendations
### Immediate Actions
1. **Automate Data Discovery and Classification:** Initiate a continuous, telemetry-driven process for discovering and assessing the sensitivity of all data residing in the cloud environment. This must supersede quarterly scanning efforts.
2. **Eliminate Public Access by Default:** Immediately review and restrict storage access policies to enforce a "deny by default" posture; public access should be an explicitly documented, rare exception.
3. **Implement Secrets Management Review:** Immediately begin scanning code repositories, configuration files, and deployment manifests (for example ECS task definitions and Cloud Run service definitions) for hardcoded secrets that must be removed and migrated into a secrets manager.
### Short-term Improvements (1-3 months)
1. **Enforce Least Privilege:** Implement strict least privilege controls for both data access and network access across the cloud estate.
2. **Adopt Enterprise Secrets Management:** Deploy cloud-native secrets management tools (e.g., AWS Secrets Manager, Azure Key Vault) to centrally store and manage credentials, keys, and tokens.
3. **Deploy Identity-Intelligent CSPM:** Integrate a Cloud Security Posture Management (CSPM) solution capable of real-time detection of misconfigurations, exposed secrets, and excessive permissions unified across the entire cloud footprint.
### Long-term Strategy (3+ months)
1. **Transition to Proactive Posture:** Formalize the transition from a reactive detection model to a proactive prevention model for sensitive data protection across all cloud workloads.
2. **Integrate Security Telemetry:** Ensure continuous, telemetry-driven feedback loops are established to maintain accurate, up-to-date data discovery and classification status.
3. **Review Legacy Tooling Dependency:** Develop a roadmap to retire or modernize legacy security tooling that may not adequately address modern cloud-native security challenges, such as those related to identity and ephemeral resources.
## Implementation Guidance
### For Small Organizations
- **Focus on Native Tools:** Prioritize leveraging built-in features of your chosen cloud provider (e.g., native secrets management, basic IAM policies) to secure initial data access and credentials quickly.
- **Simplified CSPM:** Adopt a single, consolidated CSPM tool to gain immediate visibility across the limited cloud footprint, focusing remediation efforts on critical public exposure risks.
### For Medium Organizations
- **Phased Secrets Migration:** Begin a structured migration project to move validated hardcoded secrets into a centralized secrets manager service (e.g., Azure Key Vault), prioritizing high-risk applications first.
- **Formalize Least Privilege Audits:** Conduct initial audits using identity-intelligent CSPM to map effective permissions against job roles, focusing on reducing standing access rights.
### For Large Enterprises
- **Unified Exposure Management:** Implement a comprehensive exposure management platform (like Tenable One) to integrate data from native cloud security services, vulnerability scanners, and identity systems for a unified view of risk.
- **Policy as Code Enforcement:** Integrate CSPM and security checks directly into CI/CD pipelines ("shift left") using Infrastructure as Code (IaC) scanning to prevent misconfigurations and secret exposure before deployment.
- **Dynamic Access Control:** Fully implement Just-in-Time (JIT) access mechanisms to ensure identities and services only receive the permissions required for the short duration of a specific task.
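The secrets review above and the "shift left" IaC scanning recommended for CI/CD pipelines both come down to the same check on a deployment artifact. As an added example that is not part of the Tenable report, the Python below inspects an ECS task definition and flags credentials passed as literal environment variables (the embedded-secret pattern the report found in over half of ECS users) while accepting entries that reference AWS Secrets Manager or SSM through the task definition's `secrets[].valueFrom` field. The sample task definition, its ARN, the variable-name pattern and the entropy threshold are all constructed or assumed values to be tuned for your environment.

```python
import json
import math
import re

# Constructed sample ECS task definition (not a real deployment): the "api"
# container embeds a credential as a literal environment variable, while the
# "worker" container references Secrets Manager through secrets[].valueFrom,
# which is the pattern a pre-deployment gate should require.
SAMPLE_TASK_DEF = json.dumps({
    "family": "payments-api",
    "containerDefinitions": [
        {"name": "api",
         "environment": [
             {"name": "LOG_LEVEL", "value": "info"},
             {"name": "DB_PASSWORD", "value": "p4ssw0rd-EXAMPLE-Only-1234"}]},
        {"name": "worker",
         "environment": [{"name": "REGION", "value": "us-east-1"}],
         "secrets": [{"name": "API_TOKEN",
                      "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:api-token-EXAMPLE"}]},
    ],
})

# Assumed variable-name pattern for values that conventionally carry credentials.
SECRET_NAME_RE = re.compile(r"(passw(or)?d|secret|token|api_?key|private_?key|credential)", re.I)

def shannon_entropy(s: str) -> float:
    """Bits per character; long random-looking values score well above prose."""
    if not s:
        return 0.0
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in (s.count(ch) for ch in set(s)))

def find_embedded_secrets(task_def_json: str, entropy_threshold: float = 3.5) -> list[dict]:
    """Return one finding per literal env value that looks like a credential.

    A finding is raised when the variable name matches SECRET_NAME_RE or the
    literal value is long and high-entropy. Entries under "secrets" are
    resolved from Secrets Manager / SSM at runtime and are never flagged.
    """
    findings = []
    for container in json.loads(task_def_json).get("containerDefinitions", []):
        for env in container.get("environment", []):
            name, value = env.get("name", ""), str(env.get("value", ""))
            name_hit = bool(SECRET_NAME_RE.search(name))
            entropy_hit = len(value) >= 16 and shannon_entropy(value) >= entropy_threshold
            if name_hit or entropy_hit:
                findings.append({"container": container["name"], "variable": name,
                                 "reason": "name" if name_hit else "entropy",
                                 "fix": "store in Secrets Manager/SSM and reference via secrets[].valueFrom"})
    return findings

if __name__ == "__main__":
    for f in find_embedded_secrets(SAMPLE_TASK_DEF):
        print(f"{f['container']}/{f['variable']}: flagged by {f['reason']}; {f['fix']}")
```

Run against the task definition JSON emitted by your IaC tool in the pipeline and fail the build on a non-empty result; the same logic applies to Cloud Run `env[].value` versus `env[].valueFrom.secretKeyRef`.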
## Configuration Examples
*(Note: Specific configuration examples were not provided in the source text, but the recommendations map to specific technologies.)*
- **Secrets Management Tooling Example:** Utilize **AWS Secrets Manager** or **Microsoft Azure Key Vault** for centralized key and secret rotation.
- **Posture Management Example:** Deploy an **Identity-Intelligent CSPM** solution to continuously scan cloud resource configurations (e.g., S3 buckets, storage accounts, security groups) against established security benchmarks.
## Compliance Alignment
- **NIST CSF:** Focuses heavily on the **Protect** function (e.g., data security controls) and shifting toward **Detect** and **Respond** with real-time telemetry.
- **ISO 27001/27017:** Aligns with requirements for access control, cryptographic controls, and secure system engineering practices.
- **CIS Benchmarks:** Directly maps to hardening cloud infrastructure settings and implementing baseline secure configurations identified by CSPM tools.
## Common Pitfalls to Avoid
- **Assuming Native Controls or Legacy Tooling Are Enough:** Believing that a cloud provider's native services fully secure the customer's data plane, or that legacy security tools built for on-premises environments offer sufficient protection for cloud workloads.
- **Treating Discovery as a One-Time Event:** Relying on periodic scans for data classification instead of continuous, automated telemetry feeds, leading to transient exposures being missed.
- **Ignoring Identity Context:** Configuring permissions or secrets controls without considering the actual identity or service principal making the request (i.e., failure to enforce true least privilege).
## Resources
- **Cloud Security Posture Management (CSPM)** solutions integration.
- **Cloud-native secrets management tools** (e.g., AWS Secrets Manager, Azure Key Vault).
- **Tenable Cloud Security Risk Report 2025** (For deeper threat context).
- Implementation guidance on **Least Privilege Enforcement** via Just-in-Time (JIT) access management techniques.