5 steps to protect APAC firms from the toxic cloud trilogy

Cloud computing has become the bedrock of enterprise operations across Asia-Pacific (APAC). However, as we harness the scalability and agility of the cloud, we are also grappling with risks that could destabilise entire businesses if left unchecked. The problem is not the cloud itself, but how data within the cloud is managed and secured.

The Tenable Cloud Research team recently conducted a study revealing that a significant portion of enterprises — globally and in the region, specifically 38% — have at least one cloud workload that is publicly exposed, critically vulnerable, and highly privileged. This “toxic cloud trilogy” is a powerful reminder that while the cloud can accelerate innovation, it can also create newer and more severe security risks.

Why is this trio so dangerous for today’s modern organisations? Each element alone is a security risk, but together, they create a formidable pathway for attackers to exploit a system’s most sensitive assets. A publicly exposed workload acts as a beacon, inviting unauthorised access from the open internet. When critical vulnerabilities are left unpatched within that same workload, attackers have an immediate foothold for seizing control. High privileges, often unwittingly granted in development or testing environments, allow attackers access not only to the compromised workload but potentially to entire segments of a company’s cloud infrastructure. This combination of exposure, vulnerability, and privilege creates a shortcut for breaches, allowing attackers to move laterally, escalate privileges, and compromise sensitive data or services.

So, what can enterprises in APAC do to stay secure without losing the cloud’s benefits?

1. Get serious about IAM

In a cloud-first world, identity is the new perimeter, and it is also one of the weakest links in the chain. A startling 84% of organisations possess unused or longstanding access keys with excessive permissions. These keys are often forgotten but hold immense potential for exploitation, allowing attackers to access sensitive data without drawing attention.

What needs to happen: Enterprises must enforce strict controls on identity and access management (IAM). Implement just-in-time (JIT) access policies, regularly rotate keys, and audit permissions rigorously to ensure only the right people and systems have access to critical cloud resources. Multi-factor authentication (MFA) and principle-of-least-privilege policies should become standard practice.

This isn’t just about keeping out hackers; it is about protecting your core assets from within, reducing the risk of an internal lapse inviting external threats.

2. Patch critical vulnerabilities before you get patched

Cloud environments are dynamic, and vulnerabilities arise frequently, sometimes faster than organisations can address them. Recent research shows that 80% of workloads were left unpatched for more than a month, even after severe vulnerabilities were discovered. Attackers will not wait. They exploit these gaps to breach systems and gain a foothold, often leading to catastrophic outcomes like ransomware attacks.

What needs to happen: Prioritise vulnerability management with a focus on context. Not all vulnerabilities are created equal. Those that exist on publicly exposed workloads or highly privileged systems must be prioritised. Cybersecurity teams need to integrate risk-based assessments into their patching schedules, ensuring critical vulnerabilities are mitigated quickly, while low-risk issues are addressed in due course.

Ignoring this will not only expose your business but could leave its name splashed across headlines for all the wrong reasons.
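The context-based prioritisation described above can be expressed as a small patch-queue sorter. This is an added example, not code from the study or from any vendor tool; the `Workload` fields, the tier rules, the 30-day threshold and the sample inventory are assumptions chosen for illustration (CVSS 9.0+ is treated as critical, 7.0+ as high).

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Workload:
    name: str
    public: bool       # reachable from the open internet
    privileged: bool   # attached identity holds admin-level permissions
    max_cvss: float    # highest CVSS base score among open findings
    found_on: date     # date that finding was first reported

def tier(w):
    """Assumed tiering: 0 = toxic trilogy, 3 = address in due course."""
    critical, high = w.max_cvss >= 9.0, w.max_cvss >= 7.0
    context = int(w.public) + int(w.privileged)
    if critical:
        return 2 - context   # both factors -> 0, one -> 1, none -> 2
    if high and context:
        return 2
    return 3

def patch_queue(workloads, today):
    """Sort by tier, then severity, then how long the finding has been open."""
    return sorted(
        workloads,
        key=lambda w: (tier(w), -w.max_cvss, -(today - w.found_on).days),
    )

def overdue(workloads, today, max_days=30):
    """Tier 0/1 workloads whose finding has been open longer than max_days."""
    return [w.name for w in workloads
            if tier(w) <= 1 and (today - w.found_on).days > max_days]

# Constructed sample inventory, not real data.
TODAY = date(2025, 1, 31)
SAMPLE = [
    Workload("dev-sandbox", False, False, 5.3, date(2024, 10, 1)),
    Workload("marketing-site", True, False, 7.5, date(2024, 11, 15)),
    Workload("internal-wiki", False, False, 9.3, date(2025, 1, 2)),
    Workload("payments-api", True, True, 9.8, date(2024, 12, 1)),
    Workload("batch-runner", False, True, 9.1, date(2025, 1, 20)),
]

if __name__ == "__main__":
    for w in patch_queue(SAMPLE, TODAY):
        print(tier(w), w.name, w.max_cvss)
    print("overdue:", overdue(SAMPLE, TODAY))
```
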

3. Lock down your Kubernetes configurations

Kubernetes is increasingly becoming the go-to platform for managing cloud-native applications. However, it’s also a growing attack vector. Researchers found that 78% of organisations have publicly accessible Kubernetes API servers, and nearly half run containers in privileged modes. For cyberthreat actors, this is a siren call.

What needs to happen: Enterprises must enforce stricter controls over Kubernetes environments. Public access should be restricted by applying firewall rules or configuring network policies to reduce exposure. Running containers in privileged mode should be avoided unless necessary, and role-based access controls (RBAC) should be applied to limit admin privileges.

Securing Kubernetes will not just protect your cloud-native applications but also ensure that the platform driving your digital transformation is not the weakest link in your security chain.
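One way to audit for privileged containers before manifests reach a cluster is to walk each workload's pod spec, as in this added example (not from the original article). The manifests are constructed samples expressed as Python dicts, and the function names are hypothetical.

```python
def pod_spec(manifest):
    """Return the pod spec embedded in common workload kinds, or None."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        # CronJob nests the pod template one level deeper than a Job.
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    # Deployment, StatefulSet, DaemonSet, Job: spec.template.spec
    return (spec.get("template") or {}).get("spec")

def privileged_containers(manifest):
    """List 'workload/container' names that set securityContext.privileged."""
    spec = pod_spec(manifest) or {}
    hits = []
    # 'privileged' exists only on the container-level securityContext,
    # so every container list has to be checked, not just 'containers'.
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field) or []:
            if (c.get("securityContext") or {}).get("privileged") is True:
                hits.append(f'{manifest["metadata"]["name"]}/{c["name"]}')
    return hits

def scan(manifests):
    return [hit for m in manifests for hit in privileged_containers(m)]

# Constructed sample manifests, not taken from a real cluster.
SAMPLE_MANIFESTS = [
    {"kind": "Deployment", "metadata": {"name": "node-agent"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "agent", "securityContext": {"privileged": True}},
         {"name": "sidecar", "securityContext": {"privileged": False}}]}}}},
    {"kind": "CronJob", "metadata": {"name": "nightly-backup"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {
         "initContainers": [{"name": "mount-setup",
                             "securityContext": {"privileged": True}}],
         "containers": [{"name": "backup"}]}}}}}},
    {"kind": "Pod", "metadata": {"name": "web"},
     "spec": {"containers": [{"name": "nginx"}]}},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_MANIFESTS):
        print("privileged:", hit)
```
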

4. Cut the public exposure of cloud storage

Cloud storage solutions, when poorly configured, are low-hanging fruit for attackers. An alarming 74% of organisations in the region have publicly exposed storage assets, often due to excessive permissions. These storage buckets can contain sensitive data such as personally identifiable information, financial records, and intellectual property, all of which can wreak havoc if exposed.

What needs to happen: Organisations must constantly review their storage configurations. Identify which assets need to be publicly accessible and which do not. Reduce permissions to the bare minimum, especially for assets containing sensitive information, and ensure that encryption is applied wherever possible. Monitoring tools should be used to flag any changes in permissions that could lead to exposure.

Public exposure of sensitive data is not just a security failure; it is a business risk that can cause massive and nearly irreversible reputational damage.

5. Embrace a holistic approach to cloud security

Cloud security cannot be treated as a bolt-on or an afterthought; it needs to be woven into the very fabric of the ways enterprises operate. Systems should be built with cybersecurity top of mind. The toxic cloud trilogy is a symptom of a broader problem: a lack of visibility, coordination, and context across cloud environments. Most organisations are operating in silos, with scattered security controls, isolated views, and disjointed teams, which only exacerbates the risk.

What needs to happen: Enterprises must take a unified approach to managing cloud security. Consolidating identity, vulnerability, misconfiguration, and data risk into a comprehensive framework can help security teams assess and address the most critical risks effectively. The goal should be to foster a security culture where cloud risks are identified and resolved proactively and collaboratively.

Security must keep pace with the evolving cloud landscape. Without comprehensive oversight, blind spots will increase, giving attackers more opportunities to exploit vulnerabilities in digital infrastructure.

Securing the future

As the cloud becomes more central to business operations across APAC, so too must the commitment to cybersecurity. By taking these steps, enterprises can mitigate the most pressing risks in their cloud environments, ensuring they continue to innovate and grow without exposing themselves to unnecessary vulnerabilities.

The toxic cloud trilogy may be a looming threat, but with the right strategies in place, it’s a risk that can and should be mitigated — before it’s too late.