The Toxic Cloud Trilogy: Unseen Cloud Risks Facing APAC Enterprises
By Nigel Ng, Senior Vice President, Asia Pacific and Japan, Tenable
Cloud computing is at the core of modern business in APAC. It is fast, scalable, and essential for organisations striving to keep pace in a digital-first world. However, as more companies migrate critical operations to the cloud, they encounter evolving security challenges. Enter the “toxic cloud trilogy,” a convergence of publicly exposed workloads, critical vulnerabilities, and over-privileged identities. Separately, each of these factors poses a security risk. Together, they create a scenario that warrants attention. Tenable’s Cloud Research team found that this combination is present in at least one cloud workload in 38% of organisations, including those in APAC.
Cyber Exposure, Vulnerability, and Privilege: The Trilogy of Cloud Risk
What makes this trifecta especially concerning? In the cloud, publicly exposed workloads can function as beacons, accessible from the internet. Such exposure, even when unintentional, allows cybercriminals to identify potential entry points with ease. Add unpatched vulnerabilities into the mix, and the risk is amplified. These gaps create a straightforward exploitation pathway.
The third factor – over-privileged identities – further raises the stakes. When access permissions exceed what is necessary, attackers can move more freely across systems, accessing data and services with fewer barriers. This toxic cloud trilogy turns what might have been a limited security issue into a broader operational concern, allowing attackers to extend their reach if they gain access.
The Potential Impact on APAC Organisations
For APAC businesses, these risks are not theoretical. A single unpatched vulnerability in a publicly exposed workload can disrupt operations and potentially lead to data loss. The presence of excessive privileges means that, once entry has been gained, attackers have greater opportunities to move within the environment. Addressing these risks is essential not only for security but also for operational stability.
Despite these gaps in preventive security, some organisations remain cautious about changing their cloud security practices. Many rely on basic safeguards and occasional audits, assuming these measures will suffice. But the toxic cloud trilogy underscores that more comprehensive steps may be necessary to build a secure foundation. This is not simply about “best practices”; it is about strengthening resilience.
Why the Cloud Demands a Different Security Approach
Cloud systems differ from traditional IT environments, and so do the risks they face. In on-premises setups, security perimeters are physical and contained. In the cloud, identity has become the new perimeter, and it is a complicated one.
Consider identity and access management. Our research showed 84% of organisations have unused or overly privileged access keys. These credentials can linger indefinitely, creating potential access points that may go unnoticed. Attackers require only one of these keys to gain entry, highlighting the need for ongoing access reviews. This issue is not unique to a few businesses; it is inherent to how cloud environments are often managed.
The APAC Context: Rapid Adoption, Evolving Security
Organisations in APAC are quick to embrace the cloud’s benefits—efficiency, scalability, and agility. However, in the rush to deploy, many organisations have been lagging in security practices. Regulations, while improving, vary widely across the region. Cybersecurity expertise is in high demand, and resources may be stretched. As a result, public workloads, unpatched systems, and permissive access levels have become more common than intended.
For attackers, this scenario is attractive. APAC’s swift cloud adoption, coupled with inconsistent security, creates opportunities to target organisations that are still adapting. Addressing the toxic cloud trilogy requires adjusting security practices to keep pace with cloud deployments, not merely adding more tools.
Steps Towards a Resilient Security Strategy
The toxic cloud trilogy may sound complex, but there are clear steps APAC organisations can take to mitigate these risks. First, organisations should prioritise a unified approach to cloud security, where exposure, vulnerability, and access control are managed holistically. Public exposure should be minimised, critical vulnerabilities patched promptly, and permissions managed carefully. Each action strengthens cloud resilience.
Breaking down security silos is also crucial. Many organisations handle identity, vulnerability, and configuration management separately, which can leave gaps. Integrating these areas on a unified platform produces a clearer picture, enabling security teams to proactively manage risks. This approach allows organisations to move beyond reactionary fixes toward a comprehensive, forward-looking strategy.
Cloud security today goes beyond regulatory compliance or routine assessments. It has become integral to an organisation’s overall resilience and readiness. The toxic cloud trilogy is a reminder that cloud adoption and security must evolve hand in hand.