Tenable’s 2025 Cloud Security Risk Report uncovers a dangerously overlooked reality: misconfigurations, hardcoded secrets, and over-trusted identities are undermining cloud resilience. As digital identities become the new perimeter, it’s time to rethink trust in the cloud.
The Cloud’s Convenience Can Be a Double-Edged Sword
In a region racing ahead with smart cities, national AI projects, and cloud-first public services, the Middle East stands at the forefront of innovation. Yet, as Tenable’s 2025 Cloud Security Risk Report warns, the foundation of that innovation may be far more fragile than assumed.
Analyzing telemetry from October 2024 to March 2025, the report reveals that 9% of publicly accessible cloud storage contains sensitive data, nearly all of it restricted or confidential. From embedded secrets to overprivileged identities, the cloud security gaps are not exotic — they’re mundane, avoidable, and incredibly widespread.
“This report is a wake-up call for organizations that have shifted to the cloud under the assumption that default configurations and best-practice tools are enough,” says Faisal Khan, Associate Director (Acting), Information Security & Compliance, Dubai World Trade Centre. “It shows that visibility without context is dangerous as storing secrets in code or configurations, retaining standing privileges, and mismanaging identity entitlements are silent threats which are bound to be exposed sooner or later.”
“Cloud isn’t inherently secure or insecure — it’s a reflection of how disciplined we are with configurations, access, and automation.”
— Faisal Khan, Associate Director (Acting), Information Security & Compliance, Dubai World Trade Centre

Secrets in the Code, Danger in the Shadows
Secrets — including passwords, API tokens, and encryption keys — are still being stored in plain sight:
- 54% of organizations store secrets in AWS ECS task definitions
- 52% in GCP Cloud Run
- 31% in Azure Logic App workflows
- 3.5% of AWS EC2 instances contain secrets in user data
“These are more than just sloppy mistakes,” warns Anwar Mohammed, Associate Vice President, RAKBANK. “They are open doors to threat actors. Given EC2’s foundational role in cloud ecosystems, this kind of risk should be unthinkable.”
“While it’s encouraging to see a drop in the ‘toxic cloud trilogy,’ the persistence of hardcoded secrets and over-permissioned identities highlights that security hygiene and automation haven’t matured fast enough to keep pace with cloud adoption,” he adds. “Organizations need to embrace least privilege, secret management tools, and continuous cloud posture monitoring to close these gaps.”

“The fact that over half of organizations are still storing secrets in ECS, Cloud Run, or Logic App workflows is deeply concerning. These practices create direct attack paths and expose organizations to unnecessary risk.”
— Anwar Mohammed, Associate Vice President, RAKBANK
The ‘Toxic Cloud Trilogy’ Still Lurks
The good news? There’s progress: workloads that are publicly exposed, critically vulnerable, and highly privileged — the so-called toxic cloud trilogy — have decreased from 38% to 29%.
The bad news? That still means almost one in three organizations have highly dangerous workloads in active production.
“This progress is encouraging,” says Anwar, “but it doesn’t go far enough. We need faster maturation in cloud hygiene, automated remediation, and risk-based prioritization.”
Identity Is the New Battleground — And It’s Misunderstood
Cloud Identity and Access Management (IAM) is evolving — but not quickly enough. While 83% of AWS environments now use Identity Providers (IdPs) to streamline and secure access, Tenable warns that excessive entitlements, over-trusted federated identities, and weak permission governance continue to expose organizations to risk.
“Just because you’re using an IdP doesn’t mean you’re safe,” explains Faisal Khan. “Overly permissive defaults and standing permissions are often the cracks through which attackers walk right in.”
Understanding Digital Identity
Anwar Mohammed, Associate Vice President, RAKBANK, emphasizes the importance of recognizing what a digital identity truly is in today’s world: “Think of your digital identity as your online self — everything that proves who you are digitally, from your social media logins to your online banking access. If compromised, it’s not just data loss; it’s life disruption.”
“Digital identity is the backbone of our online lives. But if it’s compromised, it opens the door to breaches far beyond cloud — it hits at the core of personal trust and enterprise security alike.”
— Anwar Mohammed, Associate Vice President, RAKBANK

He highlights three key models:
- Centralized Identities: Like corporate logins or banking credentials managed by a single provider.
- Federated Identities (IdPs): Where you log in once (say via Google or Microsoft) and access multiple services.
- Decentralized Identities (DIDs): Using blockchain-based tech to put more control in the hands of users.
“If your IdP login is compromised, all linked systems become vulnerable. That’s why multi-factor authentication (MFA) is critical — and so is de-linking unused apps and regularly reviewing IdP-linked services,” says Jacob.
He also emphasizes that digital identity hygiene starts at home, recommending:
- Educating family and staff, especially elders and children, about basic cybersecurity
- Never reusing passwords across services
- Exploring decentralized ID models where feasible
“At a corporate level, products like Tenable help cybersecurity professionals answer some crucial questions: Where are we exposed, how critical are those exposures, and how can we reduce our risk before attackers exploit them?”
What Enterprises Must Now Do
“This report is a reminder that complexity and convenience cannot outweigh security discipline,” says Faisal Khan.
Tenable, alongside expert voices from across the Middle East, recommends a clear action plan:
What’s Needed:
- Cloud Security Posture Management (CSPM): Continuous monitoring to catch misconfigurations early.
- Secret Management Solutions: Use enterprise vaults, not plain text or hardcoded entries.
- DevSecOps Integration: Make security a design principle, not an afterthought.
- Multi-Factor Authentication & Identity Governance: Especially for federated identity systems.
- Security Ownership Culture: Embed accountability across business, IT, and DevOps.

“Despite the security incidents we have witnessed over the past few years, organizations continue to leave critical cloud assets, from sensitive data to secrets, exposed through avoidable misconfigurations.”
— Ari Eitan, Director of Cloud Security Research, Tenable
The Middle East Context: Innovation Needs Guardrails
As countries like the UAE, Saudi Arabia, and Qatar push forward with Vision 2030, National AI Strategies, and paperless governance, cloud platforms are being entrusted with citizen services, critical infrastructure, and national security.
But innovation without security isn’t progress — it’s exposure.
With laws like the UAE PDPL and KSA’s PDPL, organizations have a legal and ethical responsibility to protect personal and sensitive data in the cloud.
Final Word: Proactive, Not Patchwork
Tenable’s report is a sobering reminder that cloud security is no longer about locking the door — it’s about knowing every window, access point, and weak spot before an attacker finds them.
“Security is no longer just a technical issue,” concludes Jacob Mathew. “It’s about trust — from your employees, your customers, and your regulators. The cloud gives us reach and speed. But it’s only as secure as the identity, configuration, and culture behind it.”