82% of companies give third parties access to all cloud data

January 26, 2021

The Wiz Research team conducted extensive research of permissions provided to 3rd party vendors in cloud environments and the results should be a wake-up call:

82% of companies provide 3rd party vendors highly privileged roles. This is a major risk to sensitive data leakage and may pose both a security risk, as well as serious privacy risk.
76% of companies have 3d party roles that allow for full account takeover. This type of access should be reserved for select and closely monitored roles and never be granted as part of a default setup of a 3rd party vendor.
Over 90% of cloud security teams were not aware they gave high permissions to 3rd party vendors.

"In the majority of cases these permissions are there for no reason: the vendor doesn’t actually need them, and the customer team isn’t even aware that they gave them to the vendor. The most common example is the AWS ReadOnlyAccess policy, which is extremely popular amongst 3rd party vendors (a default for 25% of vendors included in our research). Vendors and customers believe it’s a harmless policy, but instead it provides wide read access to many of your databases, DynamoDB, S3 buckets, SQS queues, and more. Wondering why any vendor would need permissions this broad? Well, they don’t," says Shir Tamari, Head of Research.

This is specially important in the aftermath of the SolarWinds attack and the Mimecast certificate breach. "Security teams need to focus on “Minimizing the risk of 3rd parties in your cloud environment”, because it provides room for a supply chain attack and can even lead to compliance risks. Reducing the permissions provided to 3rd parties is an immediate call to action for the industry and a shared responsibility between customers and vendors alike. Customers should be proactive and scrutinize every requested permission, while vendors should understand that “Less is More”. Less permissions means less liability, whereas too many permissions could mean they’re next in line to becoming a target for adversaries," Tamari says.

Overall, the results should be a call for action, as the number of security incidents related to supply chain attacks continue to increase.

For the full report and other findings, please visit https://wiz.io/blog/82-of-companies-unknowingly-give-3rd-parties-access-to-all-their-cloud-data/

How can you advance your career in the security industry with the skills and competencies necessary to benefit your organization? What will the security executive and the security function of the future look like? Join us as we hear from veterans in the security industry about their experiences, their lessons learned, and best practices for advancing their careers.

Security measures today tend to focus on controlling access, albeit with limitations. Many organizations, for example, know how many people have entered a secure location, but not how many have left.

82% of companies give third parties access to all cloud data

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

82% of companies give third parties access to all cloud data

Related Articles

Related Products

Related Events

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.