82% of companies give third parties access to all cloud data

January 26, 2021

The Wiz Research team conducted extensive research of permissions provided to 3rd party vendors in cloud environments and the results should be a wake-up call:

82% of companies provide 3rd party vendors highly privileged roles. This is a major risk to sensitive data leakage and may pose both a security risk, as well as serious privacy risk.
76% of companies have 3d party roles that allow for full account takeover. This type of access should be reserved for select and closely monitored roles and never be granted as part of a default setup of a 3rd party vendor.
Over 90% of cloud security teams were not aware they gave high permissions to 3rd party vendors.

"In the majority of cases these permissions are there for no reason: the vendor doesn’t actually need them, and the customer team isn’t even aware that they gave them to the vendor. The most common example is the AWS ReadOnlyAccess policy, which is extremely popular amongst 3rd party vendors (a default for 25% of vendors included in our research). Vendors and customers believe it’s a harmless policy, but instead it provides wide read access to many of your databases, DynamoDB, S3 buckets, SQS queues, and more. Wondering why any vendor would need permissions this broad? Well, they don’t," says Shir Tamari, Head of Research.

This is specially important in the aftermath of the SolarWinds attack and the Mimecast certificate breach. "Security teams need to focus on “Minimizing the risk of 3rd parties in your cloud environment”, because it provides room for a supply chain attack and can even lead to compliance risks. Reducing the permissions provided to 3rd parties is an immediate call to action for the industry and a shared responsibility between customers and vendors alike. Customers should be proactive and scrutinize every requested permission, while vendors should understand that “Less is More”. Less permissions means less liability, whereas too many permissions could mean they’re next in line to becoming a target for adversaries," Tamari says.

Overall, the results should be a call for action, as the number of security incidents related to supply chain attacks continue to increase.

For the full report and other findings, please visit https://wiz.io/blog/82-of-companies-unknowingly-give-3rd-parties-access-to-all-their-cloud-data/

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

ON DEMAND: There's a lot at stake when it comes to cybersecurity. Reputation, productivity, quality. Join us to discuss the future of your global security strategy and a path forward with trusted partners Cisco and Rockwell Automation, and turn your Food & Bev security challenges into strategic advantages that drive business value.

82% of companies give third parties access to all cloud data

The latest news and information

Content written for business-minded executives who manage enterprise risk and security

82% of companies give third parties access to all cloud data

Related Articles

Related Products

Related Events

The latest news and information

Content written for business-minded executives who manage enterprise risk and security