82% of companies give third parties access to all cloud data

January 26, 2021

The Wiz Research team conducted extensive research of permissions provided to 3rd party vendors in cloud environments and the results should be a wake-up call:

82% of companies provide 3rd party vendors highly privileged roles. This is a major risk to sensitive data leakage and may pose both a security risk, as well as serious privacy risk.
76% of companies have 3d party roles that allow for full account takeover. This type of access should be reserved for select and closely monitored roles and never be granted as part of a default setup of a 3rd party vendor.
Over 90% of cloud security teams were not aware they gave high permissions to 3rd party vendors.

"In the majority of cases these permissions are there for no reason: the vendor doesn’t actually need them, and the customer team isn’t even aware that they gave them to the vendor. The most common example is the AWS ReadOnlyAccess policy, which is extremely popular amongst 3rd party vendors (a default for 25% of vendors included in our research). Vendors and customers believe it’s a harmless policy, but instead it provides wide read access to many of your databases, DynamoDB, S3 buckets, SQS queues, and more. Wondering why any vendor would need permissions this broad? Well, they don’t," says Shir Tamari, Head of Research.

This is specially important in the aftermath of the SolarWinds attack and the Mimecast certificate breach. "Security teams need to focus on “Minimizing the risk of 3rd parties in your cloud environment”, because it provides room for a supply chain attack and can even lead to compliance risks. Reducing the permissions provided to 3rd parties is an immediate call to action for the industry and a shared responsibility between customers and vendors alike. Customers should be proactive and scrutinize every requested permission, while vendors should understand that “Less is More”. Less permissions means less liability, whereas too many permissions could mean they’re next in line to becoming a target for adversaries," Tamari says.

Overall, the results should be a call for action, as the number of security incidents related to supply chain attacks continue to increase.

For the full report and other findings, please visit https://wiz.io/blog/82-of-companies-unknowingly-give-3rd-parties-access-to-all-their-cloud-data/

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Many of the security screening standards in use today were put in place decades ago. They addressed the threats at the time and employed the security screening equipment that was available.

Poll

Recruiting Diverse Candidates

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

82% of companies give third parties access to all cloud data

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

82% of companies give third parties access to all cloud data

Related Articles

Related Products

Related Events

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.