In a recent analysis of more than 3.6 million cloud assets, Tenable’s research team found that nearly 10% of publicly accessible cloud storage locations held sensitive or confidential data. More than half of the containerised workloads studied contained hard-coded secrets: access keys, tokens, credentials, all sitting in plain text. Almost a third of organisations had at least one workload that was exposed to the internet, vulnerable to known exploits, and configured with excessive privileges. We call that combination the “toxic cloud triad.”
There’s something strange about how invisible the cloud has remained, even as it has come to underpin everything. It is where our tax records, biometric IDs, pandemic playbooks, and public AI models live now. In a growing number of Asia Pacific countries, it is also where governance itself increasingly resides.
Despite how central the cloud has become to the modern state, we continue to treat it like a glorified IT service—a tool, a convenience, something that belongs to technologists—not the same class of infrastructure as roads, railways, or national power grids. This mismatch between the criticality of what is being built and the looseness with which it is being secured is becoming harder to ignore.
