The head of security advocacy at cloud-based monitoring and analytics platform Datadog has urged businesses in Australia and the APAC region to accelerate the phasing out of long-lived credentials for the popular hyperscale cloud services, warning that they remain a serious data-breach risk.
In an interview with TechRepublic, Andrew Krug highlighted findings from Datadog’s State of Cloud Security 2024 report, which identified long-lived credentials as a persistent security risk factor. While credential management practices are improving, Krug noted, they are not evolving as quickly and effectively as needed to mitigate risks.
Long-lived credentials are still a big threat to cloud security
The report revealed that nearly half (46%) of organizations using AWS rely on IAM users for human access to cloud environments—a practice that Datadog called a form of long-lived credentialing. This held even for organizations that use centralized identity management to grant access across multiple systems.
Additionally, nearly one in four relied solely on IAM users without implementing centralized federated authentication. According to Datadog, this points to an ongoing problem: while centralized identity management is becoming more common, unmanaged users with long-lived credentials continue to pose a significant security risk.
The prevalence of long-term credentials covers all major cloud providers and often includes outdated or unused access keys. The report found that 62% of Google Cloud accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications had access keys older than a year.
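As an added illustration of the key-age check behind those figures (example code, not from the Datadog report or TechRepublic): the script below parses a constructed sample laid out like the AWS IAM credential report (a real one is fetched with the iam:GenerateCredentialReport and GetCredentialReport APIs) and flags active access keys that are older than a year or have gone unused for 90 days. The sample rows, the fixed clock and the thresholds are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of the AWS IAM credential report
# (a subset of its columns); these are not real account data.
SAMPLE_REPORT = """user,arn,user_creation_time,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2019-03-01T00:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-06-10T09:00:00+00:00,true,true,2022-06-10T09:00:00+00:00,2024-11-01T12:00:00+00:00,false,N/A,N/A
ci-bot,arn:aws:iam::111122223333:user/ci-bot,2023-01-15T10:22:33+00:00,false,true,2024-09-01T00:00:00+00:00,2024-11-10T08:00:00+00:00,true,2021-05-05T00:00:00+00:00,N/A
bob,arn:aws:iam::111122223333:user/bob,2024-10-01T00:00:00+00:00,true,true,2024-10-01T00:00:00+00:00,N/A,false,N/A,N/A
"""

# Fixed "now" (an assumption) so the sample audit is reproducible.
NOW = datetime(2024, 11, 15, tzinfo=timezone.utc)


def _parse(ts):
    """The report uses N/A / not_supported / no_information for absent dates."""
    if ts in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(ts)


def stale_access_keys(report_csv, now=NOW, max_age_days=365, max_idle_days=90):
    """Return (user, key_slot, reason) for every active access key that is
    older than max_age_days or has not been used for max_idle_days.
    A key that was never used is measured from its last rotation date."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive keys cannot be used; skip them
            rotated = _parse(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse(row[f"access_key_{slot}_last_used_date"])
            if rotated and now - rotated > timedelta(days=max_age_days):
                findings.append((row["user"], slot, f"older than {max_age_days} days"))
            reference = last_used or rotated
            if reference and now - reference > timedelta(days=max_idle_days):
                findings.append((row["user"], slot, f"unused for {max_idle_days}+ days"))
    return findings


if __name__ == "__main__":
    for user, slot, reason in stale_access_keys(SAMPLE_REPORT):
        print(f"{user}: access key {slot} {reason}")
```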
Long-term credentials are associated with a significant risk of data leakage
According to Datadog, long-lived cloud credentials never expire and are often leaked in source code, container images, build logs, and application artifacts. Past research by the company has shown that they are the most common cause of publicly documented cloud security breaches.
Krug said mature tools already exist to keep secrets out of production, such as static code analysis. The Datadog report also notes an increase in IMDSv2 enforcement on AWS EC2 instances, an important mechanism for blocking theft of instance credentials from the metadata service.
There are fewer long-term credentials, but change is too slow
Steps have been taken to mitigate the problem, such as the launch of the AWS IAM Identity Center, which allows organizations to centrally manage access to AWS applications. While companies are in the process of transitioning to the service, Krug said, “I just don’t know that everyone is making it their top priority.”
“It certainly should be, because if we look at the last 10 years of data breaches, the primary theme is that long-lived access key pairs were the main cause of these data breaches, combined with an overly permissive approach,” he explained. “If we remove one page, we really reduce the risk to the business substantially.”
The problem with long-lasting credentials is not unique to APAC – it’s a global problem
According to Krug, APAC is no different from the rest of the world. As there is no regulation in any particular jurisdiction to govern the management of long-term cloud credentials, companies around the world use similar approaches with similar cloud providers, often across different global jurisdictions.
What prevents a shift away from long-standing credentials?
The effort required to transition teams to single sign-on and temporary credentials has slowed the adoption of these practices. Krug said the “lift and shift” involved in migrating development workflows to single sign-on can be significant. This is partly because of the mindset change required and partly because organizations need to provide adequate support and guidance to help teams adapt.
But he noted that tools like the AWS Identity Center, which have been available for three years, have made the transition more feasible. These tools are designed to reduce developer friction by streamlining the authentication process, minimizing the need for repeated MFA logins, and ensuring workflows remain efficient.
“AWS Identity Center is a great product and enables these very seamless user flows, but people are still at the center of the stream in migrating to it,” Krug said.
What should you do with your long-standing credentials?
The Datadog report warned that it is unrealistic to expect long-lived credentials to be managed securely. The vendor recommends that companies adopt secure identities with modern authentication mechanisms, use short-lived credentials, and actively monitor changes to the APIs commonly used by attackers.
“Organizations should use mechanisms that provide time-limited and temporary credentials,” the report said.
Workloads: For workloads, Datadog said this can be achieved with IAM roles for EC2 instances or EKS Pod Identities in AWS, Managed Identities in Microsoft Azure, and service accounts attached to workloads in Google Cloud, which covers organizations using any of the major global hyperscalers.
People: For human users, Datadog says the most efficient solution is to centralize identity management using solutions like AWS IAM Identity Center, Okta or Microsoft Entra ID, and to avoid creating individual cloud users for each employee, which it called “highly inefficient and risky.”