Are persistent credentials the new Achilles heel of cloud security?

The head of security advocacy at Datadog, a cloud-based monitoring and analytics platform, has urged companies in Australia and APAC to accelerate the phase-out of long-lived credentials for popular hyperscale cloud services, warning that they continue to pose a serious data breach risk.

Speaking to TechRepublic, Andrew Krug highlighted the findings of Datadog’s State of Cloud Security 2024 report, which identified long-lived credentials as an ongoing security risk factor. While entitlement management practices are improving, Krug notes that they are not progressing as quickly or effectively as needed to mitigate risk.

Long-lived credentials still pose a major threat to cloud security

The report found that nearly half (46%) of organizations using AWS rely on IAM users for human access to cloud environments – a practice Datadog describes as a form of long-lived credentials. This was true even for organizations that use centralized identity management to grant access across multiple systems.

Additionally, nearly one in four relied exclusively on IAM users without implementing centralized federated authentication. According to Datadog, this highlights an ongoing problem: While centralized identity management is becoming more common, unmanaged users with persistent credentials continue to pose a significant security risk.

[Figure] Nearly half of organizations using AWS still use persistent credentials. Source: Datadog

The proliferation of persistent credentials spans all major cloud providers and often includes outdated or unused access keys. The report found that 62% of Google Cloud service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications had access keys that were more than a year old.
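One way to check your own AWS account against the year-old-key figure above is to audit the IAM credential report for active access keys that are older than a year or have never been used. This is an added example, not code from Datadog or the report; the column names follow the CSV produced by `aws iam get-credential-report`, while the user names, timestamps and the 90-day idle threshold are constructed assumptions.

```python
"""Audit an AWS IAM credential report for long-lived or unused access keys."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the shape of the IAM credential report (a subset of
# its columns). Users and timestamps are invented for illustration.
SAMPLE_REPORT = """user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,false,N/A,N/A,false,N/A,N/A
alice,true,2022-03-01T00:00:00+00:00,2024-11-20T12:00:00+00:00,false,N/A,N/A
bob,true,2024-09-15T00:00:00+00:00,N/A,true,2023-01-10T00:00:00+00:00,2024-11-28T07:00:00+00:00
ci-deploy,true,2024-10-01T00:00:00+00:00,2024-11-30T23:59:00+00:00,false,N/A,N/A
"""


def _parse(ts):
    """The report uses N/A (and no_information) where no timestamp exists."""
    return None if ts in ("N/A", "no_information", "") else datetime.fromisoformat(ts)


def stale_keys(report_csv, now, max_age_days=365, max_idle_days=90):
    """Return (user, key_slot, reason, days) for every active key that is
    older than max_age_days, has never been used, or has sat idle longer
    than max_idle_days (the idle threshold is an assumed policy value)."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive or absent keys cannot be used
            rotated = _parse(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse(row[f"access_key_{slot}_last_used_date"])
            age = (now - rotated).days if rotated else None
            if age is not None and age > max_age_days:
                findings.append((row["user"], slot, "older_than_max_age", age))
            if last_used is None:
                findings.append((row["user"], slot, "never_used", age))
            elif (now - last_used).days > max_idle_days:
                findings.append((row["user"], slot, "idle", (now - last_used).days))
    return findings


def audit_sample():
    """Run the audit against the constructed report at a fixed reference time."""
    return stale_keys(SAMPLE_REPORT, datetime(2024, 12, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, slot, reason, days in audit_sample():
        print(f"{user}: access key {slot} {reason} ({days} days)")
```

On a real account, replace SAMPLE_REPORT with the decoded `Content` field of the credential report and keep only the findings list as the rotation backlog.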

Long-lived credentials pose a significant risk of data breaches

According to Datadog, long-lived cloud credentials never expire and often end up in source code, container images, build logs and application artifacts. The company’s previous research has shown that they are the most common cause of publicly documented cloud security breaches.


Krug said there are sophisticated tools on the market to ensure secrets don’t end up in production environments, such as static code analysis. Datadog’s report also highlights increasing enforcement of IMDSv2 in AWS EC2 instances, a key security mechanism for blocking credential theft.

Long-lived credentials are declining, but change is happening too slowly

Steps have been taken to mitigate the problem, such as AWS’s introduction of the IAM Identity Center, which allows companies to centrally manage access to AWS applications. While companies are in the process of transitioning to the service, Krug said, “I just don’t know if this is everyone’s top priority.”

“It certainly should be, because when we look at data breaches over the last decade, the main theme is that long-lived access key pairs were the root cause of these data breaches, combined with overly permissive access,” he explained. “If we eliminate one side of that, we really significantly reduce the risk to the company.”

The problem of long-lived credentials is global, not just an APAC problem

According to Krug, APAC is no different from the rest of the world. Because no specific jurisdiction has regulations to control the management of long-lived credentials in the cloud, companies around the world are using similar approaches with similar cloud providers, often across multiple global jurisdictions.

What is holding back the abandonment of long-lived credentials?

The effort required to transition teams to single sign-on and temporary credentials has slowed the adoption of these practices. According to Krug, the “lift and shift” associated with migrating development workflows to single sign-on can be significant. This is partly due to the change in mindset required and partly because organizations need to provide appropriate support and guidance to help teams adapt.

[Figure] Many cloud credentials are more than a year old. Source: Datadog

However, he noted that tools like AWS Identity Center, which has been available for three years, have made this transition easier. These tools are designed to reduce friction for developers by streamlining the authentication process, minimizing the need for repeated MFA logins, and ensuring workflows remain efficient.


“AWS Identity Center is a great product and enables these very seamless user flows, but people are still in the middle of migrating,” Krug said.

What should you do about your long-lived credentials?

Datadog’s report warned that it was unrealistic to expect long-lived credentials to be securely managed. The provider recommends that organizations adopt secure identities with modern authentication mechanisms, leverage ephemeral credentials, and actively monitor changes to APIs that attackers commonly use.

“Organizations should leverage mechanisms that provide time-bound, temporary credentials,” the report says.

Workloads: For workloads, Datadog said this goal can be achieved with IAM roles for EC2 instances or EKS Pod Identity on AWS, managed identities on Microsoft Azure, and service accounts attached to workloads on Google Cloud, if the organization uses the major global hyperscalers.

People: For human users, the most effective solution, according to Datadog, is to centralize identity management using a solution like AWS IAM Identity Center, Okta, or Microsoft Entra ID and avoid creating individual cloud users for each employee, a practice the report describes as “extremely inefficient” and classifies as “risky.”
