Secrets in the Open: Cloud Data Exposures That Put Your Business at Risk
Summary: the article points out that, despite the large sums enterprises spend on cybersecurity, leakage of sensitive data and credentials through publicly accessible cloud services remains a serious problem. The data show that 9% of public cloud storage resources contain sensitive information such as PII, IP and PCI data, and that more than half of organizations using AWS ECS and GCP Cloud Run have secrets embedded in those services. The article stresses that this is not merely a configuration issue but a governance gap, and recommends that security leaders adopt automated data discovery, restrict public access by default, and use cloud-native secrets management tools to strengthen their defenses. 2025-6-18 12:58:0 Author: www.tenable.com

[Image: Tenable Cloud Security Risk Report 2025 cover art, captioned "Inside the Tenable Cloud Risk Report"]

Sensitive data and secrets are leaking. How cloud security leaders can shut them down.

Despite the billions of dollars organizations are investing in cybersecurity, one of the most preventable threats persists: sensitive data and credentials exposed in publicly accessible cloud services. According to the Tenable Cloud Security Risk Report 2025, 9% of public cloud storage resources contain sensitive data — including personally identifiable information (PII), intellectual property (IP), Payment Card Industry (PCI) details, and protected health information (PHI).

Even more concerning, the report shows that over half of organizations using Amazon Web Services (AWS) Elastic Container Service (ECS) task definitions and Google Cloud Platform (GCP) Cloud Run have, knowingly or not, at least one secret embedded in these services.

These exposures are concerning, as they are the kind of exploitable oversights attackers are already scanning for — and weaponizing.

Why this matters to security leaders

Exposed secrets — like API keys and encryption tokens — can open the door to attackers, enabling lateral movement, data exfiltration or full environment takeover.

This isn’t just a misconfiguration issue. It’s a governance gap, made worse by legacy security tooling and, in some cases, the mistaken perception that native cloud services provide sufficient protection.

What you should be doing now

Security leaders must shift from detection to prevention and improve their sensitive data protection by enforcing the following:

  • Automated data discovery and classification: Know what data lives in your environment and continuously assess its sensitivity. This should be an ongoing, telemetry-driven effort — not a quarterly scan.
  • Eliminate public access by default: Enforce least privilege for both data and network access. Public storage should be the rare exception.
  • Employ enterprise-grade secrets management: Remove hardcoded secrets and implement cloud-native tools like AWS Secrets Manager and Microsoft Azure Key Vault.
  • Cloud Security Posture Management (CSPM): Use identity-intelligent CSPM to unify visibility across your cloud footprint and detect misconfigurations, secrets, and excessive permissions in real time.
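As an added illustration of the ECS task-definition exposure and the secrets-management recommendation above (this is not code from the Tenable report or the original post), the checker below flags plaintext secrets in a task definition's `environment` block and accepts only `secrets` entries that pull their value from Secrets Manager or SSM Parameter Store. The name and value patterns are assumed heuristics, and both task definitions are constructed samples.

```python
import json
import re

# Heuristic patterns (my own assumptions, not Tenable's rules): secret-looking
# variable names, AWS access key IDs in values, and the managed-store ARN prefixes
# that an ECS "secrets" entry should reference instead of carrying a literal value.
SECRET_NAME_RE = re.compile(r"SECRET|PASSW(OR)?D|TOKEN|API_?KEY|PRIVATE_?KEY|ACCESS_?KEY", re.I)
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
MANAGED_STORE_RE = re.compile(r"^arn:aws:(secretsmanager|ssm):")

def find_embedded_secrets(task_def: dict) -> list:
    """One finding per container variable that carries a plaintext secret, or per
    'secrets' entry that does not pull from Secrets Manager / SSM Parameter Store."""
    findings = []
    for c in task_def.get("containerDefinitions", []):
        for env in c.get("environment", []):
            name, value = env.get("name", ""), str(env.get("value", ""))
            if AWS_ACCESS_KEY_RE.search(value):
                findings.append((c["name"], name, "AWS access key ID in plaintext value"))
            elif SECRET_NAME_RE.search(name):
                findings.append((c["name"], name, "secret-like variable set as plaintext"))
        for sec in c.get("secrets", []):
            if not MANAGED_STORE_RE.match(sec.get("valueFrom", "")):
                findings.append((c["name"], sec.get("name", ""), "valueFrom is not a managed-store ARN"))
    return findings

# Constructed "before": credentials pasted straight into the environment block.
LEAKY_TASK_DEF = json.loads("""{
 "family": "billing-api",
 "containerDefinitions": [{"name": "api", "image": "example.com/billing-api:1.0",
  "environment": [
   {"name": "LOG_LEVEL", "value": "info"},
   {"name": "DB_PASSWORD", "value": "hunter2"},
   {"name": "UPLOAD_CREDS", "value": "AKIAIOSFODNN7EXAMPLE"}]}]}""")

# Constructed "after": same variables, but injected at launch from Secrets Manager
# and SSM Parameter Store, so the task definition itself no longer holds the values.
HARDENED_TASK_DEF = json.loads("""{
 "family": "billing-api",
 "containerDefinitions": [{"name": "api", "image": "example.com/billing-api:1.0",
  "environment": [{"name": "LOG_LEVEL", "value": "info"}],
  "secrets": [
   {"name": "DB_PASSWORD",
    "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:billing/db-password"},
   {"name": "UPLOAD_CREDS",
    "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/billing/upload-creds"}]}]}""")

if __name__ == "__main__":
    for task in (LEAKY_TASK_DEF, HARDENED_TASK_DEF):
        print(task["family"], find_embedded_secrets(task) or "no embedded secrets")
```

The same walk over `environment` and `secrets` applies to a task definition pulled with the AWS CLI or SDK; the access-key placeholder is the one used in AWS documentation and the account ID is a placeholder.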

Key takeaway: Exposed secrets and sensitive data aren’t obscure edge cases. They’re systemic risks hiding in plain sight — and must be eliminated before attackers exploit them.

Diane Benjuya

Senior Product Marketing Manager, Tenable

Diane Benjuya is a senior product marketing manager in cloud security with 20+ years in the field, more recently focused on cloud infrastructure and identity. When at leisure she enjoys a decent run and a soul-lifting jam session. Diane holds a master's degree in linguistics.



Source: https://www.tenable.com/blog/secrets-in-the-open-cloud-data-exposures-that-put-your-business-at-risk