Cloud Security Gaps Expose SEA Firms to Breaches

Businesses in Singapore and across Southeast Asia are facing a silent crisis of cloud vulnerabilities, according to the 2025 Cloud Security Risk Report released by Tenable®, the Exposure Management company.

The report uncovers alarming security gaps in cloud environments, from misconfigured storage exposing sensitive data to embedded secrets in workloads, that could lead to data breaches, financial losses, and serious regulatory repercussions.

The findings are particularly relevant for organisations operating in regulated sectors or managing cross-border data flows.

In Singapore, where data protection and cybersecurity are tightly governed under frameworks such as the Cybersecurity Act, Personal Data Protection Act (PDPA), and Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines, poor visibility into cloud assets and misconfigurations can have serious compliance repercussions.

Similarly, Indonesia’s Personal Data Protection Law (PDP Law), Thailand’s Personal Data Protection Act (PDPA), Malaysia’s Personal Data Protection Act (PDPA), and the Philippines’ Data Privacy Act all impose stringent requirements on data protection, cross-border transfers, and cloud security.

Together, these regulations highlight the urgent need for organisations across Southeast Asia to prioritise strong cloud governance and security to meet evolving compliance and cybersecurity demands.

The research reveals a significant and widespread risk, finding that 9% of all analysed cloud storage resources contain restricted or confidential information. In environments housing vast volumes of data, this seemingly small percentage translates to millions of sensitive records potentially exposed.

Even more alarming, nearly one in ten publicly accessible storage locations holds sensitive data, driven by common misconfigurations, weak access controls, and limited visibility, exposing organisations across industries to serious security and compliance threats in line with local/regional data residency expectations.

The risks do not end there. Tenable’s findings show that 54% of organisations with AWS ECS task definitions have a secret embedded within them, exposing businesses to the threat of full cloud environment takeovers or exploitation activities like unauthorised crypto mining.

Even within AWS EC2 instances, 3.5% contain credentials embedded in user data, giving attackers a clear pathway to escalate privileges and compromise environments.

“Secrets are the keys to the kingdom, yet many organisations are unknowingly leaving them unguarded across their cloud infrastructures,” said Ari Eitan, Director of Cloud Security Research at Tenable.

“In today’s threat landscape, complacency is costly. Organisations must treat secrets with the highest level of security hygiene to prevent attackers from gaining footholds that can spiral into full-blown breaches.”

With Singapore continuing to scale up cloud adoption, supported by national initiatives like IMDA’s Cloud Outage Incident Response (COIR) framework and regional efforts to enable secure digital economies, the report highlights the urgent need for a proactive, risk-driven security strategy.

“The cloud offers incredible agility, but without strong controls and continuous monitoring, it also opens the door to significant exposures,” Eitan added. “Understanding where your sensitive data and credentials are and who can access them must now be a board-level priority.”

The report reflects findings by the Tenable Cloud Research team based on telemetry from workloads across diverse public cloud and enterprise environments, analysed from October 2024 through March 2025. To download the report today, please visit: https://www.tenable.com/cyber-exposure/tenable-cloud-security-risk-report-2025