Infosecurity Magazine reports that identity issues have become the primary source of cloud security risk, according to ReliaQuest’s latest threat report. The security firm found that 44% of true-positive alerts in Q3 2025 stemmed from identity-related weaknesses like excessive permissions and credential abuse. Attackers can now purchase legitimate cloud credentials on dark web markets for as little as $2 because organizations store them insecurely. Making matters worse, ReliaQuest claims that 99% of cloud identities are over-privileged, giving attackers immediate access once they obtain credentials. The report also highlighted that 71% of critical vulnerability alerts came from just four CVEs dating back to 2021, showing how legacy vulnerabilities keep getting redeployed through automated processes.
The Two-Dollar Nightmare
Here’s the thing that should terrify every security team: your cloud credentials are basically worth less than a cup of coffee on criminal markets. For $2, an attacker can bypass all your fancy perimeter defenses and just log in as a legitimate user. And they’re not breaking in – they’re using keys that your own organization leaked through insecure storage, phishing, or infostealer malware.
The real kicker? Once they’re in, they probably have more access than they need because 99% of cloud identities are over-privileged. Think about that number for a second. It’s not “some” or “many” – it’s practically all of them. So an attacker doesn’t need sophisticated techniques – they just escalate using permissions you already gave them.
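One way to measure the over-privilege described above is to compare what each identity is granted with what it actually used in audit logs. The Python below is an added example, not code from the ReliaQuest report or this article; the identity names, action strings and audit events are constructed sample data, and the `service:Action` format is an assumption.

```python
from fnmatch import fnmatchcase

# Constructed sample data (hypothetical identities and action names).
GRANTED = {
    "ci-deployer": ["storage:PutObject", "storage:GetObject", "compute:*"],
    "report-reader": ["storage:GetObject"],
    "legacy-admin": ["*"],
}

# Constructed audit events: (identity, action actually invoked) in the review window.
AUDIT_EVENTS = [
    ("ci-deployer", "storage:PutObject"),
    ("ci-deployer", "compute:StartInstance"),
    ("report-reader", "storage:GetObject"),
    ("legacy-admin", "storage:GetObject"),
]


def audit_identity(grants, used_actions):
    """Compare one identity's grants with the actions it actually used."""
    # A grant is unused if no observed action matches it (wildcards included).
    unused = [g for g in grants if not any(fnmatchcase(a, g) for a in used_actions)]
    # Wildcard grants allow more than was observed even when they are "used".
    wildcards = [g for g in grants if "*" in g]
    return {
        "unused": sorted(unused),
        "wildcards": sorted(wildcards),
        "suggested": sorted(used_actions),  # candidate least-privilege policy
        "over_privileged": bool(unused or wildcards),
    }


def audit_all(granted, events):
    """Build a per-identity report from grants and audit events."""
    used = {name: set() for name in granted}
    for identity, action in events:
        if identity in used:  # ignore events for identities not under review
            used[identity].add(action)
    return {name: audit_identity(g, used[name]) for name, g in granted.items()}


def over_privileged_ratio(report):
    """Fraction of reviewed identities holding unused or wildcard grants."""
    return sum(r["over_privileged"] for r in report.values()) / len(report)


if __name__ == "__main__":
    report = audit_all(GRANTED, AUDIT_EVENTS)
    for name, result in report.items():
        print(name, result)
    print(f"over-privileged: {over_privileged_ratio(report):.0%}")
```

The review window has to be long enough to cover periodic jobs; an identity with no events in the window shows every grant as unused.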
DevOps Disaster
Now let’s talk about the other side of this mess. The cloud’s automation capabilities, which were supposed to make everything faster and better, are systematically redeploying vulnerabilities from 2021. We’re not talking about new zero-days here – these are known issues that keep getting baked into new deployments because nobody’s fixing the templates.
So organizations are essentially building their technical debt into every new server, container, and function. And security teams can’t keep up because new assets get created faster than they can manually scan them. It’s like trying to bail out a boat that’s springing new leaks faster than you can patch the old ones.
What Actually Works?
Look, we’ve been hearing about “improving cloud security posture” for years, but clearly the current approaches aren’t cutting it. The fundamental problem seems to be that speed and security are still treated as competing priorities rather than integrated requirements.
When credentials are this cheap and vulnerabilities this persistent, maybe we need to stop treating cloud security as something you bolt on afterward. The ReliaQuest report makes valid points, but I’m skeptical whether organizations will actually prioritize fixing identity management over shipping new features. After all, security doesn’t directly generate revenue – until it fails spectacularly.
