NEW YORK — Datadog, Inc. (NASDAQ: DDOG), the monitoring and security platform for cloud applications, today released its new report, The State of Cloud Security 2023. Datadog analyzed security posture data from thousands of organizations using AWS, Azure or Google Cloud for the report, focusing particularly on understanding how organizations approach and mitigate common risks that frequently lead to documented public cloud security incidents.

The report found that organizations still face significant challenges when it comes to securing their cloud environments. Long-lived credentials, in particular, continue to be a widespread problem. These types of credentials are widely regarded as insecure, not only because they never expire but also because they can easily be leaked in source code, container images or configuration files. They remain one of the most common causes of security breaches in the cloud.

Other key findings from the report include:

• Multi-factor authentication (MFA) is not proactively enforced: In October 2023, 20.3% of IAM users that had authenticated to the AWS Console had done so without using MFA and 20.7% of Azure AD users that had authenticated had done so without MFA.
• Adoption of AWS IMDSv2 is rising but still insufficient: Although it’s critical to protect against server-side request forgery attacks in AWS, only 21% of EC2 instances enforce IMDSv2, up from 7% last year.
• A substantial portion of cloud workloads are excessively privileged: 37% of Google Cloud VMs and 23% of EC2 instances have sensitive permissions that would allow an attacker to gain privileged access or wide data access in a cloud environment.
• Publicly exposed virtual machines pose a risk to cloud environments: 7% of EC2 instances, 3% of Azure VMs and 12% of Google Cloud VMs have at least one port allowing traffic from the internet, leaving them at risk of brute-force attacks.

“Cloud security posture has significantly improved as providers deliver more secure defaults on their platforms and as organizations gain a greater understanding of security risks,” said Jeremy Garcia, VP of Technical Community and Open Source at Datadog. “However, there is still a lot of work to be done. Issues like long-lived credentials, MFA adoption and public VM exposure can be difficult to identify, prioritize and fix. The best defense, along with a deeper awareness of security risks, is to continuously scan for and fix misconfigurations and vulnerabilities so that breaches can be avoided before they happen.”

The State of Cloud Security 2023 is available now. For the full results, please visit: https://www.datadoghq.com/state-of-cloud-security/. To learn how Datadog helps companies secure their cloud environments, visit: https://www.datadoghq.com/product/cloud-security-management/.

About Datadog

Datadog is the observability and security platform for cloud applications. Our SaaS platform integrates and automates infrastructure monitoring, application performance monitoring, log management, real-user monitoring, and many other capabilities to provide unified, real-time observability and security for our customers’ entire technology stack. Datadog is used by organizations of all sizes and across a wide range of industries to enable digital transformation and cloud migration, drive collaboration among development, operations, security and business teams, accelerate time to market for applications, reduce time to problem resolution, secure applications and infrastructure, understand user behavior, and track key business metrics.

Forward-Looking Statements

This press release may include certain “forward-looking statements” within the meaning of Section 27A of the Securities Act of 1933, as amended, or the Securities Act, and Section 21E of the Securities Exchange Act of 1934, as amended including statements on the benefits of new products and features. These forward-looking statements reflect our current views about our plans, intentions, expectations, strategies and prospects, which are based on the information currently available to us and on assumptions we have made. Actual results may differ materially from those described in the forward-looking statements and are subject to a variety of assumptions, uncertainties, risks and factors that are beyond our control, including those risks detailed under the caption “Risk Factors” and elsewhere in our Securities and Exchange Commission filings and reports, including the Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission on May 5, 2023, as well as future filings and reports by us. Except as required by law, we undertake no duty or obligation to update any forward-looking statements contained in this release as a result of new information, future events, changes in expectations or otherwise.