Across the Asia-Pacific region, governments and enterprises are investing heavily in cloud computing to drive economic growth, innovation, and digital inclusion. In Jakarta, cloud-based platforms are reshaping payments and logistics. In Manila, public services are rapidly moving online to reach underserved communities. In Singapore, artificial intelligence development is being built almost entirely on cloud-native infrastructure.
Yet as adoption accelerates, security is being left behind. According to research from Tenable, the very environments powering Asia’s digital ambitions are quietly accumulating systemic risk. Sensitive data is being stored in public locations, secrets and credentials are embedded in code, and AI workloads are being deployed with critical vulnerabilities that remain unpatched.
This is not a matter of a few poorly managed environments or isolated errors. The problem is widespread and structural. According to Tenable’s 2025 Cloud Security Risk Report, nine percent of publicly accessible cloud storage resources contain sensitive data. While this may seem like a small proportion, the vast scale of modern cloud environments means that even a single exposed storage bucket can hold thousands or even millions of records. Nearly all of the data found was classified as confidential or restricted, including personally identifiable information, financial records, intellectual property, and credentials. These exposures are not hypothetical risks. They represent real and immediate vulnerabilities that threat actors can exploit to gain unauthorized access to critical systems.
New data highlights the scale of the threat. Verizon’s 2025 Data Breach Investigations Report found that four out of five breaches in Asia-Pacific involved system intrusions, up from just 38 percent the previous year. This surge reflects a growing reliance on automated exploit techniques that target precisely the kind of misconfigurations and leaked credentials revealed in the Tenable research.
Secrets, such as API keys, tokens, and encryption credentials, remain a particularly high-value target for attackers. These are often embedded in code or stored in configuration files to support automated cloud operations. When exposed, they can provide direct, unaudited access to sensitive systems, making them a frequent entry point for large-scale breaches. The Tenable report notes that more than half of organizations using AWS Elastic Container Service had at least one secret embedded in a deployment. Similar exposures were found in Google Cloud and Microsoft Azure environments. In many cases, these secrets are stored in places that developers assume to be internal, but that are accessible to anyone with sufficient permissions or initial access.
The risk is further compounded by the persistence of what Tenable describes as the toxic cloud triad. Nearly 30 percent of organizations had at least one cloud workload that was publicly exposed, critically vulnerable, and excessively privileged. This combination creates an ideal scenario for attackers, allowing them to exploit a single weakness and quickly move laterally across an environment.
Asia’s fast-growing digital economy makes this threat even more urgent. In many parts of Southeast Asia, new digital services are launched without the legacy systems that often act as friction points in more mature markets. This allows for rapid innovation, but also means that security is frequently treated as an afterthought. Startups prioritize speed and scalability. Public sector initiatives race toward implementation targets. In both cases, the absence of embedded security governance has created conditions ripe for exploitation.
There are signs of progress. A majority of organizations using AWS in the region have adopted identity provider services to centralize authentication. This is a welcome shift, but it does not eliminate risk. Many environments still rely on standing permissions and overly permissive defaults. Multi-factor authentication, despite its proven efficacy, remains underutilized due to concerns about user experience and operational complexity.
Artificial intelligence adds further complexity. According to the Tenable report, 70 percent of cloud-hosted AI workloads contain at least one unpatched critical vulnerability. Many are deployed with overprivileged service accounts that can grant attackers far more access than necessary. As AI becomes more embedded in enterprise operations and public services across Asia, these vulnerabilities present not only a cybersecurity risk but also a compliance and reputational threat.
Several governments are already tightening their regulatory frameworks to reflect the new realities of cloud dependence. Singapore’s amended Cybersecurity Act brings cloud service providers and data centres under the scope of national oversight, with expanded reporting obligations and inspection powers for the Cyber Security Agency. India has enacted its long-awaited Digital Personal Data Protection Act, setting clearer obligations around data handling and breach disclosure. In Australia, lawmakers have raised breach penalties and expanded the definition of critical infrastructure to cover more digital services.
These regulatory developments are important, but legislation alone will not close the gap. What Asia needs most is a shift in mindset. Cloud security must be treated not as a compliance checkbox, but as a fundamental business priority. Executives and boards should be asking where sensitive data resides, who has access, and whether misconfigurations are being identified and addressed in real time.
The good news is that solutions exist. Cloud platforms offer mature tools for secrets management, identity governance, and automated detection of risky configurations. What is missing in many organizations is the operational discipline to use them effectively. Security must be built into the development lifecycle from the outset. It cannot be bolted on after launch.
Asia’s cloud transformation remains one of the great success stories of the modern digital economy. But if its next chapter is to deliver sustainable, inclusive growth, it must be underpinned by resilient and secure digital infrastructure. Every exposed API, leaked credential, or unpatched AI workload is not just a technical misstep. It is a business risk waiting to be exploited.
The organizations and governments that succeed in the coming decade will be those that understand the importance of cloud security, invest in the right tools and talent, and treat the issue not as a cost centre but as a core enabler of trust. The opportunity is enormous. But so is the risk of getting it wrong.
Nigel Ng is Senior Vice President, APJ at Tenable.