Threat Feed
high advisory

Uncontrolled VM Growth Leading to Security Gaps in Cloud Environments

Uncontrolled growth of virtual machines (VM sprawl) in cloud environments allows attackers to exploit unmonitored VMs with overly permissive access for lateral movement, data exfiltration, and ransomware deployment.

The increasing adoption of cloud services has led to “VM sprawl”: uncontrolled growth in the number of virtual machines (VMs) provisioned across providers such as AWS, Azure, and GCP, often by individual teams outside any central process. The result is VMs left running unmonitored and unpatched, with access permissions far broader than their workload ever needed. Under the shared responsibility model, cloud service providers (CSPs) secure the underlying platform, but the guest operating system, its patch level, the permissions attached to each VM’s identity, and the network exposure of each instance remain the customer’s responsibility. Neglected VMs therefore become a gap attackers can use for an initial foothold, lateral movement within the cloud environment, data exfiltration, or ransomware deployment. Microsoft’s 2024 State of Multicloud Security Report highlights the growing number of workload identities assigned to VMs, which raises the value of each compromised instance: the attacker inherits whatever the identity can reach. With only 23% of organizations reporting a complete view of their cloud footprint, many have no reliable inventory against which to detect and respond to these threats.

Attack Chain

  1. A machine learning engineer provisions a new VM in the cloud for data processing tasks.
  2. The VM is assigned a workload identity (an instance profile role, managed identity, or service account) with broad read/write access to data storage and other resources, neglecting the principle of least privilege.
  3. The project concludes, but the VM remains running and unmonitored, with its initial, excessive permissions intact and its guest OS no longer patched.
  4. An attacker compromises the neglected VM, for example through an unpatched, network-reachable service or a weak configuration left behind by the project.
  5. From the VM, the attacker probes adjacent instances within the same virtual network (VNet) or virtual private cloud (VPC) over east-west traffic, which default security group and NSG rules frequently permit between members of the same network.
  6. Using the VM’s over-permissioned identity (credentials obtained from the instance metadata service), the attacker gains access to internal databases or storage endpoints.
  7. The attacker moves laterally to other VMs via internal Remote Desktop Protocol (RDP), staging data for exfiltration.
  8. The attacker deploys ransomware across the cloud network, impacting critical workloads and data.

Impact

Compromised and neglected VMs in cloud environments can lead to significant financial and reputational damage. Attackers can exfiltrate sensitive data, deploy ransomware, and disrupt critical business operations; the resulting non-compliance exposes the organization to fines and contractual penalties under standards such as PCI DSS 4.0 and to audit findings against control catalogs such as NIST SP 800-53. IBM’s Cost of a Data Breach 2025 report found that 30% of breaches affected data across multiple environments, demonstrating how far the impact of inadequate cloud security can spread. Dwell time, the interval between initial intrusion and detection, is significantly longer for organizations lacking visibility into their cloud environments, and longer dwell time means more data lost and higher cost. According to a recent survey, one in three SMBs reported being hit with substantial fines following a cyberattack.

Recommendation

  • Maintain a single VM inventory across all cloud platforms (for example from AWS Config aggregators, Azure Resource Graph, and GCP Cloud Asset Inventory) so that every running instance has a known owner, purpose, and expiry, and instances that outlive their project are found and decommissioned rather than forgotten. Reference: “every organization needs to inventory its VM fleets across all cloud platforms”.
  • Review the permissions attached to each VM identity (instance profile, managed identity, or service account) on a schedule, remove wildcard and unused permissions, and replace shared broad roles with workload-specific ones, so that the blast radius of a compromised VM is limited to what that workload actually needs. Reference: “review the permissions attached to the identity of each VM”.
  • Segment the network so that VMs cannot reach each other by default: tighten security groups and NSGs to the specific ports and peers a workload needs, and review both east-west rules (between instances) and north-south rules (to and from the internet) for unnecessary openness. Reference: “audit their settings for unnecessary ‘east-west’ and ‘north-south’ openness”.
  • Enable and tune process creation logging on cloud VMs (Windows Security event 4688 with command-line auditing or Sysmon event 1; auditd execve rules on Linux) and ship it to the same detection pipeline used for endpoint telemetry, via native cloud agents or a third-party endpoint detection and response (EDR) solution, so that unusual or unauthorized processes on a forgotten VM are noticed as quickly as they would be on an employee laptop. Reference: “security tooling can keep an eye on VMs with the same rigor as applied to the endpoints on employee desks”.
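As an added example (not code from the original advisory or from the reports it cites), the following Python script shows how the first two recommendations combine in practice: it triages a normalised VM inventory for signs of sprawl (missing owner tag, past expiry, long idle time) and scans each VM identity’s policy for wildcard permissions. The inventory records and the IAM-style policy documents are constructed for illustration; a real run would build the list from AWS Config, Azure Resource Graph, or GCP Cloud Asset Inventory exports, and Azure role definitions or GCP bindings would need their own policy check.

```python
"""Triage a multi-cloud VM inventory for sprawl and over-permissioned identities.

Added example, not from the original advisory. The record layout is an assumption:
a flat list of VMs normalised from cloud inventory exports, each carrying the
policy document of its workload identity in AWS IAM JSON syntax.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed sample inventory (not real resources or policies).
INVENTORY = [
    {"provider": "aws", "id": "i-0a1b2c3d", "state": "running",
     "tags": {"owner": "ml-team", "expires": "2025-03-31"},
     "last_activity": "2025-02-28T10:00:00+00:00",
     "identity": "ml-batch-role",
     "policy": {"Statement": [
         {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
         {"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "arn:aws:logs:*:*:*"}]}},
    {"provider": "azure", "id": "vm-web-01", "state": "running",
     "tags": {"owner": "platform", "expires": "2026-01-01"},
     "last_activity": "2025-05-31T23:00:00+00:00",
     "identity": "web-msi",
     "policy": {"Statement": [
         {"Effect": "Allow", "Action": ["storage:read"], "Resource": "storage/web-assets"}]}},
    {"provider": "gcp", "id": "scratch-7", "state": "running",
     "tags": {},
     "last_activity": "2025-01-15T08:00:00+00:00",
     "identity": "default-compute-sa",
     "policy": {"Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
]


def stale_reasons(vm, now=NOW, max_idle_days=30):
    """Return the reasons a running VM looks abandoned (empty list if it looks healthy)."""
    reasons = []
    if vm["state"] != "running":
        return reasons
    tags = vm.get("tags", {})
    if "owner" not in tags:
        reasons.append("no owner tag")
    expires = tags.get("expires")
    if expires and datetime.fromisoformat(expires).replace(tzinfo=timezone.utc) < now:
        reasons.append(f"past expiry {expires}")
    idle = now - datetime.fromisoformat(vm["last_activity"])
    if idle > timedelta(days=max_idle_days):
        reasons.append(f"idle {idle.days} days")
    return reasons


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def broad_statements(policy):
    """Flag Allow statements whose action or resource is a full wildcard."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        wild_actions = [a for a in _as_list(st.get("Action", [])) if a == "*" or a.endswith(":*")]
        wild_resources = [r for r in _as_list(st.get("Resource", [])) if r == "*"]
        if wild_actions or wild_resources:
            findings.append({"actions": wild_actions, "resources": wild_resources})
    return findings


def triage(inventory, now=NOW):
    """Map VM id -> sprawl reasons and identity findings, only for VMs that need attention."""
    report = {}
    for vm in inventory:
        reasons = stale_reasons(vm, now)
        broad = broad_statements(vm["policy"])
        if reasons or broad:
            report[vm["id"]] = {"stale": reasons, "identity": vm["identity"], "broad": broad}
    return report


if __name__ == "__main__":
    for vm_id, finding in triage(INVENTORY).items():
        print(vm_id, finding)
```

The wildcard check is deliberately conservative: it only flags `*` actions, `service:*` actions and `*` resources, so the partial wildcard in the `logs:` resource above passes. Partially scoped ARNs and unused-but-granted permissions are better judged with the provider’s own analyser (for example IAM Access Analyzer’s unused access findings) once the obvious cases are gone.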

Detection coverage (2 rules)

Detect Suspicious Process Execution via East-West Traffic

medium

Detects potential lateral movement attempts by identifying suspicious processes executed on VMs after network connections originating from within the same VPC/VNet.

sigma tactics: lateral_movement techniques: T1021.002 sources: process_creation, windows
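The rule itself is kept in the platform; the following Python is an added example of the correlation logic the description above calls for, not the platform’s Sigma rule. It pairs Windows Security event 4624 network logons (LogonType 3, which is what SMB/admin-share access produces, matching T1021.002) from an address inside the VNet/VPC with event 4688 process creations under the same logon ID within a short window, and alerts when the new process has a remote-execution parent such as services.exe or is a shell or discovery binary. The event records are constructed and simplified; their field names follow the Security log but are an assumption about what your pipeline emits.

```python
"""Correlate east-west network logons with follow-on process creation on a Windows VM.

Added example, not the platform's rule. Events below are constructed and use
simplified Windows Security log field names (an assumption about the pipeline).
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import ntpath

# Address ranges that count as "inside the VNet/VPC"; adjust to your address plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Parents that indicate service-based or WMI remote execution, and images that a
# fresh network logon should rarely spawn directly.
REMOTE_EXEC_PARENTS = {"services.exe", "wmiprvse.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "net.exe", "wmic.exe", "rundll32.exe"}
WINDOW = timedelta(seconds=60)

# Constructed sample telemetry from one VM (not real data).
EVENTS = [
    {"ts": "2025-06-01T02:10:00", "id": 4624, "logon_type": 3, "src_ip": "10.0.1.25",
     "logon_id": "0x3e7a1", "user": "svc-deploy"},
    {"ts": "2025-06-01T02:10:04", "id": 4688, "logon_id": "0x3e7a1",
     "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-06-01T02:10:06", "id": 4688, "logon_id": "0x3e7a1",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net view \\10.0.1.30"},
    # Legitimate backup agent: internal logon, but a benign process 20 minutes later.
    {"ts": "2025-06-01T09:00:00", "id": 4624, "logon_type": 3, "src_ip": "10.0.1.40",
     "logon_id": "0x5a10", "user": "backup-agent"},
    {"ts": "2025-06-01T09:20:00", "id": 4688, "logon_id": "0x5a10",
     "parent": r"C:\Program Files\Backup\agent.exe", "image": r"C:\Program Files\Backup\worker.exe",
     "cmdline": "worker.exe --run"},
    # North-south logon from outside the VNet: out of scope for this east-west rule.
    {"ts": "2025-06-01T11:00:00", "id": 4624, "logon_type": 3, "src_ip": "203.0.113.7",
     "logon_id": "0x7b00", "user": "admin"},
    {"ts": "2025-06-01T11:00:03", "id": 4688, "logon_id": "0x7b00",
     "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _name(path):
    # ntpath handles backslash paths regardless of the host OS.
    return ntpath.basename(path).lower()


def correlate(events, window=WINDOW):
    """Return alerts for suspicious 4688 events that follow an internal 4624 LogonType 3 logon."""
    logons = {}   # logon_id -> 4624 record for network logons from inside the VNet/VPC
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 4624:
            if ev["logon_type"] == 3 and is_internal(ev["src_ip"]):
                logons[ev["logon_id"]] = ev
        elif ev["id"] == 4688:
            logon = logons.get(ev["logon_id"])
            if logon is None:
                continue
            elapsed = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(logon["ts"])
            if elapsed > window:
                continue
            parent, image = _name(ev["parent"]), _name(ev["image"])
            if parent in REMOTE_EXEC_PARENTS or image in SHELL_IMAGES:
                alerts.append({"src_ip": logon["src_ip"], "user": logon["user"],
                               "logon_id": ev["logon_id"], "parent": parent, "image": image,
                               "cmdline": ev["cmdline"],
                               "seconds_after_logon": int(elapsed.total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Keying on the logon ID rather than on time alone is what keeps the backup agent quiet: its process runs under the same session but outside the window and with an unremarkable parent. The external logon at 11:00 is ignored here on purpose; a north-south rule, not this one, should cover it.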

Detect Azure VM Creation from Uncommon Source IPs

high

Detects the creation of Azure VMs initiated from IP addresses not typically associated with administrative activity, which may indicate compromised Azure accounts being used to spin up resources for malicious purposes.

sigma tactics: resource_development techniques: T1583.001 sources: webserver, linux
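Again the platform’s rule is not reproduced here; the Python below is an added example of one way to implement the detection the description calls for. It builds a per-caller baseline of source IPs from a window of recent Azure Activity Log entries, treats known corporate egress ranges as trusted, and alerts on successful VM writes (the operation that creates or updates a VM) from any other address. The history and new events are constructed; the field names (caller, callerIpAddress, operationName, status) mirror the Activity Log schema but the exact shape is an assumption about your export.

```python
"""Flag Azure VM creations from source IPs not seen in a caller's recent admin activity.

Added example, not the platform's rule. Records are constructed; field names
mirror the Azure Activity Log but treat the exact shape as an assumption.
"""
from ipaddress import ip_address, ip_network

# Activity Log exports vary in case, so compare lower-cased.
VM_WRITE = "microsoft.compute/virtualmachines/write"
# Known corporate egress ranges; trusted even if unseen for a given caller.
TRUSTED_EGRESS = [ip_network("198.51.100.0/24")]

# Constructed baseline window (e.g. the previous 30 days); not real log data.
HISTORY = [
    {"caller": "alice@corp.example", "callerIpAddress": "198.51.100.10",
     "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded"},
    {"caller": "alice@corp.example", "callerIpAddress": "198.51.100.11",
     "operationName": "Microsoft.Compute/virtualMachines/restart/action", "status": "Succeeded"},
    {"caller": "bob@corp.example", "callerIpAddress": "203.0.113.200",
     "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded"},
]

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = [
    # alice creating a VM from an address she has never used: alert
    {"caller": "alice@corp.example", "callerIpAddress": "203.0.113.55",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "status": "Succeeded",
     "resource": "rg-scratch/vm-new-01"},
    # bob from his usual (non-corporate) address: in baseline, no alert
    {"caller": "bob@corp.example", "callerIpAddress": "203.0.113.200",
     "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded",
     "resource": "rg-apps/vm-api-02"},
    # carol has no history, but comes from corporate egress: trusted, no alert
    {"caller": "carol@corp.example", "callerIpAddress": "198.51.100.12",
     "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded",
     "resource": "rg-apps/vm-api-03"},
    # a read from the unusual address is not a creation: ignored by this rule
    {"caller": "alice@corp.example", "callerIpAddress": "203.0.113.55",
     "operationName": "Microsoft.Compute/virtualMachines/read", "status": "Succeeded",
     "resource": "rg-scratch/vm-new-01"},
    # dave: failed attempt is skipped, the later success is alerted
    {"caller": "dave@corp.example", "callerIpAddress": "192.0.2.9",
     "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Failed",
     "resource": "rg-scratch/vm-new-02"},
    {"caller": "dave@corp.example", "callerIpAddress": "192.0.2.9",
     "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded",
     "resource": "rg-scratch/vm-new-02"},
]


def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_EGRESS)


def build_baseline(history):
    """caller -> set of source IPs seen in any successful operation during the window."""
    baseline = {}
    for rec in history:
        if rec["status"] == "Succeeded":
            baseline.setdefault(rec["caller"], set()).add(rec["callerIpAddress"])
    return baseline


def detect_uncommon_vm_creations(events, baseline):
    """Return one alert per successful VM write from an address that is neither trusted nor in the caller's baseline."""
    alerts = []
    for rec in events:
        if rec["operationName"].lower() != VM_WRITE or rec["status"] != "Succeeded":
            continue
        ip = rec["callerIpAddress"]
        known = baseline.get(rec["caller"], set())
        if is_trusted(ip) or ip in known:
            continue
        alerts.append({"caller": rec["caller"], "ip": ip, "resource": rec["resource"],
                       "known_ips": sorted(known)})
    return alerts


if __name__ == "__main__":
    for alert in detect_uncommon_vm_creations(NEW_EVENTS, build_baseline(HISTORY)):
        print(alert)
```

Two tuning points matter in production: the baseline should be rebuilt on a rolling window so that a remote worker’s new home address ages in rather than alerting forever, and failed writes from unknown addresses, skipped here, are worth a separate lower-severity signal because they can be the first sign of a stolen credential being tried out.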

Detection queries are kept inside the platform.