Is your data-driven organization under-securing one piece of critical infrastructure?

Hidden business intelligence systems create subtle leverage for adversaries through remote execution, data extraction, reconnaissance, and weak on‑premises lifecycle practices.

In the aftermath of years of innovative cyberattacks, databases have been locked down, cloud environments hardened, and identity and access controls tightened. Yet, one asset that often escapes the same level of scrutiny is the data analytics platform.

This can be especially surprising when we consider that such platforms are what sit on top of all the other data assets to make them usable.

However, analytics platforms often represent some of the less-examined yet more consequential attack surfaces in the modern enterprise.

Why attackers care about analytics

Attackers do not just seek data; they seek leverage. Analytics platforms provide this in large quantities. They are more than just repositories of raw data: they offer context into what an organization relies on most, and how its systems across the organization are connected.

From a threat actor’s perspective, compromising such a platform can provide insight comparable to observing high‑level strategic and operational decisions.

Despite their importance, data analytics platforms and tools are still sometimes viewed as peripheral systems. Rather than being consistently treated as a core concern for IT security teams, they are often owned by business teams, deployed for productivity gains and trusted by default. This implicit trust, as evinced by our research, can become a major liability when not managed.

Such platforms are often exploitable:

• Vulnerabilities that enable a remote code execution chain. Once that barrier is crossed, the impact can extend beyond the application itself. Remote code execution can allow attackers to access credentials, manipulate data pipelines, move laterally within the environment or establish persistence. It effectively turns a trusted analytics service into a potential entry point for broader compromise. In cloud‑hosted environments, the risk is amplified. Vulnerabilities expose a path that could potentially allow attackers to break out of a single customer’s environment and access shared infrastructure, under specific conditions. While such scenarios depend on multiple factors, the finding underscores an important point: security boundaries on shared platforms are only as strong as the applications that enforce them. Editor’s note: In cloud deployments, this risk is governed by a shared responsibility model, where the cloud provider secures underlying infrastructure while customers remain responsible for application configuration, identity, and data‑level controls.
• Attacks can focused on data extraction rather than control. By abusing an internal connection and leveraging a data extraction technique, an attacker could access the platform’s internal management database. This database governs how the platform operates. It can contain sensitive configuration information, service accounts and credentials that define how the platform communicates with other systems. In the wrong hands, this information dramatically lowers the effort required to escalate an attack or pivot to additional targets.

Together, these vulnerabilities illustrate a pattern security teams should pay close attention to. Platforms that combine broad access with operational insight create disproportionate risk when compromised, even if they are not always classified as “high value” assets.

The risk of invisible dependencies

One reason analytics platforms are often overlooked is that their risks are not directly visible. If a database is breached, the impact is obvious. If an identity system fails, the consequences are immediate. However, when an analytics platform is compromised, the damage may unfold more subtly. Reports may be manipulated. Decision‑makers may act on tainted information. Attackers may quietly map the environment before striking elsewhere.

This makes analytics platforms useful reconnaissance tools for malicious actors. They allow attackers to observe without immediately disrupting operations, buying time and increasing the likelihood of a successful follow‑on attack.

Detection is also complicated: Activity within analytics platforms can appear legitimate, especially when attackers leverage existing features rather than deploying overt malware. Without targeted monitoring, unusual behaviour can blend into normal usage patterns.

Editor’s note: Many analytics platforms, including Looker and Looker Studio, provide audit logging, granular permissions and integration with SIEM tools, which can support more effective monitoring when properly configured and reviewed.

Meanwhile, managed cloud services offer clear security advantages. Providers can deploy patches quickly, monitor infrastructure at scale and respond to threats centrally. However, many organizations run customer‑hosted or on‑premises versions of analytics platforms. In such environments, the responsibility for patching, configuration and monitoring rests largely with the organization. Delays in applying updates can leave systems exposed long after fixes are available. This can create a false sense of security. Teams may assume that because a platform is widely used and commercially supported, it is inherently safe. In reality, the security posture of customer‑hosted deployments depends on the same fundamentals as any other critical system: timely patching, least‑privilege access and continuous oversight.

Editor’s note: Effective use of cloud security features (for example, identity and access management, network segmentation, logging, and organization‑level sharing controls) is also a core part of securing analytics deployments in both managed and self‑hosted models.

Rethinking analytics as critical infrastructure
The issues above raise questions about how organizations should define critical infrastructure. If a system shapes executive decisions, aggregates sensitive data and connects to multiple core services, it should be treated as high‑risk by default. That applies regardless of whether the system is labeled “analytics”, “operations” or “productivity”.

Asking the right analytics-platform questions

Security teams should be asking hard questions about these platforms. What level of access do they have? Which credentials do they store? How are changes monitored? How quickly can vulnerabilities be remediated? Most importantly, who owns the risk?

As enterprises continue to consolidate capabilities into powerful, interconnected platforms, the consequences of overlooking “non‑traditional” attack surfaces are likely to grow.

Analytics platforms are no longer passive observers of business activity. They are active participants in how organizations function, and should be incorporated into broader security and governance strategies alongside other critical systems.

Editor’s note: Organizations may benefit from referencing independent security benchmarks, shared‑responsibility guidance and multi‑vendor best practices when defining controls for analytics platforms, rather than relying solely on individual research disclosures or a single provider’s perspective.