Rethinking Cloud Security: Why Standard Approaches Fall Short
The shift from on-premises to the cloud to store sensitive data provides significant organisational benefits, but also significantly increases cyber-risks.
According to the Thales 2024 Cloud Security Study, 44% of organisations have suffered a cloud data breach.
The way data is managed and stored in cloud environments means that threat actors target these systems in specific ways. As a result, traditional security strategies are often ineffective against cloud attacks.
It is critical that organisations recognise this reality and understand their roles in securing cloud environments – gaining as much support as possible from their cloud providers.
Attackers Focus on Credentials and Human Error
In on-prem environments, there has been a notable shift towards vulnerability exploitation to infiltrate networks.
For example, Mandiant’s M-Trends 2025 Report found that vulnerability exploitation was the most common initial access method in 2024, observed in 33% of cases. Email phishing was in third place, at just 14%.
However, the same report highlighted a different picture when it comes to cloud environments. Here, email phishing was the most common initial access vector, at 39%. Other social engineering techniques, SIM swapping (6%) and voice phishing (6%), were also prevalent.
Another prominent approach was stolen credentials, at 35%.
This data demonstrates that attackers are targeting user accounts in the cloud at a significantly higher rate than for on-prem.
This is because these accounts control access to data stored in the cloud through services such as software-as-a-service (SaaS) and cloud storage apps.
Research from Obsidian Security found that SaaS breaches increased by 300% in the 12 months from September 2023.
SaaS is a cloud-based delivery model where a vendor hosts and manages applications, and users access them over the internet. The integrated nature of SaaS platforms means a single compromised identity allows threat actors to easily move laterally across multiple applications.
Obsidian found that 85% of SaaS breaches began with a compromised identity, with traditional security tools struggling to protect the complex web of SaaS applications, identities and integrations.
A high-profile SaaS-based incident in 2024 occurred when cybercriminals successfully compromised cloud data warehousing platform Snowflake via stolen credentials. The incident saw over 160 companies with Snowflake deployments warned that they could be impacted, including telecoms giant AT&T. Approximately $2.5m was extorted as part of the campaign.
Mandiant found that the stolen credentials were primarily obtained from infostealer malware campaigns that infected the work or personal computers of employees and contractors who accessed Snowflake customer instances.
A Red Canary report from March 2024 also noted that adversaries behave differently in the cloud compared to other systems. They typically steal short-term tokens to gain access to and abuse APIs for privilege escalation.
This malicious activity is difficult to detect as authorised users leverage these same tokens and APIs.
How to Adapt Your Security Strategy for the Cloud
In response to these cloud attack trends, organisations must adopt specific strategies for these environments, in close coordination with their cloud providers.
Implement Bypass-Resistant MFA
The Obsidian study found that adversary-in-the-middle (AiTM) attacks accounted for 39% of SaaS breaches. AiTM occurs when attackers intercept data between two systems to access information like login and MFA credentials.
MFA options such as SMS and email notifications are vulnerable to this approach.
As a result, it is vital that MFA options are used that can withstand AiTM and other common bypass techniques. These include hardware security keys, which necessitate the user physically inserting a key in the device or tapping it.
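The reason hardware keys and passkeys resist AiTM is that the browser records the origin it is actually on inside the signed response, and the key is scoped to the site that registered it; a proxy on a lookalike host cannot produce a response the real site will accept. The following is an added example written for this article, not code from the article or from any vendor it mentions. It shows the server-side binding checks of a WebAuthn login (origin, relying-party ID hash, fresh challenge, user presence) with a hypothetical relying party at portal.example.com and a constructed lookalike host; signature verification is omitted, so the code should be read as an illustration of the checks rather than a complete verifier.

```python
import base64
import hashlib
import json

# Hypothetical relying party (RP) settings, constructed for this example.
RP_ID = "portal.example.com"
EXPECTED_ORIGIN = "https://portal.example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """What a browser produces as clientDataJSON: it records the origin the page
    is actually loaded from, and the authenticator signs a hash of this blob."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode())


def make_auth_data(rp_id: str, flags: int = 0x05) -> bytes:
    """Minimal authenticatorData: sha256(rpId) || flags || 4-byte signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")


def verify_binding(client_data_b64: str, auth_data: bytes,
                   expected_challenge: bytes) -> tuple:
    """Server-side checks that tie the assertion to this RP and this login attempt.
    Signature verification over auth_data || sha256(clientDataJSON) is omitted here;
    in a real verifier it is what stops these fields being edited after the fact."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not confirmed"
    return True, "ok"


def demo() -> dict:
    challenge = bytes(range(32))  # a real server uses os.urandom(32) per login attempt
    # Genuine login: the user's browser is on the real origin.
    genuine = verify_binding(make_client_data(EXPECTED_ORIGIN, challenge),
                             make_auth_data(RP_ID), challenge)
    # Proxied login: the browser is on a lookalike host (constructed name), so it
    # records that origin and scopes the rpId to it; the real site rejects it.
    proxied = verify_binding(make_client_data("https://portal.example-login.com", challenge),
                             make_auth_data("portal.example-login.com"), challenge)
    return {"genuine": genuine, "proxied": proxied}


if __name__ == "__main__":
    print(demo())
```

Contrast this with an SMS or email code, which carries nothing about where the user typed it; any site that receives the code can replay it to the real service.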
Strict Identity and Access Management Policies
Strict IAM policies that follow zero trust principles are especially important for cloud environments.
IAM and zero trust are not about stopping breaches from occurring, but rather about ensuring they have limited impact and do not spread throughout cloud environments.
These policies should set strictly delimited rules on the systems that accounts can access, including what individual users can access, at what times they can do so and from what devices.
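To make those rules concrete, here is an added example (written for this article, not taken from it or from any provider's product) of a default-deny access evaluator that checks group membership, action, managed device state, MFA method, time window and source network for each request. The policy, group names, device IDs and TEST-NET addresses are constructed; the set of MFA methods treated as phishing-resistant is an assumption for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network

# MFA methods treated as phishing-resistant for policy purposes (assumption for this example).
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    resource: str
    action: str
    device_id: str
    device_compliant: bool
    mfa_method: str
    source_ip: str
    when: datetime


@dataclass(frozen=True)
class Policy:
    name: str
    resources: frozenset
    allowed_groups: frozenset
    allowed_actions: frozenset
    managed_devices: frozenset
    require_phishing_resistant: bool
    hours_utc: tuple          # (start, end), inclusive window in UTC
    networks: tuple           # ip_network objects


def evaluate(req: AccessRequest, policies) -> tuple:
    """Default deny. A request is allowed only if some policy covering the resource
    passes every check; otherwise every failed check is returned for logging."""
    reasons = []
    for p in policies:
        if req.resource not in p.resources:
            continue
        failed = []
        if not (req.groups & p.allowed_groups):
            failed.append("user not in an allowed group")
        if req.action not in p.allowed_actions:
            failed.append(f"action {req.action} not permitted")
        if req.device_id not in p.managed_devices or not req.device_compliant:
            failed.append("device not managed or not compliant")
        if p.require_phishing_resistant and req.mfa_method not in PHISHING_RESISTANT:
            failed.append(f"mfa method {req.mfa_method} is not phishing-resistant")
        start, end = p.hours_utc
        if not start <= req.when.astimezone(timezone.utc).time() <= end:
            failed.append("outside permitted hours")
        if not any(ip_address(req.source_ip) in net for net in p.networks):
            failed.append("source network not permitted")
        if not failed:
            return True, [f"allowed by {p.name}"]
        reasons.extend(f"{p.name}: {f}" for f in failed)
    return False, reasons or ["no policy covers this resource (default deny)"]


# Constructed policy: finance staff may read the payroll application from managed,
# compliant devices, with phishing-resistant MFA, in working hours, from corporate ranges.
FINANCE_POLICY = Policy(
    name="finance-payroll-read",
    resources=frozenset({"saas:payroll"}),
    allowed_groups=frozenset({"finance"}),
    allowed_actions=frozenset({"read"}),
    managed_devices=frozenset({"LAPTOP-0042", "LAPTOP-0077"}),
    require_phishing_resistant=True,
    hours_utc=(time(7, 0), time(19, 0)),
    networks=(ip_network("203.0.113.0/24"),),   # TEST-NET range, constructed
)


def example_requests() -> dict:
    good = AccessRequest("alice", frozenset({"finance"}), "saas:payroll", "read",
                         "LAPTOP-0042", True, "fido2", "203.0.113.15",
                         datetime(2025, 5, 12, 10, 30, tzinfo=timezone.utc))
    # Same account, but an unknown device, SMS MFA, 02:00 UTC, outside the office.
    suspicious = AccessRequest("alice", frozenset({"finance"}), "saas:payroll", "read",
                               "UNKNOWN-DEVICE", False, "sms", "198.51.100.9",
                               datetime(2025, 5, 12, 2, 0, tzinfo=timezone.utc))
    return {"good": evaluate(good, [FINANCE_POLICY]),
            "suspicious": evaluate(suspicious, [FINANCE_POLICY])}


if __name__ == "__main__":
    for name, (allowed, why) in example_requests().items():
        print(name, "ALLOW" if allowed else "DENY", why)
```

The point of returning every failed check rather than the first one is that the denial record is itself a detection signal: a valid account failing device, MFA, time and network checks at once looks like a stolen credential, not a user who forgot their laptop.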
Shift to Passwordless
High-profile cloud providers, including Microsoft, Amazon and Google, have made significant strides towards providing passwordless authentication options for customers.
During the Google Cloud Next 2025 event, the firm told Infosecurity that it is on a “journey of killing off the password,” seeking to firstly enforce mandatory MFA before making the full shift.
Cloud customers should embrace this move, as it removes the threat of compromised credentials as a gateway into their environments. They should also ensure they only use cloud providers that have a passwordless offering, or plan to do so.
Continuous Monitoring and Detection
Continuous monitoring and detection capabilities should be in place to ensure that common cloud breach causes are identified rapidly, including unauthorised access and misconfigurations.
This detection must extend across the entire cloud supply chain, with attackers frequently targeting open-source components and third-party cloud integrations to infiltrate these environments.
Continuous monitoring for third-party cloud dependencies should also be in place to understand the changing cloud attack surface.
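The Red Canary observation earlier in the article, that attackers steal short-term tokens and use the same APIs as legitimate users, means detection has to look at how a token is used rather than whether it is valid. The following is an added example written for this article, not the article's or any vendor's code. It runs two simple detections over a constructed audit log loosely modelled on a cloud provider's API audit trail: a temporary credential appearing from two different source addresses within a short window, and a temporary credential calling privilege-granting API actions. The credential IDs, user names and TEST-NET addresses are made up, and the set of privilege-granting actions is a starting point chosen for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events, loosely modelled on a cloud provider's API audit log.
# Credential ids, users and TEST-NET addresses are made up for this example.
SAMPLE_LOG = """\
{"time": "2025-05-12T09:00:03Z", "user": "alice", "credential_id": "TMP-0001", "credential_type": "temporary", "action": "GetObject", "source_ip": "203.0.113.10"}
{"time": "2025-05-12T09:05:41Z", "user": "alice", "credential_id": "TMP-0001", "credential_type": "temporary", "action": "GetObject", "source_ip": "203.0.113.10"}
{"time": "2025-05-12T09:12:17Z", "user": "alice", "credential_id": "TMP-0001", "credential_type": "temporary", "action": "ListBuckets", "source_ip": "198.51.100.77"}
{"time": "2025-05-12T09:15:02Z", "user": "alice", "credential_id": "TMP-0001", "credential_type": "temporary", "action": "AttachUserPolicy", "source_ip": "198.51.100.77"}
{"time": "2025-05-12T09:01:55Z", "user": "bob", "credential_id": "TMP-0002", "credential_type": "temporary", "action": "GetObject", "source_ip": "203.0.113.20"}
{"time": "2025-05-12T09:03:30Z", "user": "ci-bot", "credential_id": "KEY-0003", "credential_type": "long_lived", "action": "PutObject", "source_ip": "203.0.113.30"}
"""

# API actions that grant or extend access; a temporary credential calling these
# deserves a closer look (set chosen for this example, extend for your provider).
PRIVILEGE_ACTIONS = {"AttachUserPolicy", "PutRolePolicy", "CreateAccessKey", "UpdateAssumeRolePolicy"}


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_token_reuse(events, window=timedelta(minutes=30)) -> list:
    """Flag a temporary credential used from two different source IPs within the window.
    A short-lived token is normally used from one place; the same token appearing
    elsewhere soon afterwards suggests it was copied off the original host."""
    by_cred = defaultdict(list)
    for e in events:
        if e["credential_type"] == "temporary":
            by_cred[e["credential_id"]].append(e)
    alerts = []
    for cred, evs in by_cred.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            hit = next((later for later in evs[i + 1:]
                        if later["time"] - first["time"] <= window
                        and later["source_ip"] != first["source_ip"]), None)
            if hit:
                alerts.append({"credential_id": cred, "user": first["user"],
                               "ips": [first["source_ip"], hit["source_ip"]],
                               "seen_at": hit["time"].isoformat()})
                break  # one alert per credential is enough for triage
    return alerts


def detect_temp_cred_privilege_calls(events) -> list:
    """Flag privilege-granting API calls made with a temporary credential."""
    return [{"credential_id": e["credential_id"], "user": e["user"],
             "action": e["action"], "source_ip": e["source_ip"]}
            for e in events
            if e["credential_type"] == "temporary" and e["action"] in PRIVILEGE_ACTIONS]


def run_detections(text: str = SAMPLE_LOG) -> dict:
    events = parse_events(text)
    return {"token_reuse": detect_token_reuse(events),
            "privilege_calls": detect_temp_cred_privilege_calls(events)}


if __name__ == "__main__":
    print(json.dumps(run_detections(), indent=2))
```

Both detections operate on fields every major provider's audit log carries in some form (timestamp, principal, credential identifier, action, source address), which is why audit logging has to be enabled and retained for every account and every third-party integration before any of this is possible.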
Jurgen Kutscher, VP at Mandiant Consulting, told Infosecurity: “Security teams have a hard time keeping up with the business when they get new SaaS providers, and corporate security doesn’t sometimes keep tabs on all the places where corporate data can now live.”
Create a Truly Shared Responsibility Model
The shared responsibility model in the cloud aims to clearly show where the security responsibility for cloud providers ends, and where the customer’s responsibility begins.
Traditionally, some security responsibilities will always be the customer's, such as IAM for their assets, user security and credentials, or endpoint security. Other security tasks will typically fall under the cloud provider's remit, like the safety and security of the physical layer and all associated hardware and infrastructure, including the facilities that run cloud resources.
In many cases it has been argued that cloud providers could provide stronger security by default than they do, which would ease customers’ burden. This includes enforcing strong configurations, promoting secure authentication methods and proactively detecting abuse within cloud services.
At Google Cloud Next, Yasmeen Ahmad, Managing Director for Data and Analytics at Google Cloud, advocated for a “shared fate” model, in which cloud providers are just as concerned for their customers’ data as the customers themselves.
Such a model will need to be driven by market demand, with customers refusing to use providers who do not put the strongest possible security-by-default mechanisms in place.
Conclusion
The shift to the cloud poses a different set of security challenges for organisations, who need to adapt their strategies accordingly.
This includes a greater focus on account protection and putting in place mitigations that account for inevitable human error.
In this environment, customers should also expect, and demand, greater security by default from their cloud providers.