A Single Checkbox Left 540 Million Facebook Records Exposed
Back in 2019, researchers at UpGuard discovered that two third-party Facebook app developers had stored more than 540 million user records on Amazon S3 buckets with no access restrictions. Not encrypted. Not firewalled. Just sitting there, publicly readable, because someone didn't configure storage permissions correctly. That incident didn't happen because AWS was insecure. It happened because the humans using AWS made preventable mistakes.
Security in cloud computing isn't about whether your provider is trustworthy. AWS, Azure, and Google Cloud spend billions on infrastructure security. The problem is everything that sits on top of that infrastructure — your configurations, your access policies, your employees' credentials, and the assumptions your team makes about who's responsible for what.
I've spent years watching organizations migrate to the cloud and then act surprised when things go sideways. This post breaks down what actually goes wrong, what the data says, and what you can do about it right now.
The Shared Responsibility Model Is Where Security in Cloud Computing Breaks Down
Every major cloud provider operates on a shared responsibility model. They secure the physical infrastructure, the hypervisor, the network backbone. You secure everything else — your data, your identities, your configurations, your application code. Most organizations I've worked with understand this in theory. In practice, they treat the cloud like a managed service where security is someone else's problem.
The 2024 Verizon Data Breach Investigations Report found that the human element was involved in 68% of breaches. That number doesn't shrink when you move to the cloud. If anything, it grows, because the cloud gives every developer and IT admin the power to spin up resources, expose APIs, and create access keys — often without any security review.
Here's what actually happens: a developer creates an S3 bucket for a quick test, sets it to public, and forgets about it. An admin reuses credentials across multiple cloud accounts. Someone disables multi-factor authentication because it's slowing down a deployment pipeline. These aren't sophisticated attacks. They're operational failures.
What the Shared Responsibility Model Actually Looks Like
- Cloud provider handles: Physical security, hardware, global network, hypervisor patching
- Your organization handles: Identity and access management, data encryption, network configuration, OS patching, application security, employee training
If your team doesn't understand which side of that line they're on, your cloud environment is already at risk.
Misconfiguration: The #1 Cloud Threat That Isn't a Hack
The NSA and CISA published a joint advisory in 2024 identifying the top ten most common cybersecurity misconfigurations across organizations. Cloud storage misconfigurations, overly permissive access controls, and default credentials topped the list. These aren't zero-day exploits. A threat actor doesn't need advanced tools when the front door is standing open.
I've seen production databases exposed to the entire internet because a firewall rule used 0.0.0.0/0 instead of a specific CIDR block. I've seen IAM policies granting full administrative access to service accounts that only needed read permissions. Every single one of these was preventable with a basic configuration review.
According to CISA's misconfigurations advisory, default credentials and improper access controls remain the most exploited weaknesses. These issues don't require a sophisticated attacker — they require only a scanner and patience.
The Five Misconfigurations I See Most Often
- Publicly accessible storage buckets — S3, Azure Blob, GCS with no access restrictions
- Overly permissive IAM roles — service accounts with admin-level privileges
- Disabled logging and monitoring — CloudTrail or equivalent turned off to save costs
- Unencrypted data at rest — default settings left unchanged during setup
- No network segmentation — flat networks where lateral movement is trivial
Credential Theft Fuels Cloud Breaches
Phishing is still the primary way attackers get initial access to cloud environments. Once they have a valid username and password, they don't need to exploit anything. They log in. They look like a legitimate user. If you don't have multi-factor authentication enforced across every cloud account, you're running on borrowed time.
The FBI IC3 has consistently reported that business email compromise and credential theft account for the largest financial losses in cybercrime. In cloud environments, a single compromised credential can unlock access to dozens of services — email, file storage, databases, CI/CD pipelines, and more.
Social engineering campaigns targeting cloud administrators have become disturbingly effective. Attackers don't just send generic phishing emails anymore. They impersonate cloud provider support teams, send fake MFA reset notifications, and create login pages that are pixel-perfect replicas of your identity provider's sign-in screen.
This is exactly why running regular phishing awareness training for your organization isn't optional. Your employees are the last line of defense when technical controls fail — and they will fail if your people can't recognize a well-crafted phishing simulation.
What Is the Biggest Risk to Security in Cloud Computing?
The biggest risk to security in cloud computing is not a specific vulnerability or threat actor — it's the gap between what organizations assume is protected and what actually is. This gap exists because cloud environments change constantly. New services get deployed weekly. Configurations drift. Employees rotate. Documentation falls behind.
In my experience, the organizations that get breached aren't the ones with the weakest technology. They're the ones with the weakest processes. They don't audit IAM policies quarterly. They don't review security group rules after deployments. They don't train their people on what credential theft looks like in a cloud context.
Closing that gap requires three things: visibility into your configurations, enforcement of least-privilege access, and continuous security awareness training. Without all three, you're hoping for the best.
Zero Trust Isn't a Product — It's Your Cloud Security Strategy
Zero trust architecture has become the de facto standard for cloud security, and for good reason. The old perimeter-based model assumed that everything inside your network was trusted. In the cloud, there is no perimeter. Your applications run across regions, your data flows between services, and your users connect from everywhere.
Zero trust means every request is verified, regardless of source. Every user authenticates. Every device is validated. Every API call is logged. NIST Special Publication 800-207 provides the framework, but implementation is where most organizations struggle.
Practical Zero Trust Steps for Cloud Environments
- Enforce MFA everywhere — no exceptions for service accounts or admin roles
- Implement least-privilege access — review and trim IAM permissions monthly
- Segment your network — use VPCs, security groups, and private subnets
- Log everything — enable CloudTrail, Azure Monitor, or GCP Audit Logs and actually review them
- Encrypt data in transit and at rest — use provider-managed or customer-managed keys
- Validate endpoints — don't trust a device just because it has a VPN connection
Ransomware Hits Cloud Environments Harder Than You Think
There's a dangerous myth that ransomware is only a problem for on-premises systems. In reality, ransomware operators have adapted. They target cloud-hosted file shares, encrypt cloud-native databases, and exfiltrate data from SaaS platforms before detonating payloads. If your backup strategy relies on cloud snapshots that live in the same account as your production data, an attacker with admin credentials can delete those snapshots before you even notice.
I've investigated incidents where ransomware groups used compromised cloud credentials to disable logging, delete backups, and encrypt storage volumes — all within a 90-minute window. By the time the SOC got an alert, the damage was done.
Protecting against this requires immutable backups stored in a separate account, with separate credentials, and access policies that prevent deletion even by administrators. It also requires people who know what to look for. Investing in cybersecurity awareness training for your team gives your entire staff the foundational knowledge to recognize threats before they escalate.
The Training Gap Is Your Biggest Vulnerability
Technical controls matter. But every firewall rule, every IAM policy, every encryption key is configured by a person. If that person doesn't understand the threat landscape — if they can't recognize a phishing email, don't know what least privilege means, or think security is someone else's job — your cloud environment is vulnerable no matter how much you spend on tools.
Security awareness isn't a one-time checkbox. It's a continuous process. The threat actors evolve constantly, and your team's knowledge needs to keep pace. Regular phishing simulations, configuration review training, and incident response exercises are what separate organizations that get breached from organizations that catch threats early.
Your cloud provider will not save you from your own mistakes. Your security tools will not compensate for untrained staff. The only sustainable approach to security in cloud computing is building a culture where every employee understands their role in protecting the organization — and has the skills to do it.
Start Here: Three Things You Can Do This Week
- Audit your cloud IAM policies. Identify every account with admin-level access and verify it's justified. Remove everything that isn't.
- Enable MFA on every account. Not just admin accounts. Every single account with access to your cloud environment.
- Launch a security training program. Start with foundational cybersecurity awareness training and follow up with targeted phishing simulations to test and reinforce what your team learns.
The cloud isn't inherently insecure. But it's inherently unforgiving of carelessness. The organizations that thrive in 2026 are the ones that treat security in cloud computing as a daily discipline — not a quarterly audit.