In April 2022, researchers at Wiz discovered that Microsoft Azure's PostgreSQL Flexible Server had vulnerabilities allowing cross-account database access. They called it ExtraReplica, and it affected thousands of Azure databases. This wasn't a theoretical exercise — it was a real demonstration that security in cloud computing remains dangerously misunderstood, even by the platforms themselves.
If you think migrating to the cloud makes you more secure by default, this post is for you. The cloud doesn't eliminate risk. It shifts it. And if your team doesn't understand where the new boundaries are, your organization is exposed in ways you probably haven't considered.
The Shared Responsibility Model Nobody Actually Follows
Every major cloud provider — AWS, Azure, Google Cloud — publishes a "shared responsibility model." The provider secures the infrastructure. You secure everything you put on it: data, access controls, configurations, identities.
In my experience, about 80% of organizations I've worked with think the cloud provider handles more than they actually do. They assume encryption is on by default. They assume logging is configured. They assume public access is blocked.
They're wrong most of the time.
The 2022 Verizon Data Breach Investigations Report found that the "miscellaneous errors" category — which includes cloud misconfigurations — accounted for a significant portion of breaches, with misconfiguration of cloud storage being a recurring theme. Your cloud provider will give you the tools. They won't use them for you. That's the gap where breaches happen.
Cloud Misconfigurations: The $4.35M Mistake
According to IBM's Cost of a Data Breach Report 2022, the average cost of a data breach reached $4.35 million globally. Cloud misconfigurations were among the most common initial attack vectors.
Here's what actually goes wrong:
- Storage buckets left public. The Capital One breach in 2019 exposed over 100 million records because of a misconfigured web application firewall on AWS. The fallout included an $80 million OCC fine and lasting reputational damage.
- Excessive permissions. Teams grant admin-level access to service accounts because it's faster than figuring out minimum necessary permissions. Then a single compromised credential gives a threat actor the keys to everything.
- Disabled logging. CloudTrail, Azure Monitor, GCP Audit Logs — these are your forensic lifeline. I've seen organizations disable them to save money, then have zero visibility when an incident occurs.
- Unencrypted data at rest. Many cloud services don't enable encryption by default. If you don't turn it on, your data sits in plaintext on shared infrastructure.
Every one of these is preventable. None of them require advanced technical skill. They require awareness and process discipline.
What Is Security in Cloud Computing, Really?
Security in cloud computing is the set of policies, technologies, controls, and practices that protect cloud-based systems, data, and infrastructure from unauthorized access, data breaches, and service disruption. It covers identity management, network security, data encryption, configuration management, compliance, and incident response — all adapted for environments where you don't control the physical hardware.
That's the textbook answer. Here's the practical one: it means you're responsible for locking doors in a building someone else owns. And the building keeps adding new doors you don't know about.
Identity Is the New Perimeter (And It's Under Constant Attack)
In a traditional data center, your firewall was your front door. In the cloud, identity is the perimeter. If a threat actor gets valid credentials, they walk straight through every network control you've built.
The 2022 Verizon DBIR confirmed that stolen credentials remain the single most common method for gaining unauthorized access. In cloud environments, this is amplified because a single set of credentials can access resources across regions, services, and even linked accounts.
Credential Theft Starts With Phishing
Most credential theft doesn't involve sophisticated zero-day exploits. It starts with a phishing email. Someone on your team clicks a link, enters their password on a convincing fake login page, and hands over the keys.
I've run phishing simulations for organizations of every size, and the click rates in the first round are consistently alarming — often between 15% and 35%. That's not a technology failure. It's a human one.
The fix starts with realistic, ongoing phishing awareness training for your organization. Not a once-a-year compliance checkbox. Regular simulations that teach employees to recognize social engineering attempts before they hand over credentials.
Multi-Factor Authentication Isn't Optional
If you're running cloud workloads without multi-factor authentication (MFA) on every account, you're leaving the vault door open. MFA stops the vast majority of credential stuffing and phishing-based attacks.
CISA has repeatedly urged organizations to enable MFA as a baseline security measure. Their MFA guidance is straightforward: enable it everywhere, prioritize phishing-resistant methods like FIDO2 keys, and eliminate SMS-based codes where possible.
Yet in 2022, a staggering number of cloud accounts still rely on passwords alone. If that's your organization, fix it today. Not next quarter.
Zero Trust: The Only Architecture That Makes Sense in the Cloud
The traditional castle-and-moat approach assumed everything inside your network was trusted. In the cloud, there is no "inside." Your employees work from home, from airports, from coffee shops. Your applications span multiple cloud providers and SaaS platforms.
Zero trust assumes no user, device, or network is inherently trusted. Every access request is verified. Every session is validated. Permissions are granted on a least-privilege basis and continuously evaluated.
NIST Special Publication 800-207 provides the definitive framework for zero trust architecture. If your security team hasn't read it, that's your next assignment.
Practical Zero Trust Steps for Cloud Environments
- Micro-segment your network. Don't let a compromised workload move laterally across your entire cloud environment. Use security groups, network policies, and service meshes to isolate resources.
- Implement least-privilege access. Audit every IAM role and service account. Remove permissions that aren't actively needed. Use just-in-time access for administrative tasks.
- Verify device posture. Before granting access to cloud resources, check that the device is managed, patched, and running endpoint protection.
- Log and monitor everything. Centralize your cloud logs into a SIEM. Set alerts for anomalous access patterns — logins from new geographies, impossible travel scenarios, bulk data downloads.
Ransomware Doesn't Care That You're in the Cloud
There's a dangerous misconception that cloud environments are immune to ransomware. They're not. Threat actors have adapted.
In 2022, ransomware groups increasingly target cloud-hosted backups and SaaS platforms. If your backup strategy is "we copy everything to S3," and that S3 bucket is accessible with the same credentials an attacker just stole, your backups are gone too.
The FBI's Internet Crime Complaint Center (IC3) reported that ransomware complaints continued to rise in their 2021 annual report, with adjusted losses exceeding $49 million from reported incidents alone. Many of these involved cloud-connected infrastructure.
Cloud-Specific Ransomware Defenses
- Immutable backups. Use object lock or WORM (Write Once Read Many) storage for critical backups. Even if an attacker gains administrative access, they can't delete or encrypt locked objects.
- Separate backup credentials. Your backup system should authenticate with completely different credentials than your production environment. Break the blast radius.
- Test your restores. A backup you've never restored is a hope, not a plan. Test full restoration quarterly at minimum.
Your Team Is Your Biggest Vulnerability — And Your Best Defense
Every cloud security failure I've investigated traces back to people. An engineer who left a database public. A finance manager who fell for a phishing email. A developer who hardcoded API keys into a GitHub repository.
Technology alone won't save you. Security awareness training is the single highest-ROI investment most organizations can make. And I don't mean the kind where employees click through slides and forget everything by lunch.
Effective training is ongoing, scenario-based, and tied to real threats your organization actually faces. If your team manages cloud infrastructure, they need to understand how social engineering attacks target cloud credentials specifically. They need to recognize OAuth phishing, fake SSO pages, and pretexting calls from "cloud support."
Start building that muscle with comprehensive cybersecurity awareness training that covers the threats your people encounter every day.
A Cloud Security Checklist You Can Use This Week
I'm not going to tell you to "develop a cloud security strategy" — you already know that. Here are specific actions you can take in the next five business days:
- Monday: Audit all public-facing storage buckets and containers. Revoke public access on anything that doesn't explicitly require it.
- Tuesday: Enable MFA on every cloud account that doesn't have it. Start with admin and root accounts.
- Wednesday: Review IAM policies. Identify any user or service account with full admin privileges and scope them down.
- Thursday: Verify that cloud audit logging is enabled in every region and every account. Confirm logs are shipping to centralized storage.
- Friday: Run a phishing simulation against your team. Use the results to justify ongoing security awareness investment.
None of these require purchasing new tools. All of them materially reduce your attack surface.
The Cloud Security Skills Gap Is Real
Here's what keeps me up at night: the demand for cloud security expertise far outstrips supply. The (ISC)² 2021 Cybersecurity Workforce Study estimated a global shortage of 2.72 million cybersecurity professionals. Cloud security specialists are among the hardest roles to fill.
That means your existing team needs to level up. Cross-train your developers on secure cloud configuration. Teach your IT operations staff about identity federation and secrets management. Make security everyone's job, not just the security team's.
And invest in training that goes beyond compliance. A data breach doesn't care whether you checked the annual training box. It cares whether your people can actually spot a threat and respond correctly.
Security in Cloud Computing Requires Continuous Effort
The cloud changes fast. AWS alone releases thousands of new features every year. Each new service introduces new configuration options, new IAM actions, and new ways to accidentally expose data.
Security in cloud computing isn't a project with a completion date. It's an ongoing discipline. You need automated scanning tools like AWS Config, Azure Policy, or GCP Security Command Center running continuously. You need regular penetration testing of your cloud environment. You need tabletop exercises that simulate cloud-specific incidents.
And most critically, you need a culture where every person in your organization understands that they play a role in keeping cloud resources secure. From the developer pushing code to the executive approving budgets, everyone owns a piece of this.
The organizations that get security in cloud computing right aren't the ones with the biggest budgets. They're the ones where security awareness is embedded into daily operations, where misconfigurations are caught before deployment, and where every employee knows what a phishing email looks like.
Start there. The rest follows.