The traditional security measures that organizations have long used to protect on-premises data centers too often fail when applied to the dynamic nature of cloud environments. A full 47% of breaches in the past year originated from the cloud, according to Vanson Bourne. The problem is that cloud infrastructure consists of a myriad of resources beyond just traditional compute, many of which are highly dynamic and elastic, designed to scale up and down and be consumed as needed. That blurs the lines of a fixed perimeter and makes it difficult to understand how resources interact and to establish consistent boundaries.
The first step to improving cloud security is recognizing and addressing the main challenges currently impacting the landscape.
Cloud service providers are responsible for securing the underlying infrastructure and then, depending on whether the service being consumed is IaaS, PaaS or SaaS, for some additional level of service-level security. And while the service providers offer a whole raft of security capabilities to their customers for protecting the resources they are consuming, the onus sits very much with the customers, not the service providers, to do this to an adequate level, commensurate with their individual risk, threat and compliance landscape.
Organizations must create a holistic, tailored cloud security strategy that accounts for both cloud providers’ security offerings and the specific needs of their environments. Using cloud-native and third-party security tools addresses gaps in application security and data protection, and regular security audits will help ensure compliance with internal policies and regulatory requirements.
Unlike traditional networks with a trusted internal system and defined external perimeter, the hybrid and heterogeneous nature of cloud environments blurs network and trust boundaries. Conventional tools, such as intrusion detection systems or network access controls, that enforce security policies only at the perimeter become ineffective as workloads shift within and across environments. There is a demand for security policies that enable access control within the network itself, not just at the border.
Organizations should adopt a zero-trust model that does not rely on perimeter-based security but instead verifies every request based on user identity and device health. Continuous monitoring, threat detection systems and automated tools that adapt to the dynamic nature of cloud environments can further enhance security.
Threat actors often target the cloud because it’s an easy place to infiltrate and hide. With a majority of traffic happening between resources within cloud environments, simply focusing monitoring on the nebulous cloud “perimeter” is inadequate and results in a proliferation of blind spots.
To effectively monitor where bad actors hide within their networks, organizations need to understand how cloud services are interacting with one another, what they’re accessing and what security measures the providers supply. This requires comprehensive application-focused visibility into traffic across all workloads, both on-premises and in the cloud. Security teams use this information to see, prioritize and address risks that would otherwise be hidden.
Cybercriminals will inevitably compromise your network and attempt to move laterally throughout the system to the most important resources. The fact that many organizations store these high-value assets in the cloud means that the impact of unauthorized access to cloud environments is potentially significant. Off-the-shelf cloud configurations, imperfect deployment processes and a large number of workloads cause complexity and blind spots, leaving cloud environments more vulnerable than ever.
To mitigate this risk, organizations should implement micro-segmentation to limit the movement of attackers within the cloud environment. Using behavioral analytics to detect anomalous activities that may indicate lateral movement or compromised assets, organizations can better contain potential threats.
As security teams embrace DevOps best practices like continuous integration and continuous delivery (CI/CD), there’s a growing need (and pressure from the C-suite and board) to shift security left, so that defects or misconfigurations are identified earlier in the cloud application development cycle. However, overhauling and updating development processes means more up-front work that many security teams just don’t have the bandwidth for.
Organizations should incorporate security measures early in the development process by moving practices like automated code scanning, vulnerability assessments and security testing earlier in their pipelines. Integrating security practices into DevOps workflows ensures that security is a continuous, automated part of the development process without overwhelming bogged-down security teams.
Addressing the security challenges inherent in cloud computing requires a multi-faceted approach. Adopting a zero-trust model, implementing advanced monitoring tools and ensuring continuous security assessments are essential to navigate the complexities of ever-changing cloud environments. By developing robust, adaptive security strategies, organizations can effectively safeguard their cloud environments against evolving threats and ensure compliance with regulatory requirements.
While organizations will ultimately face numerous challenges in the cloud, the most cumbersome include built-in security limitations, complex environments, lack of visibility, lateral movement and the pressure to adopt shift-left strategies. The reality is that breaches are inevitable. The solution is not to thwart all attacks, but rather to quickly identify, contain and mitigate the damage and, where possible, to design infrastructure and applications to be resilient to attacks.