Today is World Cloud Security Day, and ABI Research would like to dedicate the day to raising awareness around the threats posed by the cloud. Moreover, our analysts provide some advice on how enterprises can protect their data stored on cloud platforms.
Cloud computing is a staple in today’s business environment, enabling companies to leverage Large Language Models (LLMs), store customer data, and scale their tech stack. Cloud security has emerged as a key concern, with most enterprises still struggling to adapt to the shift to cloud-based ecosystems. Securing data stored in the cloud is very different from securing data stored on-premises. Not only are you dealing with disparate third-party service providers, but threat actors have adopted savvy tactics specifically designed to exploit cloud vulnerabilities. Unfortunately, many enterprises currently lack the technical prowess and operational processes required to combat these threats.
On average, the cost of a data breach in public clouds was US$5.17 million in 2024, as reported in IBM’s Cost of a Data Breach Report. Recent headlines, such as the cyberattack on multi-cloud warehousing platform Snowflake, also exemplify the vulnerability of cloud computing. In this specific instance, hundreds of millions of customers were affected across major brands like Ticketmaster, AT&T, and Santander Bank. Enterprises must take a more proactive approach toward protecting their cloud data if they want to avoid falling victim to a large-scale attack. Such a scenario would not only damage your brand reputation, but also bring financial losses, scrutiny from regulators, and the diversion of resources to cleanup—all of which impact the bottom line.
To assist enterprises in building a successful cloud security strategy, ABI Research shares four best practices proven to keep data from the hands of threat actors. These best practices were identified through various interviews with cybersecurity professionals and leading security vendors with expertise in cloud, hybrid, and multi-cloud environments.
What Is Cloud Security?
Cloud security refers to the set of technologies, policies, and best practices designed to protect data, applications, and infrastructure hosted in cloud environments from unauthorized access, breaches, and other cyberthreats. It ensures that businesses can leverage the scalability and flexibility of cloud computing, while maintaining robust safeguards against risks like data loss or service disruptions.
Cloud security enables digital transformation, while meeting the need for trust and compliance in an increasingly connected world. Besides implementing Zero Trust policies, it’s also essential to couple cloud deployment with advanced cybersecurity tools such as Hardware Security Modules (HSMs), Key Management Systems (KMSs), firewalls, threat monitoring software, and quantum-resistant encryption.
Cloud Security Challenges
Several key challenges hinder enterprises’ ability to successfully craft a cloud security blueprint. For starters, it’s now common practice for enterprises to use multiple cloud services, relying on a multi-cloud ecosystem for their operations. This makes it increasingly difficult to secure the cloud environment, especially given challenges posed by “vendor lock-in.” Many of the cybersecurity tools offered by cloud providers are restricted to their own infrastructure. As a result, enterprises are limited in terms of what cloud security solutions are available to them. Interoperability challenges are another crucial obstacle here: multi-cloud ecosystems often rely on various, disparate cloud security solutions from different providers, leaving enterprises fixated on maximizing solution interoperability, rather than optimizing overall cloud security.
Often, a data security challenge encountered in one cloud environment is replicated across other cloud environments. The compound effect of the resulting data loss can be cataclysmic to an enterprise, particularly where its cybersecurity resources are already scarce. Many firms simply do not have the required skills to effectively address cloud security threats. Without the right talent, misconfigurations are more likely to happen. Businesses in Asia-Pacific are especially susceptible to this threat, with 5% more data leaks being caused by cloud misconfigurations in the region than among their global counterparts. And even if you hire the requisite talent or upskill existing employees, the increased costs and Information Technology (IT) overhead are not fiscally ideal from a business resources standpoint.
Making matters worse, heavily regulated industries must comply with new rules for handling cloud-based data. Cloud privacy and sovereignty laws will require a fundamental shift in corporate culture and investment priorities. If this weren’t enough, IT departments must also continue protecting their existing on-premises infrastructure, while securing new cloud networks. Resources are stretched thin, which requires businesses to adopt digital tools that can automate various functions of cybersecurity.
For these reasons, enterprises must adapt their cloud security strategy by using the following best practices.
1. Leverage a Root of Trust
A hardware root of trust is essential for protecting any data, including data stored in the cloud. As a best practice, enterprises should always use a Hardware Security Module (HSM). These tamper-resistant devices provide cryptographic capabilities to thwart unauthorized access to the network, as well as hashing capabilities for tokenization. For example, converting data into ciphertext prior to uploading it to the cloud prevents the theft of passwords, digital certificates, trade secrets, and other highly sensitive information.
An emerging trend that Senior Research Director Michela Menting has witnessed is the use of cloud-based HSMs. She says, “More recently, market developments around cloud-based HSMs (and HSM-as-a-Service) have emerged to address some of this management complexity, with the option for enterprises to leverage HSM functionalities without having to own and operate the hardware themselves.” Menting stresses that this outsourcing of physical hardware greatly simplifies cloud security management.
While some companies choose a full-fledged as-a-Service (aaS) deployment, others choose a hybrid model. Hybridized cloud security enables enterprises to use their own HSM hardware on-premises, but leverage cloud-based HSM services for data protection.
As we slowly approach a post-quantum world, you must select HSM solutions with quantum-safe features baked in. In particular, prioritizing a quantum-resistant root of trust will become increasingly important as existing symmetric algorithms become deprecated.
2. Adopt a Robust Cloud Key Management System
Our next cloud security best practice is to use a Key Management System (KMS), which streamlines the process of generating and distributing cryptographic keys. Fortunately for enterprises, many cybersecurity vendors have developed KMS solutions with regulatory compliance and ease of use in mind. In addition to being designed for cloud platforms, key management tools allow enterprises to protect data without making significant upfront investments.
A cloud-native KMS is becoming a common deployment for enterprises, providing much-needed simplicity in managing innumerable cryptographic keys across cloud environments. Industry Analyst Aisling Dawson notes, “Cloud-based KMSs are a convenient way for organizations relying on the cloud for data storage or operations to isolate their cryptographic keys from the data they protect, providing a centralized dashboard wherein customers can create and manage keys.”
Again, a vital criterion that enterprises should be looking for in key management services is quantum readiness. Google Cloud KMS stands out in this regard, recently integrating two Post-Quantum Cryptography (PQC) algorithms approved by the National Institute of Standards and Technology (NIST). Other cloud service providers, such as Amazon Web Services (AWS), Oracle, IBM, and Microsoft are also building post-quantum cryptographic libraries to future-proof their KMS solutions.
3. Ensure Quantum-Resistance and Crypto-Agility
Choosing quantum-resistant tools is a key pillar of adequately securing cloud environments. Cryptographically relevant quantum computers, designed to break traditional cryptography, are on the horizon. Industry experts estimate that attack-capable quantum computers will emerge within 10 to 20 years. Therefore, forward-looking enterprises will seek cybersecurity solutions that leverage Post-Quantum Cryptography (PQC).
Although some PQC algorithms have already been selected, algorithm standardization is a fluid process. Industry stakeholders tell us they fear that PQC algorithms selected today may gradually become obsolete as new and improved algorithms are developed. It’s a valid concern, as enterprises don’t want to invest in a cloud security solution that will be useless in a relatively short time span. For this reason, ABI Research advocates for crypto-agile security tools. Crypto-agility enables cloud-based data protection platforms to easily update and swap out PQC algorithms as new ones become available.
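The crypto-agility pattern described above, as an added example that is not ABI Research's or any vendor's code: each protected record names the algorithm that protects it, so a policy change can retire one algorithm and migrate stored data to another without touching callers. The two HMAC variants are stand-ins (an assumption) for the classical and PQC primitives a real platform would register, and the names Policy, protect, verify and migrate are hypothetical.

```python
import hashlib
import hmac
import json

# Registry: algorithm id -> tag function. The HMAC variants are stand-ins
# (assumption) for the classical and PQC primitives a real platform would use.
ALGORITHMS = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

class Policy:
    """Which algorithm new data gets, and which ones are still accepted."""
    def __init__(self, preferred, accepted):
        self.preferred = preferred
        self.accepted = set(accepted) | {preferred}

def protect(policy, key, payload: bytes) -> str:
    """Wrap payload in a self-describing envelope under the preferred algorithm."""
    alg = policy.preferred
    # The algorithm id is bound into the tag so it cannot be swapped silently.
    tag = ALGORITHMS[alg](key, alg.encode() + b"|" + payload)
    return json.dumps({"alg": alg, "payload": payload.hex(), "tag": tag.hex()})

def verify(policy, key, envelope: str) -> bytes:
    """Return the payload if the algorithm is accepted and the tag matches."""
    env = json.loads(envelope)
    alg = env["alg"]
    if alg not in policy.accepted or alg not in ALGORITHMS:
        raise ValueError(f"algorithm not accepted by policy: {alg}")
    payload = bytes.fromhex(env["payload"])
    expected = ALGORITHMS[alg](key, alg.encode() + b"|" + payload)
    if not hmac.compare_digest(expected, bytes.fromhex(env["tag"])):
        raise ValueError("tag mismatch")
    return payload

def migrate(old_policy, new_policy, key, envelope: str) -> str:
    """Verify under the old policy, then re-protect under the new preferred one."""
    return protect(new_policy, key, verify(old_policy, key, envelope))

def demo():
    key = b"constructed-demo-key-not-a-real-secret"   # constructed sample value
    v1 = Policy("hmac-sha256", accepted=[])
    v2 = Policy("hmac-sha3-256", accepted=[])          # hmac-sha256 retired
    old = protect(v1, key, b"customer-record-42")      # constructed sample record
    new = migrate(v1, v2, key, old)
    return json.loads(old)["alg"], json.loads(new)["alg"], verify(v2, key, new)
```

Once the new policy is in force, envelopes still tagged with the retired algorithm fail verification until they are migrated, which makes un-migrated data easy to find.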
4. Strengthen Cloud Security with Proactive Risk Monitoring
Cloud security involves a proactive approach to data protection through vigorous risk assessment and monitoring. You should be blending threat intelligence from external sources with internal analysis to proactively identify potentially targeted data and mitigate cyber risks.
Enterprises and cloud providers share this responsibility. As Menting states, “While the function of the cloud provider is to offer a trusted platform for data, the onus is primarily on the enterprise to manage both the data and the security according to its own needs.”
This preemptive strategy ensures that businesses are leveraging data governance tools for data discovery, classification, risk analysis, and compliance. As a result, they can make informed decisions on encryption, authentication, and access controls.
Implementing this best practice requires robust oversight and fine-grained management of both data and security technologies to address evolving threats effectively.
There’s No Digital Transformation Without Cloud Security
Cloud computing is an absolute necessity for the modern enterprise. It provides the scalability, cost savings, storage capacity, and processing capabilities required to power Generative Artificial Intelligence (Gen AI) and other next-generation technologies. Despite these benefits, cloud security is a difficult task to take on alone as an enterprise. Many enterprises lack the expertise and resources needed to secure sensitive data across various cloud environments.
Following these best practices is the first step to successfully securing the cloud, while scaling your digitalization projects. You must also find a cybersecurity partner that provides network visibility across multiple cloud environments and on-premises systems. For enterprises looking to stay on the frontline of cloud security innovation, prioritizing solutions with post-quantum capabilities and crypto-agile deployment options will be key.