While most enterprises have integrated cloud resources into their operations, many need to improve their ability to secure these environments and the data they contain, according to Thales.
Cloud security challenges go beyond technology
The variability of controls across cloud providers, combined with the distinct mindset required for cloud security, continues to challenge security teams. This pressure is only increasing as AI initiatives drive more sensitive data into cloud environments.
64% of respondents ranked cloud security among their top five security priorities, with 17% identifying it as their number one. Security for AI, a new addition to the list of spending priorities this year, ranked second overall. 52% of respondents said they are prioritizing AI security investments over other security needs, signaling a shift in how organizations are allocating budgets in response to the accelerated adoption of AI.
Despite sustained investment, cloud security remains a complex, persistent challenge that goes beyond technology to include staffing, operations, and the threat landscape.
“The accelerating shift to cloud and AI is forcing enterprises to rethink how they manage risk at scale,” Sebastien Cano, SVP, Cyber Security Products at Thales, said. “With over half of cloud data now classified as sensitive, and yet only a small fraction fully encrypted, it’s clear that security strategies haven’t kept pace with adoption. To remain resilient and competitive, organizations must embed strong data protection into the core of their digital infrastructure.”
This complexity extends to security operations, with many teams struggling to align policies across varied platforms. The study found that 61% of organizations use five or more tools for data discovery, monitoring, or classification, and 57% use five or more encryption key managers.
Attacks target cloud resources
Cloud infrastructure has become a primary target for attackers. As cloud adoption has surged and organizations continue to face challenges in securing these environments, threat actors are seizing the opportunity. According to the study, four of the top five most targeted assets in reported attacks are cloud-based.
The rise in access-based attacks, as reported by 68% of respondents, underscores concerns around stolen credentials and insufficient access controls.
Meanwhile, 85% of organizations say at least 40% of their cloud data is sensitive, yet only 66% have implemented MFA, leaving critical data exposed. Compounding the issue, human error remains a major contributing factor in cloud security incidents, from misconfigurations to poor credential management.
Encouragingly, organizations on average reported that they are encrypting an increasing proportion of their sensitive cloud data, but the figure remains far short of where it should be. Considering the increasing prevalence of authentication-based attacks, encryption must be in place to thwart attackers who break through access protections.
Top concerns about application security
Many of the latest advancements in application development and architectures take place in cloud infrastructure. Implementing cloud-native development methods and infrastructure as code can speed the delivery of new applications. However, these advances also require new security measures to address both the scope and the velocity of application deployment and operation.
Foremost is the need to secure the growing use of APIs. Automating cloud operations relies heavily on APIs, and more than a third of organizations reported using 500 or more of them. Mature use of AI services also typically takes place through APIs, making their security critical to AI initiatives. Regarding application security, concerns about API attacks (38%) took a back seat to code vulnerabilities (59%) and software supply chain issues (48%).
“A rising number of respondents report challenges in securing their cloud assets, an issue that is further amplified by the demands of AI projects that often operate in the cloud and require access to large volumes of sensitive data,” Eric Hanselman, Chief Analyst at S&P Global Market Intelligence 451 Research, said. “Compounding this issue, four of the top five targeted assets in reported attacks are cloud-based. In this environment, strengthening cloud security and streamlining operations are essential steps toward enhancing overall security effectiveness and resilience.”