The assumption that trips up most organisations isn’t that cloud is insecure. It’s that because the cloud provider is a massive, well-resourced company, they’re handling the security problem.
They’re not. Not the part that matters for your data.
AWS, Azure, and Google Cloud are responsible for the physical datacentre, the hypervisor, the network fabric, and the hosts underneath their managed services. Everything you build on top of that is yours: your storage buckets, your IAM configuration, your workloads, your data, and the settings on every managed service you consume. This is the shared responsibility model, and each provider documents it. The dividing line moves with the service type (you patch the operating system on a VM, the provider patches it under a managed database), but identity, data and configuration stay on your side at every level. Most organisations understand it theoretically and then proceed to act like it doesn’t apply to them.
That’s why, per the Cloud Security Alliance, 82% of data breaches now involve cloud infrastructure. Not because cloud is inherently insecure. Because organisations are repeatedly getting their side of the shared responsibility model wrong.
The failure mode that shows up everywhere
I’ve seen versions of this story more times than I can count:
A developer needs to test something quickly. They spin up a storage bucket and open it to the world, because a properly scoped policy would take configuration steps they don’t have time for right now. They test their thing. They move on. The bucket stays. Six months later it’s still public, and it still contains the test data that happened to include real customer records copied from a staging environment. (On S3 the defaults have tightened, with Block Public Access on for every new bucket since 2023, so today the step is usually someone switching that off. The pattern is unchanged, and the same thing happens with anonymous-read blob containers, publicly shared snapshots and machine images, and databases whose security group admits 0.0.0.0/0.)
Nobody hacked anything. The bucket was just sitting there, readable by anyone who found or enumerated its name. In 2024, one in five companies had at least one cloud storage resource configured this way, per NordLayer’s research.
Multiply that pattern across IAM roles, network security groups, database access controls, and API gateway configurations, all the places where the quickest configuration that works is the permissive one, and you start to understand why cloud security is fundamentally a configuration management problem more than it’s a technology problem. The useful corollary is that the permissive setting and the correct one are both a few lines of policy, so the difference between them can be checked by a script rather than found by an attacker.
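A check for the bucket-policy version of that story, as an added example that is not part of the original article or AtmosSecure’s tooling. It evaluates a policy document offline the way a configuration scanner would, flags statements that grant to everyone, and shows why the Block Public Access settings decide whether such a statement actually exposes anything. The policies, account ID, role name and VPC endpoint ID are constructed.

```python
"""Offline check for S3 bucket policies that grant anonymous access.

Added example, not from the original article. Both policies and the
Block Public Access settings below are constructed samples; the account
ID, role name and VPC endpoint ID are made up.
"""


def _as_list(value):
    """Policy fields accept a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for the spellings that mean 'anyone, including anonymous callers':
    "Principal": "*"   or   "Principal": {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy):
    """Split a bucket policy's statements into two lists.

    public : Allow to everyone with no Condition block at all.
    review : Allow to everyone narrowed by some Condition (e.g. a source VPC
             endpoint); may or may not be public, so a person should look.
    """
    public, review = [], []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        (review if stmt.get("Condition") else public).append(stmt)
    return public, review


def effectively_public(policy, block_public_access):
    """A public statement only exposes data if RestrictPublicBuckets is off.
    With it on, S3 ignores the public grant for anonymous and cross-account
    callers, which is why the 2023 default (all four flags on) matters."""
    public, _ = find_public_statements(policy)
    return bool(public) and not block_public_access.get("RestrictPublicBuckets", False)


# --- constructed samples -------------------------------------------------

WEAK_POLICY = {  # the 'quick test' bucket from the story above
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "QuickTestRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-staging-data/*",
    }],
}

FIXED_POLICY = {  # same read access, scoped to one role in the account
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "StagingTestsRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/staging-tests"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-staging-data/*",
    }],
}

CONDITIONAL_POLICY = {  # everyone, but only via one VPC endpoint: needs review
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-staging-data/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
}

BPA_OFF = dict.fromkeys(
    ["BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"], False)
BPA_DEFAULT = dict.fromkeys(BPA_OFF, True)

if __name__ == "__main__":
    for name, pol in [("weak", WEAK_POLICY), ("fixed", FIXED_POLICY),
                      ("conditional", CONDITIONAL_POLICY)]:
        public, review = find_public_statements(pol)
        print(f"{name:12} public={len(public)} review={len(review)} "
              f"exposed_with_bpa_off={effectively_public(pol, BPA_OFF)}")
```

Run it as a script to see all three verdicts. The same shape of check applies to IAM and resource policies generally: normalise string-or-list fields, match on Effect and Principal, and treat a Condition as "needs a human" rather than "safe".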
Visibility: the problem under the problem
Even when organisations catch misconfigurations, they often miss what happens afterward. An attacker who gains initial access — through stolen credentials, a phishing link, an unpatched application — doesn’t stop at one system. They move laterally. They escalate privileges. They work toward whatever they came for.
Only 17% of organisations have proper visibility into east-west traffic within their cloud environments, according to Check Point’s 2025 Cloud Security Report. East-west is the traffic moving between systems inside your environment, as opposed to north-south traffic coming in from outside. Most security tools focus on the perimeter. Attackers, once inside, move sideways. The raw material for seeing that does exist in the cloud (VPC flow logs on AWS, VNet flow logs on Azure, VPC Flow Logs on GCP), but flow logging is off until someone enables it, and the records only help if they are shipped somewhere and actually queried.
If you can’t see lateral movement, you can’t stop it. This is why detection and response capability matters as much as prevention. You will have incidents. The question is whether you’ll know about them.
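What east-west visibility looks like once the flow logs are actually being read, as an added example that is not from the article. It parses constructed VPC flow-log records in the default (version 2) format, drops anything with an external endpoint, and alerts when one internal host reaches several others on remote-admin ports, the fan-out that lateral movement and internal scanning produce. The account ID, interface ID, addresses and threshold are made up; the CIDRs and port list would be replaced with your own.

```python
"""Flag east-west fan-out in VPC flow logs: one internal host reaching many
internal hosts on remote-admin ports. Added example, not from the original
article; SAMPLE_LOG is constructed in the default (version 2) flow-log format
with a made-up account ID and interface."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 space; replace with your actual VPC/VNet CIDRs.
INTERNAL_NETS = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports an attacker uses to hop between machines; tune to your estate.
LATERAL_PORTS = {22, 135, 445, 3389, 5985, 5986}
FANOUT_THRESHOLD = 3  # distinct internal targets on those ports before alerting

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 203.0.113.7 10.0.1.15 51822 443 6 12 4000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.2.20 44010 22 6 8 900 1700000100 1700000160 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.2.21 44011 22 6 8 900 1700000101 1700000161 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.2.22 44012 445 6 3 200 1700000102 1700000162 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.2.23 44013 3389 6 3 200 1700000103 1700000163 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.5.5 44020 8080 6 5 700 1700000105 1700000165 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.3.9 10.0.2.20 50231 5432 6 40 20000 1700000200 1700000260 ACCEPT OK
"""


def parse_flow_log(text):
    """Yield one dict per record; skip NODATA/SKIPDATA lines, which carry no addresses."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["srcport"], rec["dstport"] = int(rec["srcport"]), int(rec["dstport"])
        yield rec


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def east_west(records):
    """Keep only flows where both ends are inside the estate. A perimeter
    device never sees these; they exist only in the flow logs."""
    return [r for r in records if is_internal(r["srcaddr"]) and is_internal(r["dstaddr"])]


def fanout_alerts(records, threshold=FANOUT_THRESHOLD):
    """One alert per source that touched >= threshold distinct internal hosts
    on lateral-movement ports. REJECTed flows count too: a refused connection
    is still evidence that the source tried."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for r in records:
        if r["dstport"] in LATERAL_PORTS:
            targets[r["srcaddr"]].add(r["dstaddr"])
            ports[r["srcaddr"]].add(r["dstport"])
    return [
        {"src": src, "hosts": sorted(hosts, key=ip_address), "ports": sorted(ports[src])}
        for src, hosts in sorted(targets.items())
        if len(hosts) >= threshold
    ]


if __name__ == "__main__":
    flows = east_west(parse_flow_log(SAMPLE_LOG))
    for alert in fanout_alerts(flows):
        print(f"lateral fan-out from {alert['src']}: "
              f"{len(alert['hosts'])} hosts on ports {alert['ports']}")
```

The inbound HTTPS flow from 203.0.113.7 is the only thing a perimeter tool would have seen; the four SSH, SMB and RDP attempts from 10.0.1.15 that trigger the alert are invisible to it. Thresholds this low are for illustration; in a real estate you would baseline per-source fan-out first, and exclude known scanners and jump hosts.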
Hybrid environments make all of this harder
Most enterprises don’t run clean cloud-native architectures. They have on-premises systems still doing important work, connected to cloud workloads through VPNs, API integrations, and third-party services. Each connection is an opportunity for inconsistency — different security policies, different logging formats, different access controls, different people responsible for each side.
Gigamon’s 2025 hybrid cloud security survey found more than 55% of organisations suffered a cloud breach in the past year, up 17% from the prior year, with half saying their existing tools failed to detect it.
The failure to detect is the part worth focusing on. These weren’t zero-day exploits. They were intrusions that existing tools should have caught and didn’t, because the tools were designed for one environment and the attack moved between two.
AtmosSecure’s cloud network security services are built for this specifically — monitoring across cloud, on-premises network, and endpoint through a 24/7 managed SOC that treats the hybrid environment as one problem rather than forcing you to stitch together separate tools.
What actually helps
Zero trust gets discussed constantly and implemented incompletely. The core principle is sound and worth pursuing: treat no user or workload as trusted by default, and require verification regardless of where the request originates. But it’s a direction more than a destination. Start with IAM: audit what your service accounts can actually access against what they have actually used. The providers will give you the second half (AWS records when each service and action was last accessed and IAM Access Analyzer can generate a policy from CloudTrail activity; GCP’s IAM recommender does the same job). The grant is almost always more than they need.
Configuration audits catch drift. Cloud environments change fast, as teams deploy infrastructure, update policies and modify access controls, and the security posture drifts from what it was last month. Automated scanning helps, and it should run continuously against the live state rather than against the infrastructure-as-code that was supposed to produce it, because drift is precisely the gap between the two. It doesn’t replace periodic human review of what’s actually in your environment.
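The IAM audit from the zero-trust paragraph and the drift check from this one reduce to the same comparison: what is granted versus what is used. The added example below is not the article’s or AtmosSecure’s code. It expands a role’s wildcard grants against a constructed subset of the IAM action catalogue, derives used actions from constructed CloudTrail-style events, and emits the least-privilege rewrite. The policy, catalogue and events are all made up; against a real account you would feed it the full action list and a representative window of CloudTrail.

```python
"""Compare what a role is allowed to do with what it has actually done.

Added example, not from the original article. ACTION_CATALOG is a
constructed subset of the real IAM action list, OBSERVED_EVENTS are
constructed CloudTrail-style records, and GRANTED_POLICY is made up."""
import json
from fnmatch import fnmatchcase

# A slice of the catalogue; in practice expand wildcards against the full
# service action list (e.g. from the IAM policy editor or Access Analyzer).
ACTION_CATALOG = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:DeleteBucket", "s3:PutBucketPolicy",
    "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:ScheduleKeyDeletion",
    "secretsmanager:GetSecretValue",
}

GRANTED_POLICY = {  # what the service account was given for 'quick setup'
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "kms:*"], "Resource": "*"}],
}

OBSERVED_EVENTS = [  # what it actually called over the review window
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt"},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey"},
]


def _as_list(value):
    """Policy fields accept a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def expand_allowed(policy, catalog):
    """Concrete actions the policy permits: every Allow pattern expanded
    against the catalogue, minus anything a Deny pattern matches. Conditions
    and Resource scoping are ignored here; they narrow, never widen."""
    allow, deny = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        hit = {a for a in catalog if any(_matches(p, a) for p in patterns)}
        (allow if stmt.get("Effect") == "Allow" else deny).update(hit)
    return allow - deny


def observed_actions(events):
    """CloudTrail eventSource + eventName -> 'service:Action'. Good enough for
    a first pass: some API calls map to differently named IAM actions, and
    S3 object-level calls only appear if data events are enabled."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}


def unused_grants(policy, events, catalog):
    """Granted but never exercised: the set to remove first."""
    return expand_allowed(policy, catalog) - observed_actions(events)


def minimal_policy(policy, events, catalog):
    """Rewrite the Allow to exactly the observed actions. Resource is kept
    as-is; narrowing it to specific ARNs is the next step, not done here."""
    used = expand_allowed(policy, catalog) & observed_actions(events)
    resource = _as_list(policy["Statement"])[0].get("Resource", "*")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(used), "Resource": resource}]}


if __name__ == "__main__":
    gap = unused_grants(GRANTED_POLICY, OBSERVED_EVENTS, ACTION_CATALOG)
    print(f"granted but never used ({len(gap)}): {sorted(gap)}")
    print(json.dumps(minimal_policy(GRANTED_POLICY, OBSERVED_EVENTS, ACTION_CATALOG), indent=2))
```

Two of the six unused grants here (kms:ScheduleKeyDeletion and s3:DeleteBucket) are destructive actions a CI role has no business holding, which is the usual shape of the finding: the wildcard was convenient, and nobody looked at what it expanded to. Re-running this comparison on a schedule is the configuration audit; a grant that appears in the live policy but not in the repository is the drift.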
Encryption at rest and in transit sounds obvious. It’s still missing in surprising places, and where it is present it’s often doing less than people assume: provider-managed encryption at rest protects against a lost disk, not against a policy that lets the wrong principal call GetObject, which returns plaintext regardless.
Incident response plans need to be written for how your cloud environment actually works, not adapted from on-premises documentation. The containment steps are different: there is no cable to pull, so you revoke a role’s sessions, detach a security group or disable an access key through the same API the attacker may be using. The forensics are different: disk images come from snapshots, and the authoritative timeline is the provider’s audit log (CloudTrail, Azure Activity Log, Cloud Audit Logs), which has to be enabled and retained before the incident, not after. Test them.
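One of those cloud-specific containment steps, as an added example that is not from the article: revoking every live session of a role you believe is compromised, without deleting the role or the evidence attached to it. The role name, session IDs and timestamps are constructed; the deny-on-aws:TokenIssueTime policy shape is what the AWS console itself attaches when you click "Revoke active sessions".

```python
"""Cloud-specific containment: cut off a compromised role's live sessions
without deleting the role, so the trail stays intact for forensics.

Added example, not from the original article. Role name, session IDs and
timestamps are made up; SAMPLE_SESSIONS mimics the sessionContext
attributes CloudTrail records for assumed-role activity."""
import json
from datetime import datetime, timezone

TS = "%Y-%m-%dT%H:%M:%SZ"

# Cut-off chosen as 'now' at the moment of containment (constructed value).
CUTOFF = datetime(2025, 3, 10, 14, 0, 0, tzinfo=timezone.utc)

SAMPLE_SESSIONS = [  # constructed: sessions seen for the role in CloudTrail
    {"principalId": "AROAEXAMPLE:ci-deploy-2025-03-10", "creationDate": "2025-03-10T09:15:02Z"},
    {"principalId": "AROAEXAMPLE:unknown-session-7f3a", "creationDate": "2025-03-10T13:42:11Z"},
    {"principalId": "AROAEXAMPLE:ci-deploy-after-rotation", "creationDate": "2025-03-10T14:05:40Z"},
]


def revoke_sessions_policy(issued_before):
    """Inline Deny of the same shape the AWS console attaches under
    'Revoke active sessions': every temporary credential issued before the
    cut-off is denied all actions. Sessions issued after it keep working,
    so the role can be re-assumed with fresh credentials once it is clean."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before.strftime(TS)}},
        }],
    }


def sessions_revoked_by(policy, sessions):
    """Evaluate the cut-off against known sessions before applying it, so you
    can see the suspect session is caught and your own new one is not."""
    cutoff = datetime.strptime(
        policy["Statement"][0]["Condition"]["DateLessThan"]["aws:TokenIssueTime"], TS
    ).replace(tzinfo=timezone.utc)
    return [s["principalId"] for s in sessions
            if datetime.strptime(s["creationDate"], TS).replace(tzinfo=timezone.utc) < cutoff]


def apply_revocation(role_name, policy):
    """Attach the policy to the role. Needs boto3 and IAM credentials; not
    exercised offline. Long-lived access keys carry no aws:TokenIssueTime and
    are untouched by this policy: deactivate those with iam.update_access_key."""
    import boto3  # imported here so the rest of the file runs without it
    boto3.client("iam").put_role_policy(
        RoleName=role_name,
        PolicyName="IncidentRevokeOlderSessions",
        PolicyDocument=json.dumps(policy),
    )


if __name__ == "__main__":
    policy = revoke_sessions_policy(CUTOFF)
    print(json.dumps(policy, indent=2))
    print("revoked:", sessions_revoked_by(policy, SAMPLE_SESSIONS))
```

Pick the cut-off as the time you apply the policy, not the time of the first suspicious event; a session the attacker created five minutes ago is still a session. The role, its CloudTrail history and the suspect session's principalId all survive, which is what the forensics step needs and what deleting the role would have destroyed.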
FAQs
What is cloud infrastructure security?
Everything involved in protecting what you build and run on cloud platforms — access controls, workload security, network traffic, data protection, and configuration management. Your provider handles the physical layer and the virtualisation beneath your workloads. Everything above that is yours.
What are the biggest challenges?
Misconfiguration sits at the top, followed by IAM failures, limited visibility into lateral movement, and the complexity of hybrid environments where on-premises and cloud systems intersect.
How does cloud network security help?
By monitoring traffic between systems, detecting anomalous behaviour, and limiting how far an attacker can move if they gain entry. Detection is as important as prevention.
What is hybrid cloud security?
Security strategy for environments where on-premises and cloud systems both do important work and need consistent policy and unified visibility — rather than being secured as two separate half-problems.
What are the best practices?
Zero trust and least-privilege access. Regular configuration audits. Encryption everywhere. Incident response plans built specifically for cloud environments. And continuous monitoring across the full estate, not just the perimeter.


