Cloud computing is a staple in today’s business environment, enabling companies to leverage Large Language Models (LLMs), store customer data, and scale their tech stack. Developing a robust cloud security strategy has emerged as a key concern. Most enterprises are still slow to make the shift to cloud-based ecosystems.
Safeguarding cloud networks is very different from securing data stored on-premises. Not only are enterprises dealing with disparate third-party service providers, but threat actors have adopted savvy tactics specifically designed to exploit cloud vulnerabilities. Unfortunately, many organizations currently lack the technical prowess and operational processes required to combat these threats.
On average, the cost of a data breach in public clouds was US$5.17 million in 2024, as reported in IBM’s Cost of a Data Breach Report. Recent headlines, such as the cyberattack on multi-cloud warehousing platform Snowflake, also exemplify the vulnerability of cloud computing and highlight the need for a threat mitigation strategy. In this specific instance, hundreds of millions of customers were affected across major brands like Ticketmaster, AT&T, and Santander Bank.
Enterprises must take a more proactive approach toward cloud protection if they want to avoid falling victim to a large-scale attack. To assist enterprises in crafting a cloud security strategy, ABI Research's expert analysts share four steps to protect cloud networks from threat actors. These proven tactics were identified through various interviews with cybersecurity professionals with expertise in cloud, hybrid, and multi-cloud environments.
What Is Cloud Security?
A secure cloud architecture refers to the set of technologies, policies, and strategies designed to protect data, applications, and infrastructure hosted in cloud environments from unauthorized access, breaches, and other cyberthreats. It ensures that businesses can leverage the scalability and flexibility of cloud computing, while maintaining robust safeguards against risks like data loss or service disruptions.
Cloud security frameworks enable digital transformation, while addressing the need for robust compliance measures in an increasingly connected world. Besides implementing Zero Trust policies, it’s also essential to couple cloud deployment with encryption tools such as Hardware Security Modules (HSMs), Key Management Systems (KMSs), firewalls, threat monitoring software, and quantum-resistant encryption.
Top Cloud Security Challenges
Several critical challenges hinder enterprises’ ability to successfully mitigate cyber risks for the cloud.
- Complexity of Multi-Cloud Environments: Reliance on multiple cloud providers makes vulnerability management more difficult and heightens the risk of vendor lock-in, limiting the effectiveness and flexibility of cybersecurity strategies.
- Limited Tool Interoperability: Cloud-native security tools are often restricted to their respective platforms, creating difficulties in integrating and optimizing security across a fragmented multi-cloud ecosystem.
- Security Consistency and Breach Replication: A security weakness or misconfiguration in one cloud environment is likely to be duplicated across others. This compounds the risk of potential data loss.
- Talent Shortage: Many organizations lack the skilled personnel needed to manage cloud-specific security, increasing the likelihood of misconfigurations. This is particularly pronounced in Asia-Pacific, where cloud misconfiguration-related data leaks exceed the global average by 5%.
- Cost and Operational Burden: Hiring or upskilling cybersecurity talent adds significant IT overhead and financial strain, making it harder for businesses to scale secure cloud operations efficiently.
- Regulatory Compliance Pressure: Heavily regulated sectors must navigate evolving rules around data privacy and sovereign cloud, requiring shifts in corporate governance and investment priorities.
- Resource Overextension: IT teams must balance securing both legacy on-premises systems and modern cloud infrastructure, underscoring the need for automation to relieve pressure on overstretched resources.
The rest of this article will delve into the best practices identified in the figure below.

1. Leverage a Root of Trust
A hardware root of trust is essential for implementing cryptographic safeguards, including for data stored in the cloud. ABI Research analysts recommend that enterprises always use a Hardware Security Module (HSM). These tamper-resistant devices provide cryptographic capabilities to thwart unauthorized access to the network, as well as hashing capabilities for tokenization. For example, converting data into ciphertext prior to uploading it to the cloud prevents the theft of passwords, digital certificates, trade secrets, and other highly sensitive information.
An emerging trend that Senior Research Director Michela Menting has witnessed is the use of cloud security services like HSMs. She says, “More recently, market developments around cloud-based HSMs (and HSM-as-a-Service) have emerged to address some of this management complexity, with the option for enterprises to leverage HSM functionalities without having to own and operate the hardware themselves.” Menting stresses that this outsourcing of physical hardware greatly simplifies security management.
This secure, hybrid architecture enables enterprises to use their own HSM hardware on-premises, but leverage cloud-based HSM services for data protection. As we slowly approach a post-quantum world, you must select HSM solutions with quantum-safe features baked in. In particular, prioritizing a quantum-resistant root of trust will become increasingly important as existing symmetric algorithms become deprecated.
2. Adopt a Robust Cloud Key Management System
Another best practice is to use a Key Management System (KMS) supported by encryption tools, which streamlines the process of generating and distributing cryptographic keys. Fortunately for enterprises, many cybersecurity vendors have developed KMS solutions with regulatory compliance and ease of use in mind. In addition to being designed for cloud platforms, key management tools allow enterprises to protect data without making significant upfront investments.
A cloud-native KMS is becoming a common deployment for enterprises, providing much-needed simplicity in managing innumerable cryptographic keys across multi-cloud environments. Industry Analyst Aisling Dawson notes, “Cloud-based KMSs are a convenient way for organizations relying on the cloud for data storage or operations to isolate their cryptographic keys from the data they protect, providing a centralized dashboard wherein customers can create and manage keys.”
Again, a vital criterion that enterprises should be looking for in key management services is quantum readiness. Google Cloud KMS stands out in this regard, recently integrating two Post-Quantum Cryptography (PQC) algorithms approved by the National Institute of Standards and Technology (NIST). Other cloud service providers, such as Amazon Web Services (AWS), Oracle, IBM, and Microsoft are also building post-quantum cryptographic libraries to future-proof their KMS solutions.

3. Ensure Quantum-Resistance and Crypto-Agility
Choosing quantum-resistant tools is a key pillar of securing the cloud. Cryptographically relevant quantum computers are on the horizon, designed to break traditional cryptography. Industry experts estimate that attack-capable quantum computers will emerge within 10 to 20 years. Therefore, forward-looking enterprises will seek cybersecurity solutions that leverage Post-Quantum Cryptography (PQC).
Although some PQC algorithms have already been selected, algorithm standardization is a fluid process. Industry stakeholders tell us they fear that PQC algorithms selected today may gradually become obsolete as new and improved algorithms are developed. It’s a valid concern, as enterprises don’t want to invest in a security solution that will be useless in a relatively short time span. For this reason, ABI Research advocates for crypto-agile security tools. Crypto-agility enables cloud-based data protection platforms aligned with governance protocols to easily update and swap out PQC algorithms as new ones become available.
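The crypto-agility pattern described above, as an added example that is not code from ABI Research or any vendor: every stored object carries an algorithm identifier, so a governance policy can introduce a new algorithm, migrate existing objects, and retire the old one without changing calling code. It assumes two HMAC algorithms from the Python standard library as stand-ins for PQC algorithms (the standard library ships none); `REGISTRY`, `Policy`, the blob layout, and the algorithm ids are hypothetical names constructed for this illustration.

```python
import hashlib
import hmac

# Registry: algorithm id -> (name, digest constructor). Ids are constructed
# for this example; a real deployment would define its own identifiers.
REGISTRY = {
    1: ("HMAC-SHA-256", hashlib.sha256),
    2: ("HMAC-SHA3-256", hashlib.sha3_256),
}

class Policy:
    """Governance decision, changed by configuration rather than by code."""
    def __init__(self, current, accepted):
        self.current = current          # id used for all new objects
        self.accepted = set(accepted)   # ids still allowed on read

def _tag(alg_id, key, data):
    _, digest = REGISTRY[alg_id]
    # Bind the algorithm id into the MAC so the header cannot be swapped.
    return hmac.new(key, bytes([alg_id]) + data, digest).digest()

def protect(policy, key, data):
    """Return alg_id || tag_len || tag || data using the current algorithm."""
    tag = _tag(policy.current, key, data)
    return bytes([policy.current, len(tag)]) + tag + data

def verify(policy, key, blob):
    """Check a blob and return its data; reject unknown or retired ids."""
    if len(blob) < 2:
        raise ValueError("truncated blob")
    alg_id, tag_len = blob[0], blob[1]
    if alg_id not in REGISTRY or alg_id not in policy.accepted:
        raise ValueError(f"algorithm id {alg_id} not accepted by policy")
    tag, data = blob[2:2 + tag_len], blob[2 + tag_len:]
    if not hmac.compare_digest(tag, _tag(alg_id, key, data)):
        raise ValueError("integrity check failed")
    return data

def migrate(policy, key, blob):
    """Re-protect a valid blob under the current algorithm if it is older."""
    data = verify(policy, key, blob)
    return blob if blob[0] == policy.current else protect(policy, key, data)

if __name__ == "__main__":
    key = bytes(32)  # constructed demo key; real keys come from the KMS/HSM
    blob = protect(Policy(1, {1}), key, b"constructed sample record")
    moved = migrate(Policy(2, {1, 2}), key, blob)
    print(REGISTRY[blob[0]][0], "->", REGISTRY[moved[0]][0])
```

The three policy stages (old only, both accepted, new only) mirror a phased algorithm rollover: objects written under the old id stay readable until migration finishes, then the old id is dropped from `accepted`.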

4. Strengthen Cloud Security with Proactive Risk Monitoring
Cloud security involves a proactive approach to data protection through risk assessment and monitoring. You should be blending threat intelligence from external sources with internal analysis to identify potentially targeted data and mitigate cyber risks.
Enterprises and cloud providers share this responsibility. As Menting states, “While the function of the cloud provider is to offer a trusted platform for data, the onus is primarily on the enterprise to manage both the data and the security according to its own needs.”
This preemptive strategy ensures that businesses are leveraging data governance tools and access control policies for data discovery, classification, risk analysis, and compliance. As a result, they can make informed decisions on encryption, authentication, and access controls.
Implementing this strategy requires robust oversight and fine-grained management of both data and security technologies to address evolving threats effectively.
There’s No Digital Transformation Without Cloud Security
Creating a cloud security strategy is a must in today's digitally-driven world. While the cloud provides the scalability, cost savings, storage capacity, and processing capabilities required to power next-generation applications, it exposes sensitive data to new platforms that can be exploited. Building up a cloud security apparatus is a difficult task to take on alone as an enterprise. Many lack the expertise and resources needed to secure sensitive data across various cloud environments.
Following the guidance provided in this article is the first step to successfully securing the cloud, while scaling digitalization projects. Beyond that, enterprises must also find a cybersecurity partner that provides network visibility and effective identity management across multiple cloud environments and on-premises systems. For enterprises looking to stay on the frontline of quantum-safe security innovation, prioritizing solutions with post-quantum capabilities and crypto-agile deployment options will be key.