Cloud Security: Navigating the Complexities


Posted on by Tatyana Sanchez

The increasing migration of organizational data to the cloud brings both significant advantages and complex security challenges. In 2021, a striking 45% of all data breaches were cloud-based, a number projected to rise as more organizations leverage cloud services. While the cloud offers undeniable benefits like scalability, flexibility, and cost efficiency, its vast and intricate nature introduces unique security risks and hurdles like account hijacking, data breaches, misconfigurations, compliance issues, and limited visibility.

To mitigate these risks, organizations must prioritize visibility and accountability when selecting a public cloud provider. Jabez Abraham, Director of Enterprise Architecture at Asurion, emphasized these two critical priorities in his RSAC™ 2023 webcast.

Abraham highlighted that in a public cloud environment, asking key questions about visibility is paramount. It's not just about logging everything; it's about determining what truly needs to be logged to effectively identify threats. Overly comprehensive logging can obscure crucial information, making it difficult to pinpoint genuine security concerns. Therefore, organizations should focus on logging relevant data, such as production traffic or denied access attempts.

Regarding accountability, Abraham stressed the importance of defining what constitutes "normal" behavior within cloud environments. This understanding helps in identifying anomalies and potential threats. Additionally, accountability extends to understanding support mechanisms and cost management within the cloud.
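The two priorities above, log what matters and compare it to a defined "normal", as an added example that is not part of the original post. The script triages constructed CloudTrail-style events (the account ID, principal ARNs, IP ranges and event records are all invented for illustration): it keeps only denied access attempts and tags each one with how it deviates from a baseline of known principals and corporate source networks.

```python
"""Added example: triage constructed cloud audit events against a baseline."""
import ipaddress
import json
from collections import Counter

# Baseline of what "normal" looks like for this hypothetical account:
# the principals expected to act in it and the corporate egress ranges.
BASELINE_PRINCIPALS = {"arn:aws:iam::111122223333:user/ci-deploy",
                       "arn:aws:iam::111122223333:role/Ops"}
BASELINE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed range

# Error codes that mark a denied access attempt in CloudTrail-style records.
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}

# Constructed sample events with only the fields the triage needs (not real logs).
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
    {"eventName": "ListBuckets", "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/Ops"}},
    {"eventName": "CreateUser", "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"arn": "arn:aws:iam::999988887777:role/Vendor"}},
]

def in_baseline_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BASELINE_NETWORKS)

def triage(events):
    """Keep only denied attempts; tag each with the ways it deviates from baseline."""
    findings = []
    for ev in events:
        if ev.get("errorCode") not in DENIED_CODES:
            continue  # successful, expected activity is noise for this question
        principal = ev["userIdentity"].get("arn", "unknown")
        anomalies = []
        if principal not in BASELINE_PRINCIPALS:
            anomalies.append("unknown principal")
        if not in_baseline_network(ev["sourceIPAddress"]):
            anomalies.append("source outside corporate ranges")
        findings.append({"principal": principal, "event": ev["eventName"],
                         "source": ev["sourceIPAddress"], "anomalies": anomalies})
    return findings

def repeated_denials(findings, threshold=2):
    """Principals denied at least `threshold` times: worth a closer look, since a
    credential probing for what it can reach tends to collect denials."""
    counts = Counter(f["principal"] for f in findings)
    return {p: n for p, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    print(json.dumps(found, indent=2))
    print("repeated denials:", repeated_denials(found))
```

Of the four constructed events only the three denied ones survive, and the same baseline principal denied twice, once from an unfamiliar network, is the record a reviewer would open first.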

By focusing on these two principles, organizations can better secure their data and come up with mitigation strategies in complex public cloud environments.

How Do Attackers Get Into the Cloud?

In his RSAC™ 2025 Conference presentation, Nick Frichette, Staff Security Researcher at Datadog, shared insights gathered from 56 real-world security incidents, pointing out common initial access vectors in cloud and AWS environments. These frequently observed entry points include the exploitation of Internet-facing vulnerabilities, insider threats, social engineering attacks, and the abuse of identity and access management (IAM) cross-account permissions. A significant finding was that leaked credentials served as the initial access point in a remarkable 65% of the analyzed incidents.

The widespread exposure of these leaked credentials is often linked to neglected assets. Neil Carpenter, Principal Technical Evangelist at Orca Security, and Bar Kaduri, Research Team Leader at Orca Security, defined neglected assets in their RSAC™ 2024 podcast as systems that haven't been patched recently, inactive user accounts, or outdated infrastructure. Carpenter reported that a staggering 81% of organizations have neglected assets exposed to the Internet, and many cybersecurity teams remain unaware of these vulnerabilities until after a security incident has occurred.

The vastness and often limited visibility of cloud environments make it easy to overlook these neglected assets. However, there's a solution: automation. As Carpenter emphasized, "Automating is important to find risks by automating scanning, and then looking at how it's deployed and how it's configured." It's nearly impossible to have cybersecurity teams manually keep track of what's deployed and configured correctly across the entire cloud infrastructure while focusing on other tasks. Therefore, automation is absolutely critical in the cloud to proactively find neglected assets and mitigate risks before an incident occurs.

How Can Organizations Investigate in the Cloud?

Cloud forensics is the specialized process of investigating cybercrime and incidents within cloud environments. However, as Prasad Purnaye, Assistant Professor at MIT World Peace University in India, highlighted in his RSAC™ 2024 webcast, several significant challenges hinder effective cloud investigations.

The top hurdles Purnaye identified include:

  • Evidence Collection & Logging (due to visibility limitations): The ephemeral and distributed nature of cloud data, coupled with limited direct access, makes comprehensive evidence collection difficult.
  • Forensic Tools: Many traditional forensic tools are not designed for or applicable to cloud environments, necessitating specialized solutions.
  • Multi-tenancy: The shared infrastructure of cloud computing means numerous entities operate on the same platform, complicating the isolation and monitoring of specific user behaviors and traffic flows for evidence gathering.

For a complete list of challenges in cloud forensics, please refer to Figure 1.

Figure 1. RSAC 10 challenges (image). Source: RSAC 2024 Webcast

Further elaborating on the logging challenge in his RSAC™ 2025 Conference presentation, Ofer Maor, CTO of Mitiga, explained that basic cloud logging services provide security highlights but often lack the granular detail required for thorough investigations. What's needed is activity logging, which captures every single action a user takes, from clicking a button to opening a file or sending an email. These comprehensive logs are inherently large and complex to manage, underscoring why automation plays a crucial role in making them usable.

To address the volume and complexity of cloud data for effective forensics, Maor recommended a data lake (data warehouse) approach. This approach is ideally suited for big data applications and ultimately provides a robust framework for cloud logging, analytics, and forensic investigations.

To effectively navigate the complexities of cloud security, organizations must prioritize visibility, accountability, and the strategic implementation of automation. By understanding common attack vectors, proactively identifying neglected assets, and embracing advanced forensic approaches like data lakes, businesses can significantly strengthen their cloud defenses and minimize the impact of future security incidents. To learn more, we invite you to register for our upcoming cloud security seminar.

Contributors
Tatyana Sanchez

Content & Program Coordinator, RSAC
