
The 2026 Cloud Compliance Pivot


Posted on by Tatyana Sanchez

Key Takeaways

  • Move beyond annual audits to continuous monitoring (FedRAMP Rev 5).
  • With hybrid-cloud blurring lines, Zero Trust and phishing-resistant MFA are non-negotiable. 
  • Use Cloud Security Posture Management (CSPM) to automate guardrails. 

As cloud adoption continues to grow, compliance is becoming more critical than ever. Industry research has warned for years that cloud misconfigurations are behind a large share of data breaches; in 2024, for instance, 23% of cloud security incidents stemmed from misconfigurations. This is particularly concerning in a cloud-native world, where a single error (a storage bucket flipped to public, a security group opened to the internet) can expose millions of records in seconds. Configurations change rapidly across dynamic cloud environments, so a control that passed an audit last quarter may no longer be in place today, creating security gaps.

While adhering to industry standards like SOC 2 helps ensure a baseline of compliance, there is an urgent need for continuous oversight. This is why FedRAMP Rev 5 (built on the NIST SP 800-53 Rev 5 control catalog) requires cloud service providers seeking or holding an authorization to implement continuous monitoring, automated alerting, and incident response protocols that go beyond static, point-in-time audits.

Cloud Threats and Challenges

As Jon Sabberton, Senior Manager at Mandiant, stated in an RSAC™ 2025 Conference presentation, “99% of organizations are currently running some form of hybrid infrastructure.” Sabberton went on to explain that while many security vendors are pushing organizations toward the cloud, this transition creates significant challenges. These include the increasingly blurred lines between on-premises and cloud environments, an extended attack surface, the heightened risk associated with third-party and external access, and the reality that modern attacks are becoming increasingly multi-dimensional.

Sabberton’s co-speaker, Rupanjana Mukherjee, Principal Security Architect at Mandiant (Google Cloud), highlighted three primary categories of actors targeting cloud environments:

1. Advanced Persistent Threat (APT) Actors: These are the most difficult to detect because they are typically not motivated by immediate financial gain. They often work on behalf of nation-states and can remain hidden within a network for months or even a year.

2. FIN Actors: These are financially motivated threat actors. They are generally easier to identify because their motives are clear; they typically target organizations with ransomware and demand payment.

3. UNC (Uncategorized) Actors: This is Mandiant’s label for clusters of activity not yet attributed to a named group. In the cloud, these actors commonly deploy phishing attacks or conduct account takeovers, and their motives can be either financial gain or alignment with nation-state interests.

Mukherjee explained several specific challenges organizations face when managing hybrid and multi-cloud setups:

Multiple Identity Planes

When an organization manages on-premises systems alongside one or two cloud environments, it often ends up with multiple identity planes. While on-premises systems typically use Active Directory to manage identities, every cloud platform has its own unique set of rules and identity solutions. These disparate systems often "talk" to each other through federation and directory synchronization, creating bridges that attackers leverage to steal credentials and move laterally across platforms.

Lack of Segmentation

A significant issue in cloud security is the lack of proper segmentation. As Mukherjee noted, "In almost every environment, there is a mix of dev/test workloads hosted within the same network boundary that holds critical production data." Attackers often leverage these less-secure entry points to gain a foothold, then move within the network to compromise the hosts that hold critical production data.

Inconsistent Security Controls and Abuse of Trust

Inconsistent security controls have become more prominent as organizations juggle multiple cloud platforms, each with its own configurations and management planes. This leads to an Abuse of Trust, where an attacker gets into the on-premises environment and uses integrated identities or VPNs to "hop" into the cloud environment and take over cloud solutions.

Governance and Monitoring Gaps

Finally, maintaining consistent patching, governance, and monitoring remains a major struggle. Organizations often face a "disparity of visibility," questioning whether they have sufficient logs and detection capabilities across all their cloud and physical assets to see a threat coming.

This is why detecting lateral movement in a hybrid cloud is the key to modern defense. In practice, this means unifying monitoring tools and analytics across all platforms: identity, network, and audit logs from on-premises and cloud environments need to land in one place, keyed on the same identities, so that a single account’s activity can be followed as it crosses from one plane to the other.
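The "hop" described in the Abuse of Trust and Governance and Monitoring Gaps sections above is only visible when on-premises and cloud sign-in logs are correlated on the same identity. The following is an added example, not code from the RSAC post or from Mandiant: it walks a set of constructed, SIEM-style normalized events (stand-ins for Windows Security event 4624 and CloudTrail sign-in records) and flags a cloud sign-in that follows an on-premises logon by the same identity within a short window from an address the cloud plane has never seen for that identity. The event schema, the time window and the per-user IP baseline are all assumptions.

```python
"""Detect hybrid 'hops': an on-premises logon followed by a cloud
sign-in from an address the cloud plane has not seen for that identity.

Added example, not code from the RSAC post or from Mandiant. The event
format is an assumption: a normalized record carrying the plane it came
from, the identity, the client IP and a timestamp, as a SIEM might build
from Windows Security event 4624 and CloudTrail sign-in records.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), deliberately unsorted.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T13:03:00Z", "plane": "cloud", "user": "bob",
     "ip": "198.51.100.7", "event": "AssumeRoleWithSAML"},
    {"ts": "2025-05-01T09:00:00Z", "plane": "onprem", "user": "alice",
     "ip": "10.1.4.20", "event": "4624"},
    {"ts": "2025-05-01T09:05:00Z", "plane": "cloud", "user": "alice",
     "ip": "203.0.113.10", "event": "ConsoleLogin"},
    {"ts": "2025-05-01T13:00:00Z", "plane": "onprem", "user": "bob",
     "ip": "10.1.4.88", "event": "4624"},
    {"ts": "2025-05-01T13:04:00Z", "plane": "cloud", "user": "bob",
     "ip": "198.51.100.7", "event": "ConsoleLogin"},
    {"ts": "2025-05-01T16:00:00Z", "plane": "cloud", "user": "carol",
     "ip": "198.51.100.9", "event": "ConsoleLogin"},
]

# Assumed baseline: egress/VPN addresses each identity normally uses
# toward the cloud plane, as learned from prior weeks of logs.
KNOWN_CLOUD_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.10"}}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_hybrid_hops(events, known_cloud_ips, window=timedelta(minutes=15)):
    """Return one alert per (identity, on-prem logon) where a cloud sign-in
    by the same identity follows within `window` from an unknown address.

    Carol has no on-prem logon, so her cloud sign-in is direct access and
    not a hop. Alice's cloud address is in her baseline, so no alert.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    last_onprem = {}   # user -> (timestamp, ip) of most recent on-prem logon
    alerted = set()    # (user, onprem timestamp) pairs already reported
    alerts = []
    for e in ordered:
        t = parse_ts(e["ts"])
        if e["plane"] == "onprem":
            last_onprem[e["user"]] = (t, e["ip"])
            continue
        prior = last_onprem.get(e["user"])
        if prior is None or t - prior[0] > window:
            continue
        if e["ip"] in known_cloud_ips.get(e["user"], set()):
            continue
        key = (e["user"], prior[0])
        if key in alerted:          # collapse the follow-on cloud events
            continue
        alerted.add(key)
        alerts.append({
            "user": e["user"],
            "onprem_ip": prior[1],
            "onprem_ts": prior[0].isoformat(),
            "cloud_ip": e["ip"],
            "first_cloud_event": e["event"],
            "delta_minutes": int((t - prior[0]).total_seconds() // 60),
        })
    return alerts


if __name__ == "__main__":
    for a in find_hybrid_hops(SAMPLE_EVENTS, KNOWN_CLOUD_IPS):
        print(f"HOP {a['user']}: {a['onprem_ip']} -> {a['cloud_ip']} "
              f"({a['first_cloud_event']}, +{a['delta_minutes']} min)")
```

On the sample data only Bob trips the rule: he logs on to a domain host, and three minutes later a SAML role assumption for the same identity arrives from an address his cloud baseline has never recorded. The point of the example is the join, not the rule itself; neither log on its own contains enough to raise the alert, which is the "disparity of visibility" problem in concrete form.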

Five Steps to Take to Stay Compliant

Organizations that store and utilize data in the cloud must comply with several regulations and policies. These requirements vary by industry; for example, healthcare providers increasingly store patient data in the cloud and must abide by HIPAA rules and regulations. Similarly, financial organizations are responsible for adhering to ASC X9 standards (from the Accredited Standards Committee X9, which develops standards for the financial services sector). Furthermore, those operating within the EU, or serving EU clients, must remain compliant with the Digital Operational Resilience Act (DORA), the General Data Protection Regulation (GDPR), and the EU AI Act. Ultimately, it is crucial to align an organization’s infrastructure and workflows with the appropriate policies and regulations to ensure they remain compliant.

1. Establish a shared responsibility model: As Rich Mogull, Chief Analyst at the Cloud Security Alliance, noted in an RSAC 2025 Conference presentation, this framework is vital because "It defines what the provider is responsible for and what the consumer is." Beyond the provider level, organizations should create a detailed internal version for their own teams. This ensures everyone knows their specific duties, effectively preventing ownership gaps where tasks might otherwise fall through the cracks. Without this clear mapping, teams often remain unaware of their compliance obligations.

2. Implement Cloud Security Posture Management (CSPM): CSPM is the continuous monitoring and assessment of cloud security posture. It inventories infrastructure (storage, networking, identities, logging) and compares each resource’s configuration against policy, flagging or automatically correcting drift such as a public bucket, an internet-exposed administrative port, or a console user without MFA. This improves visibility, automates detection and remediation, and reduces both risk and long-term cost.

3. Use frameworks: Organizations should use frameworks such as FISMA, which categorizes systems at a low, moderate, or high impact level and applies the corresponding NIST SP 800-53 control baseline, as Robert Buccigrossi, CTO at TCG, explained in his RSAC 2025 Conference presentation. Whether using on-premises solutions or cloud offerings (which need a FedRAMP authorization at the matching impact level to satisfy those NIST requirements), maintaining these authorization boundaries is critical when handling sensitive data in LLM environments.

4. Leverage platforms with built-in guardrails: Several platforms, including Google Cloud Platform (GCP), AWS, and Azure, offer built-in guardrails (for example, GCP Organization Policy constraints, AWS Service Control Policies, and Azure Policy). These are automated sets of rules and constraints that govern resource usage and block non-compliant configurations before they are created, and organizations should implement them to enforce security policies and ensure consistent compliance across their entire environment.

5. Implement a Zero Trust Architecture: The majority of cloud security failures are identity failures, and all identity failures are governance failures. To address this, organizations must shift their mindset and implement a Zero Trust architecture. Zero Trust is not a single product; it is a principle and a fundamental shift in mindset to "never trust and always verify" every access request. A critical part of this is reinforcing Multi-Factor Authentication (MFA): moving beyond SMS codes and push approvals, which can be phished or fatigued, to phishing-resistant methods such as FIDO2/WebAuthn hardware security keys and passkeys, whose credentials are bound to the legitimate origin (a biometric on the device unlocks the authenticator but is not by itself what makes the method phishing-resistant).
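Steps 2 and 4 above describe posture checks and guardrails in the abstract; the block below is an added example (not code from the RSAC post, from any cloud provider, or from any CSPM product) showing what a minimal CSPM-style evaluation looks like. It runs a small set of rules over a constructed resource inventory, including the dev/test-in-the-production-network pattern called out under Lack of Segmentation, and returns findings with severities. The inventory schema, rule names and severities are assumptions, and the NIST SP 800-53 control references are illustrative mappings rather than an official crosswalk.

```python
"""Evaluate a cloud resource inventory against guardrail rules, CSPM-style.

Added example; not code from the RSAC post, a cloud provider or any CSPM
product. The inventory schema is an assumption (a flat list of resource
dicts a posture tool might build from provider APIs). The NIST SP 800-53
control references are illustrative mappings, not an official crosswalk.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed inventory (not real resources). It deliberately places a
# dev VM in the production network, mirroring the segmentation gap
# described in the post.
INVENTORY = [
    {"type": "storage_bucket", "id": "prod-records", "env": "prod",
     "public_access": True, "encryption": "kms"},
    {"type": "storage_bucket", "id": "dev-scratch", "env": "dev",
     "public_access": False, "encryption": "none"},
    {"type": "security_group", "id": "sg-ssh-any", "env": "prod", "network": "vpc-prod",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "id": "sg-web", "env": "prod", "network": "vpc-prod",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "iam_user", "id": "alice", "env": "prod", "console": True, "mfa_enabled": True},
    {"type": "iam_user", "id": "svc-legacy", "env": "prod", "console": True, "mfa_enabled": False},
    {"type": "vm", "id": "dev-test-01", "env": "dev", "network": "vpc-prod"},
    {"type": "vm", "id": "prod-db-01", "env": "prod", "network": "vpc-prod"},
]

ADMIN_PORTS = {22, 3389}  # SSH and RDP


def finding(rule, resource, severity, control, detail=""):
    return {"rule": rule, "resource": resource["id"], "severity": severity,
            "control": control, "detail": detail}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any prefix of length zero."""
    return ip_network(cidr, strict=False).prefixlen == 0


def check_public_storage(inv):
    return [finding("public-storage", r, "HIGH", "AC-3")
            for r in inv if r["type"] == "storage_bucket" and r.get("public_access")]


def check_unencrypted_storage(inv):
    return [finding("unencrypted-storage", r, "MEDIUM", "SC-28")
            for r in inv if r["type"] == "storage_bucket"
            and r.get("encryption", "none") == "none"]


def check_admin_ports_open(inv):
    out = []
    for r in inv:
        if r["type"] != "security_group":
            continue
        for rule in r["ingress"]:
            if rule["port"] in ADMIN_PORTS and is_world_open(rule["cidr"]):
                out.append(finding("admin-port-world-open", r, "HIGH", "SC-7",
                                   f"port {rule['port']} open to {rule['cidr']}"))
    return out


def check_console_mfa(inv):
    return [finding("console-user-no-mfa", r, "HIGH", "IA-2")
            for r in inv if r["type"] == "iam_user"
            and r.get("console") and not r.get("mfa_enabled")]


def check_segmentation(inv):
    """Flag non-prod workloads sharing a network with prod workloads."""
    envs_by_network = defaultdict(set)
    for r in inv:
        if r["type"] == "vm":
            envs_by_network[r["network"]].add(r["env"])
    return [finding("nonprod-in-prod-network", r, "MEDIUM", "SC-7",
                    f"{r['env']} workload in {r['network']}")
            for r in inv if r["type"] == "vm" and r["env"] != "prod"
            and "prod" in envs_by_network[r["network"]]]


CHECKS = (check_public_storage, check_unencrypted_storage, check_admin_ports_open,
          check_console_mfa, check_segmentation)


def evaluate(inv):
    findings = []
    for check in CHECKS:
        findings.extend(check(inv))
    return findings


def summarize(findings):
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = evaluate(INVENTORY)
    for f in results:
        print(f"[{f['severity']}] {f['rule']} {f['resource']} ({f['control']}) {f['detail']}")
    print(summarize(results))
```

Run against the constructed inventory, the checks return five findings: the public production bucket, the unencrypted dev bucket, SSH open to the world on one security group, a console user without MFA, and the dev VM sharing the production network. A real CSPM tool differs mainly in where the inventory comes from (provider APIs, re-read continuously) and in what happens next (ticketing or automatic remediation); the rule shape is the same, and it is the same shape a preventive guardrail such as an organization policy enforces before the resource exists.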

Finally, organizations should stay informed by regularly reviewing the latest updates from NIST regarding the Cybersecurity Framework 2.0, the Center for Internet Security (CIS) for cloud benchmarks, and the Cloud Security Alliance (CSA) for the latest trends in AI and cloud controls. Find more resources on the CLOUD Act and visit our RSAC library to learn more about how to remain compliant in the cloud and how to maintain that compliance over time.

Contributors
Tatyana Sanchez

Senior Coordinator, Content & Programming, RSAC

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
