Todd Moore | Vice President, Data Security Products, Thales
Thales has just released the 2025 Cloud Security Study, providing a comprehensive view into the challenges, priorities, and progress of organizations managing cloud security.
Based on insights from nearly 3200 respondents across 20 countries, the study confirms an uncomfortable truth: while organizations prioritize cloud security investment, growing complexity, rising AI-related pressure, and widening gaps in data protection are leaving them at risk. And, with more data, applications, and workloads shifting to the cloud, the stakes have never been higher. Let’s dive in.
Key Insights from the 2025 Cloud Security Study
- Security for AI enters the top three spending priorities, second only to general cloud security
- Only 8% of organizations encrypt 80% or more of their cloud data, leaving sensitive assets exposed
- One in three enterprises now use 500+ APIs, broadening the potential attack surface
- 55% say cloud is more complex to secure than on-premises, up from 51% last year
- Tool sprawl remains a challenge, with 57% using five or more key management systems
The AI Impact: Spending Grows, Budgets Shift
Perhaps unsurprisingly, as most AI development and deployment occurs in the cloud, security for AI workloads emerged as a new investment priority this year. In fact, it ranks as the second-highest investment priority with 52% of respondents saying they are now prioritizing AI spending over other security needs. Although this move could raise concerns about the organizations’ ability to effectively secure both their AI assets and their broader cloud infrastructure, it signals a shift in how organizations allocate budgets in response to the accelerated adoption of AI.
Cloud Security Tops the Agenda, But Encryption Still Lags
As cloud adoption grows, so does the risk associated with it. This year, 54% of cloud data was classified as sensitive, up from 47% in 2024. And yet, many organizations are failing to implement the necessary data protection measures, with only 8% of organizations encrypting 80% or more of their cloud data. While the average has improved since last year, nearly half of all sensitive data stored in the cloud remains unencrypted.
Complexity is the Enemy of Security
While hybrid cloud environments - made up of on-premises infrastructure, multiple cloud providers, and a sprawl of SaaS applications – have provided organizations with significant productivity gains, they are a nightmare for security teams.
64% of security pros ranked cloud security among their top five security priorities, with 17% identifying it as their number one. Security for AI is the new kid on the block, ranking second overall, highlighting its growing importance. Despite sustained investment, cloud security remains a complex, persistent challenge:
- 55% of respondents say cloud security is more complex than on-premises, up from 51% last year
- Organizations now use an average of 2.1 public cloud providers. They now employ 85 SaaS applications, marking an 6% increase in the use of these apps from 2024
- 61% use five or more tools for data discovery and classification
- 57% use five or more enterprise key management systems, creating potential silos and misconfigurations
The problem? When tools multiply, controls vary across platforms, visibility erodes, and the risk of human error rises, especially when sensitive data is already under-protected.
Human Error, Insufficient Access Controls Reign Supreme
Despite external threats dominating headlines, human error remains the leading cause of breaches. This is a sobering revelation. Misconfigured storage, poor access controls, and unmanaged secrets can quickly escalate into major incidents in cloud environments.
Despite increased access-based attacks targeting cloud-based data, as reported by 68% of the survey respondents, organizations aren’t taking the steps necessary to mitigate this risk. While 65% of organizations now use MFA to protect cloud access, adoption is far from universal. Moreover, adoption of more advanced protections, like phishing-resistant authentication and privileged access management (PAM), remains limited. The combination of weak authentication, expanding cloud footprints, and insufficiently protected sensitive data presents a significant risk.
API Sprawl Widens the Attack Surface
Surges in AI integration and cloud-native development have necessitated rapid growth in API usage. So much so, in fact, that one in three enterprises now use 500 or more APIs, creating an unprecedentedly large attack surface for cybercriminals to target.
Despite this growth, organizations aren’t giving API-specific threats the attention they deserve. While 38% cited API attacks as a concern, code vulnerabilities (59%) and supply chain risks (48%) ranked as more pressing concerns. Considering APIs serve as a gateway not just to applications but to the sensitive data and logic behind them, this under-prioritization reflects a potentially devastating security blind spot.
Digital Sovereignty: The New Battleground for Trust
Digital sovereignty is one of the most pressing concerns of the cloud era. Regulations like GDPR, PDPA, and sector-specific mandates are tightening, putting increased pressure on organizations to maintain control over data location and access. However, it’s important not to view data sovereignty as a compliance checkbox but as a strategic enabler.
In the report, 42% of respondents identified encryption and key management as key enablers of digital sovereignty, regardless of where data physically resides. And the leading driver for sovereignty efforts (33%) is data and workload portability, highlighting a shift toward future-proofing in a multi-cloud world.
Cloud Security Must Evolve with the Enterprise
At Thales, we understand that cloud security is no longer just about defense; it’s about enablement. The findings from this year’s Cloud Security Study highlight the need for:
- Greater automation and simplification across cloud and hybrid environments
- Consolidated key management and encryption strategies
- Stronger identity and access protections, particularly for AI and API-centric workflows
- A shift toward security platforms that scale with infrastructure and adapt to new threats
With data at the core of digital transformation. Securing it, wherever it lives, must be a priority for modern organizations. Thales offers the tools and expertise to help organizations protect what matters most, accelerate cloud adoption, and harness the power of AI safely.
Download the full 2025 Cloud Security Study to explore all the insights, data, and recommendations for building a stronger, more resilient cloud security posture.