Brian Robertson | Principal Product Marketing Manager
More About This Author >
Brian Robertson | Principal Product Marketing Manager
More About This Author >
Cloud adoption has fundamentally changed the way businesses operate, offering scalability, agility, and cost efficiencies that were unimaginable just a decade ago. But with this shift comes a necessary conversation: the cloud can also introduce complex security risks without the right care and practices in place.
Think sensitive and regulated data, intellectual property (IP), or code for your next winning product. When it comes to the future of your organization, business leaders must ask themselves:
- How are we making sure our critical data and IP are completely protected in the cloud?
- Who has access to the keys and protocols which are designed to protect our sensitive information?
- Are we consistently managing and securing keys across different cloud environments?
- Are we simply taking a “good enough” approach to cloud security without considering real risks?
If these are not questions that are already being discussed with teams, they need to be.
The Complexity of Multi-Cloud Security
The Thales 2025 Data Threat Report highlights that entities must rethink their approach to data security due to structural and geopolitical changes. In the AI era, the data businesses collect, store, process and share takes center stage. Although data breach rates fell to 45% in 2025 from 56% in 2021, cloud and application security continue to be the greatest security concerns for security leaders.
Cyberattacks are also becoming more sophisticated and tenacious. According to the Thales 2024 Cloud Security Study, 44% of organizations reported experiencing a cloud data breach, with 14% encountering such incidents within the past year. Among these breaches, 31% were attributed to misconfiguration or human error. Organizations that are not taking proactive steps will realize it’s only a matter of time before they become part of that statistic.
Who is Really Responsible for Cloud Security?
Too many business leaders assume that cloud security is their Cloud Service Provider’s (CSP’s) total responsibility, which is a dangerous misconception. In reality, the CSP and the customer share responsibility – or as Google put it, they share fate.
This is called the Shared Responsibility Model, and it defines clear boundaries:
- Cloud providers are responsible for securing the infrastructure—the physical data centers, networks, and hardware.
- The customer is responsible for securing their data, applications, and user access.
This means that although cloud-native security protocols, like encryption, help to protect the provider’s infrastructure, it does not necessarily protect the customer. If their data is compromised, it is they—not the cloud provider—who will fall foul of regulators and face the financial, legal, and reputational consequences.
Businesses need to ask themselves who in their organization is ensuring that the security strategy aligns with these realities.
The Security Challenges of Hybrid IT
Today’s IT environments are a mix of on-premises, hybrid, and multi-cloud services, creating previously unimagined levels of complexity. Security teams, finding themselves on the back foot, are being forced to bolt on security point products as an afterthought or look towards cloud-native security controls— that could mean relinquishing direct control over their access security.
Leveraging multiple clouds results in a fragmented approach that leads to siloed security solutions that are difficult to manage, gaping holes in protection across different platforms, and soaring costs and inefficiencies due to a lack of integration.
The truth is that as cloud environments only continue to grow, IT teams will continue to battle to manage multiple disconnected security tools. This is not a scalable approach—so entities need to consider what they are doing to consolidate and strengthen security across all cloud environments.
Cloud Security Risks: Are You Leaving the Door Open?
Many firms trust cloud-native controls, like encryption, to protect their data but do not consider where the encryption keys are stored. If they are managed within the same cloud ecosystem, this could put the business at risk. This is why:
- Single Point of Failure – If bad actors breach cloud tenant, they could get their hands on the business’s data, and the encryption keys to keep it safe.
- Regulatory Gaps – Compliance frameworks like GDPR, DORA, and PCI-DSS now require stricter key control. Data sovereignty requirements also mandate control over key management. Businesses must establish whether depending on a CSP meets these evolving regulations.
- Separation of Duties – After all, encryption can only be as secure as its key management process, so companies must understand who actually controls their encryption keys.
The 2025 Thales report indicates that there has been some good progress in protecting sensitive data:
- 68% of organizations report that they encrypt 40% or more of their sensitive cloud data.
- 57% of organizations use MFA to protect access to cloud assets, with 40% of them using phishing resistant methods like biometrics and passkeys.
However, there’s still room for improvement. The question businesses need to ask themselves is, what is their appetite for being at risk?
Are You Protecting the Lifeblood of Your Business?
A company’s intellectual property, business models, and proprietary data set it apart from the competition. But in a cloud-driven world, many organizations fail to consider how well they are truly protecting their value.
Firms should ask themselves:
- Are we in control of our competitive edge in the cloud?
- Could third parties gain access to our sensitive business data?
- What happens if our trade secrets are leaked or misused?
Breaches do not just impact data—they impact business reputation, revenue, and future success. In competitive markets, a single data breach can result in crippling fines, negative publicity, and lost customers. According to a global study by IBM the average cost of a data breach has risen to $4.88 million—a very sobering statistic.
Organizations invest fortunes in R&D and innovation and should think about whether it is worth risking losing it all due to poor cloud security.
The Potential Security Gaps in Cloud Provider Protections
Various cloud models require different security approaches—for instance, IaaS environments require security controls that won’t always translate well to SaaS deployments. One CSP’s security capabilities won’t necessarily apply to a different cloud vendor’s environment, and unfortunately, hybrid and multi-cloud environments create many more security gaps than companies realize.
When security is implemented in a siloed, reactive fashion, the result is inefficiencies and inconsistencies, high management overheads, uncontrollable costs, security blind spots, and loss of control. Organizations need to ensure that cloud security isn’t being implemented in a disjointed, piecemeal way.
Cloud Security Must Be Proactive, Not Reactive
According to the Thales 2025 Data Threat Report, 64% of organizations cite cloud security as their most pressing concern, since both SaaS data and cloud storage remain top attack targets. Losing sensitive data is the number one security concern for entities moving to the cloud. Data Loss Prevention (DLP) and encryption are top security controls, but how encryption keys are managed is of utmost importance.
Businesses need to establish who controls their encryption keys, where they are stored, and, importantly, can they retrieve them if needed—or are they locked in by a cloud provider?
The Thales DTR report echoes that sentiment; secrets management emerged as the top security challenge for DevSecOps engineers. According to Gartner, by 2027, more than 60% of organizations will adopt a centralized multicloud Key Management as a Service (KMaaS) to integrate with native CSP key management due to increased impacts of international data residency and privacy requirements.
Are You Asking the Right Questions?
Cloud security is not just an IT problem—it’s a business risk that impacts the entire organization. Businesses need to ask their teams:
- What are we doing to protect our most valuable data and IP in the cloud?
- How can I improve my security across all clouds while complementing cloud-native security?
- What is the best approach to deploying encryption and key management?
- Who actually controls our encryption keys?
- How are we ensuring compliance with evolving regulations?
The businesses that proactively address these questions will not only protect their data but also secure their competitive advantage for years to come. The question, is are you one of them?
Next steps