
Building cyber-security in the cloud

Nicholas Lynch at NetSPI argues that strong cloud defence starts with an attacker’s logic

 

Cloud adoption has become almost universal, with more than 94% of organisations relying on it to power everyday operations. Yet, as businesses embrace its benefits - scalability, cost efficiency, and agility - the cloud also introduces a host of new potential security vulnerabilities and challenges that legacy defences are not built to address.

 

Attackers may still try brute-force tactics or attack perimeter firewalls, but in cloud environments, their focus has shifted. They now take advantage of trusted connections, manipulate neglected APIs, and disguise their actions within legitimate activity. 

 

As identity, automation, and large-scale processes run through every layer of the cloud, even the smallest weakness can remain hidden until it causes major damage. Carrying out targeted penetration testing from the start is one of the most effective ways to surface these blind spots before adversaries do. 

 

The mistake many organisations make is framing cloud risk in outdated terms, fixating on misconfiguration or latching onto buzzwords like “zero trust”, while overlooking how attackers truly behave. Effective cloud defence means thinking like an adversary, not just applying patches to known issues.  

 

Cloud attack paths

Attackers are quickly adjusting to the cloud’s complexities. In 2024, reported cloud intrusions increased by 26% compared to 2023, highlighting how adversaries are refining their techniques to target cloud services. These aren’t simply reworked versions of old attack methods; rather, attackers are exploiting weaknesses that are especially prevalent in cloud environments, such as exposed APIs, shaky identity access controls and gaps in monitoring.

 

Unlike traditional hacks, cloud attacks ripple across services, exploiting the cloud’s own mechanisms in unintended ways. A prime example is the Midnight Blizzard breach of Microsoft. Hackers tampered with OAuth applications, tools that let users share data without handing over passwords, creating fake versions with sweeping access rights.

 

Even after passwords were changed, the attackers maintained access to sensitive corporate emails. The breach hammered home a crucial point: attackers are getting better at using the cloud’s own tools against it, slipping under the radar by relying on legitimate authentication methods.

 

Groups like Scattered Spider, long associated with ransomware, are now cloud specialists. In 2023, they accounted for one in three cloud-targeted cases, showing how adversaries are refining their craft and abusing cloud services to maximise reach and impact.

 

To defend against cloud-savvy threat actors, organisations must study their motives, strategies and techniques as closely as the attackers study the cloud.

 

When attackers log in, not break in

In the cloud era, identity has become the perimeter. Attackers are less concerned with forcing entry and more intent on logging in with stolen credentials. Once inside, they can move quietly between services, escalate privileges and maintain access for weeks, all while appearing to be legitimate users. 

 

Identity compromise is difficult to detect precisely because it looks normal. Stolen credentials, tokens or API keys rarely raise alarms, and ephemeral credentials that refresh automatically make malicious use harder to trace. Over-permissive roles mean a single compromised account may unlock far more access than intended, while non-human identities such as API keys often lack multi-factor authentication entirely.

 

Attackers can also utilise alternate authentication paths, from rogue OAuth apps to device code flows, allowing them to persist even after a password reset.

 

The cloud needs more than box-ticking 

Regulations often trail behind real-world threats, meaning organisations that focus solely on “getting ahead” of compliance risk are overlooking real security gaps. Knowing the regulations you’re up against is important, but being compliant doesn’t automatically mean being secure, especially in a cloud environment.

 

Some might assume that built-in compliance tools provide protection. At best, they tick regulatory boxes. At worst, they create a false sense of safety. Too often, organisations attempt to replicate old, on-premise security models in the cloud, an approach that simply doesn’t fit. Traditional defences like firewalls and static access controls struggle to keep pace with the cloud’s dynamic, distributed architecture.

 

Similarly, a “lift and shift” migration, moving applications into the cloud without re-architecting them, can leave systems riddled with overly generous permissions and missing critical monitoring. The result is that in the rush to deploy, security becomes an afterthought, leaving vulnerabilities that attackers can exploit.

 

Building cloud security the right way

Securing cloud environments requires a proactive, cloud-native mindset. Cloud services generate massive amounts of telemetry data, but without proper collection and monitoring, this data is useless. Enabling native logging and tying it into a central monitoring system ensures suspicious behaviour can be spotted before it spirals into a breach.
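As an added illustration of the logging-and-monitoring point above (example code, not from the article or from NetSPI), the Python sketch below runs a few detection rules over constructed audit events covering the identity abuse patterns described earlier: device code sign-ins, consent to OAuth apps with sweeping scopes, and non-human identities authenticating without MFA. The event schema, the approved-app list and the service-account inventory are all assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed sample events in a simplified, assumed audit-log schema
# (not any cloud provider's real log format).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2025-03-01T08:02:10Z", "type": "signin", "user": "alice@example.com",
     "grant": "authorization_code", "mfa": True, "ip": "203.0.113.10"},
    {"ts": "2025-03-01T08:05:44Z", "type": "signin", "user": "alice@example.com",
     "grant": "device_code", "mfa": False, "ip": "198.51.100.7"},
    {"ts": "2025-03-01T08:06:01Z", "type": "consent", "user": "alice@example.com",
     "app": "Mail Helper", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"ts": "2025-03-01T09:12:30Z", "type": "signin", "user": "svc-backup",
     "grant": "client_credentials", "mfa": False, "ip": "192.0.2.55"},
    {"ts": "2025-03-01T09:40:12Z", "type": "signin", "user": "bob@example.com",
     "grant": "authorization_code", "mfa": True, "ip": "203.0.113.11"},
])

# Assumed tenant policy: apps allowed to hold broad scopes, scopes sweeping
# enough that an unexpected grant needs review, and known service identities.
APPROVED_APPS = {"Corporate Mail Client"}
BROAD_SCOPES = {"Mail.ReadWrite", "Mail.Read", "Files.ReadWrite.All", "Directory.ReadWrite.All"}
NON_HUMAN = {"svc-backup"}

def analyse(log_text):
    """Return findings as (rule, user, detail) tuples, in log order."""
    findings = []
    grants_by_user = defaultdict(set)
    for line in log_text.splitlines():
        ev = json.loads(line)
        user = ev["user"]
        if ev["type"] == "signin":
            grants_by_user[user].add(ev["grant"])
            # Device-code sign-ins are rare for ordinary users and bypass the usual browser flow.
            if ev["grant"] == "device_code":
                findings.append(("device_code_signin", user, ev["ip"]))
            # Service identities authenticate without MFA; they need rotation and close monitoring.
            if user in NON_HUMAN and not ev["mfa"]:
                findings.append(("non_human_no_mfa", user, ev["grant"]))
            # One account using more than one grant type in the window is worth a look.
            if len(grants_by_user[user]) > 1:
                findings.append(("mixed_grant_types", user, ",".join(sorted(grants_by_user[user]))))
        elif ev["type"] == "consent":
            broad = sorted(set(ev["scopes"]) & BROAD_SCOPES)
            if broad and ev["app"] not in APPROVED_APPS:
                findings.append(("broad_oauth_consent", user, f"{ev['app']}:{'+'.join(broad)}"))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Each rule on its own is only a signal; the value comes from having the native logs centralised so that the device code sign-in, the consent grant and the later mailbox access can be correlated for one account.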

 

Since identity is now the perimeter, it’s critical to secure it properly. Multi-factor authentication should be mandatory, especially for administrators. Centralising identity management with single sign-on or federated services helps ensure consistency across platforms. Sticking to standards like OAuth or SAML in multi-cloud environments simplifies user management and reduces risk.

 

Regular audits are equally vital. Cloud Security Posture Management (CSPM) tools are invaluable here, continuously scanning for misconfigurations, over-permissioned roles, and exposed assets. Regularly reviewing access controls, network settings, and storage permissions can significantly reduce your attack surface.

 

Finally, penetration testing offers cloud-focused assessments that explore vulnerabilities unique to the environment, such as privilege escalation paths, misused APIs and overly permissive services. When performed correctly, these exercises expose hidden weaknesses before real attackers find them.

 

Staying ahead 

Cloud adoption has redefined business operations, but adversaries are evolving in step. Groups like Midnight Blizzard and Scattered Spider illustrate how threat actors are refining their methods at pace, often outpacing traditional defensive measures. 

 

Defending against these threats requires more than repurposing old security models. Leaders need to build strategies grounded in attacker behaviour, treating identity as the frontline, preparing for cloud-specific attack paths and putting safeguards to the test through frequent, cloud-aware penetration exercises. When threaded into both design and day-to-day operations, penetration testing demonstrates whether protections are truly effective against the tactics attackers are using right now.

 


 

Nicholas Lynch is Principal Security Consultant at NetSPI

 

Main image courtesy of iStockPhoto.com and Vitalii Gulenok



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543