82% of data breaches now involve cloud assets. Yet most IT teams are still operating under a set of assumptions about cloud security that haven't been true for years.
Ask any IT leader if their cloud environment is secure, and you'll get a confident yes. Ask them to walk you through who owns security for each layer of their infrastructure — their SaaS applications, their IaaS environments, their third-party integrations, their employees' personal devices accessing corporate cloud apps — and the confidence often starts to waver.
That gap between assumed security and actual security is where breaches happen. And in 2025, they're happening at a pace that should make every IT and security leader uncomfortable. Cloud-related incidents now account for 82% of all enterprise data breaches, a number that has climbed steadily for five straight years. The problem isn't the cloud itself — it's how organizations think about securing it.
Here are the five gaps that consistently show up during cloud security audits — and what to actually do about each of them.
82% of enterprise data breaches involve cloud environments or assets
99% of cloud security failures through 2025 will be the customer's fault, not the provider's (Gartner)
$4.1M average cost of a cloud-related data breach in 2024, up 13% year over year
First, let's settle the shared responsibility debate
The root cause of most cloud security failures isn't sophisticated hacking. It's a misunderstanding — often a well-intentioned one — about who is actually responsible for what.
Every major cloud provider operates under a shared responsibility model. AWS, Azure, and Google Cloud are responsible for the security of the cloud — the physical infrastructure, the hypervisors, the global network. You are responsible for security in the cloud — your data, your identities, your applications, your configurations, your access controls. Where exactly the line sits depends on the service model: with IaaS you also own the guest operating system, patching, and network configuration; with SaaS the provider runs the application and you are left with the data, the identities, and the tenant settings.
That sounds straightforward. But in practice, the line blurs quickly. An S3 bucket left publicly accessible isn't Amazon's security failure — it's yours. A Microsoft Entra ID (formerly Azure Active Directory) tenant with weak sign-in policies that lets accounts be taken over isn't Microsoft's problem — it's yours. A SaaS platform where employees are sharing login credentials because your IT team never enforced SSO? Still yours.
"The cloud provider secures the building. You're responsible for locking your own office, managing your own keys, and making sure your employees don't leave confidential files in the lobby."
The five gaps that put organizations at real risk
Gap 01
Misconfiguration — the leading cause of cloud breaches nobody wants to talk about
Cloud misconfiguration is responsible for the majority of cloud-related incidents — not sophisticated zero-day exploits, not nation-state actors. Simple mistakes. Storage buckets open to the public internet. Overly permissive IAM roles. Security groups that allow unrestricted inbound traffic. Default passwords that never got changed.
What makes this particularly painful is that these misconfigurations often sit undetected for months. A study by Palo Alto Networks found that the average organization has misconfigured cloud assets that have been exposed for over 25 days before detection. In that window, sensitive data — customer records, financial information, employee PII — can be exfiltrated quietly, with no alarms triggered.
What to do: Implement a Cloud Security Posture Management (CSPM) tool. These platforms continuously scan your cloud environment for misconfigurations, benchmark against the CIS Benchmarks and frameworks such as SOC 2 and PCI DSS, and alert you in near real time. Leading options include Wiz, Prisma Cloud, and Microsoft Defender for Cloud. Scanning should be continuous; the review of findings should happen at least quarterly, and every finding needs an owner and a tracked time-to-fix, otherwise the tool just produces a longer backlog.
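The three misconfigurations named above (public storage, wildcard IAM grants, internet-open security groups) are exactly the kind of check a CSPM runs. The following is an added example written for this page, not code from the page or from any CSPM vendor. It runs the checks over a hand-built snapshot whose dicts mirror the shape of AWS API responses; the bucket names, role names, account ID, and CIDRs are constructed and refer to nothing real.

```python
"""Added example: CSPM-style checks over a constructed snapshot of cloud resources.
The dicts mirror the shape of AWS API responses (S3 bucket policies, IAM role
policies, EC2 security-group ingress rules) but were built for this page; the
names, the account ID and the CIDRs are made up."""

# Constructed sample inventory -------------------------------------------------
BUCKET_POLICIES = {
    "public-assets": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::public-assets/*"}]},
    "customer-exports": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::customer-exports",
                      "arn:aws:s3:::customer-exports/*"]}]},
    "finance-backups": {"Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::finance-backups/*"}]},
}
IAM_ROLE_POLICIES = {
    "ci-deployer": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "reporting-reader": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::reports/*"}]},
}
SECURITY_GROUPS = {
    "sg-web": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-db": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
               "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-bastion": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                    "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when a statement grants access to everyone ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_buckets(policies):
    """Buckets with an unconditional Allow to an anonymous principal.
    Statements carrying a Condition (e.g. aws:SourceVpce) are left for manual review."""
    public = []
    for name, policy in policies.items():
        for stmt in policy.get("Statement", []):
            if (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                    and _is_anonymous(stmt.get("Principal"))):
                public.append(name)
                break
    return public


def wildcard_admin_roles(role_policies):
    """Roles with an Allow of Action '*' on Resource '*': full administrator in disguise."""
    admins = []
    for role, policy in role_policies.items():
        for stmt in policy.get("Statement", []):
            if (stmt.get("Effect") == "Allow"
                    and "*" in _as_list(stmt.get("Action"))
                    and "*" in _as_list(stmt.get("Resource"))):
                admins.append(role)
                break
    return admins


def open_ingress(groups, allowed_public_ports=frozenset({80, 443})):
    """Ingress rules reachable from the whole internet on anything but the
    allow-listed web ports. Returns (group, protocol, from_port, to_port, cidr)."""
    findings = []
    for name, rules in groups.items():
        for rule in rules:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in ("0.0.0.0/0", "::/0"):
                    continue
                proto = rule.get("IpProtocol")
                lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
                all_ports = proto == "-1" or lo == -1      # "-1" means every protocol/port
                if all_ports or any(p not in allowed_public_ports for p in range(lo, hi + 1)):
                    findings.append((name, proto, lo, hi, cidr))
    return findings


def run_audit():
    """Collect every finding as (severity, resource, detail)."""
    findings = [("HIGH", f"s3://{b}", "bucket policy grants anonymous access")
                for b in public_buckets(BUCKET_POLICIES)]
    findings += [("HIGH", f"iam-role/{r}", "Allow Action * on Resource * equals administrator")
                 for r in wildcard_admin_roles(IAM_ROLE_POLICIES)]
    findings += [("HIGH", g, f"{proto} {lo}-{hi} open to {cidr}")
                 for g, proto, lo, hi, cidr in open_ingress(SECURITY_GROUPS)]
    return findings


if __name__ == "__main__":
    for sev, res, detail in run_audit():
        print(f"[{sev}] {res}: {detail}")
```

Note that `public-assets` is flagged even though it may be intentionally public: the checklist later on this page says to flag every bucket with public access, and the decision to accept that exposure should be an explicit, documented exception rather than something the scanner silently skips.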
Gap 02
Shadow IT — the cloud sprawl your security team doesn't know exists
The average enterprise organization uses over 1,000 cloud applications. The average IT team knows about fewer than 100 of them. The rest? Shadow IT — SaaS tools, cloud storage services, and collaboration platforms that employees have adopted without formal approval, security review, or any visibility from the IT department.
Dropbox shared folders containing customer contracts. ChatGPT processing confidential business information. Free project management tools storing employee data. Each one of these represents a potential data exposure you have no controls around, no audit trail for, and no ability to shut down quickly if something goes wrong.
What to do: Deploy a Cloud Access Security Broker (CASB) to discover, monitor, and control cloud application usage across your organization. Combine this with clear acceptable use policies and a fast-track IT approval process for new tools, since shadow IT usually appears when the official approval path is too slow to be worth using.
Cloud environments introduce security responsibilities that traditional on-premises frameworks were never designed to handle
Gap 03
Identity sprawl — too many access points, too little oversight
Every SaaS application has its own identity store. Every cloud platform has its own IAM system. Every vendor integration creates new service accounts with associated permissions. Multiply this across a multi-cloud, multi-SaaS environment and you quickly have hundreds or thousands of identities — human and non-human — with various levels of access to your most sensitive systems.
The problem isn't just the volume. It's the lifecycle management. Former employees whose accounts weren't deprovisioned from every system. Service accounts with administrator-level permissions that were created for a project two years ago and never reviewed. Contractors with access that was never time-limited.
What to do: Implement Identity Governance and Administration (IGA) tooling to get a centralized view of all identities and their entitlements, and tie deprovisioning to the HR system of record so that an offboarding event removes access everywhere, not just in the directory. Establish quarterly access reviews as a non-negotiable process that covers service accounts and contractor accounts, not only employees. And enforce the principle of least privilege — not as a policy statement, but as a technically enforced reality: scoped roles, time-bound elevation for admin work, and automatic disabling of credentials that have gone unused.
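The lifecycle failures listed above (accounts that outlive the employee, contractors whose access was never time-limited, privileged service accounts nobody has reviewed) are mechanical to find once the per-system account exports and the HR roster are side by side. The following is an added example for this page, not the page's own code or any IGA product's logic. The inventory, HR roster, contract dates, and the fixed "today" are constructed.

```python
"""Added example: identity lifecycle review over a constructed inventory.
ACCOUNTS and SERVICE_ACCOUNTS stand in for exports from each system's admin API
(Okta, AWS IAM, GitHub, Salesforce); HR_ACTIVE and CONTRACT_END stand in for the
HR system of record. Every name, system and date here is made up."""
from datetime import date

TODAY = date(2025, 6, 30)                    # fixed so the example is reproducible
HR_ACTIVE = {"alice", "bob", "carol"}        # employees HR lists as current
CONTRACT_END = {"dave": date(2025, 3, 31)}   # contractor engagement end dates

ACCOUNTS = [  # one row per (system, human account); constructed
    {"system": "okta", "user": "alice", "last_login": date(2025, 6, 29), "admin": True},
    {"system": "okta", "user": "erin", "last_login": date(2025, 1, 10), "admin": False},
    {"system": "aws-iam", "user": "erin", "last_login": date(2025, 2, 2), "admin": True},
    {"system": "aws-iam", "user": "bob", "last_login": date(2025, 2, 1), "admin": False},
    {"system": "github", "user": "dave", "last_login": date(2025, 6, 1), "admin": False},
    {"system": "salesforce", "user": "carol", "last_login": date(2025, 6, 20), "admin": False},
]
SERVICE_ACCOUNTS = [  # non-human identities; constructed
    {"system": "aws-iam", "name": "svc-migration-2023", "owner": "erin", "admin": True,
     "created": date(2023, 5, 1), "last_used": None, "last_review": None},
    {"system": "github", "name": "svc-ci", "owner": "bob", "admin": False,
     "created": date(2024, 9, 1), "last_used": date(2025, 6, 29),
     "last_review": date(2025, 4, 1)},
]


def review_human_accounts(accounts, hr_active, contract_end, today, stale_days=90):
    """Findings as (system, user, reason) for accounts that should not be active:
    owner gone from HR, contractor past end date, or no sign-in for stale_days."""
    findings = []
    for a in accounts:
        system, user = a["system"], a["user"]
        if user in contract_end:
            if contract_end[user] < today:
                findings.append((system, user, f"contract ended {contract_end[user]}; remove access"))
        elif user not in hr_active:
            findings.append((system, user, "no active HR record; deprovision"))
        idle = (today - a["last_login"]).days
        if idle > stale_days:
            findings.append((system, user, f"no sign-in for {idle} days; disable"))
    return findings


def review_service_accounts(service_accounts, hr_active, today,
                            stale_days=90, review_days=90):
    """Findings for non-human identities: orphaned owner, unused, or privileged
    without a recent review. Each condition is reported separately."""
    findings = []
    for s in service_accounts:
        system, name = s["system"], s["name"]
        if s["owner"] not in hr_active:
            findings.append((system, name, f"owner {s['owner']} has left; reassign or delete"))
        if s["last_used"] is None or (today - s["last_used"]).days > stale_days:
            findings.append((system, name, f"unused for {stale_days}+ days; disable"))
        if s["admin"] and (s["last_review"] is None
                           or (today - s["last_review"]).days > review_days):
            findings.append((system, name, "privileged and not reviewed this cycle"))
    return findings


def identity_review(today=TODAY):
    """The combined quarterly review output for the constructed inventory."""
    return (review_human_accounts(ACCOUNTS, HR_ACTIVE, CONTRACT_END, today)
            + review_service_accounts(SERVICE_ACCOUNTS, HR_ACTIVE, today))


if __name__ == "__main__":
    for system, who, reason in identity_review():
        print(f"{system:11} {who:20} {reason}")
```

The join on the HR roster is the part most organizations skip: a "last login 30 days ago" report looks healthy for an account whose owner left last month, and only the roster reveals that nobody should be logging in at all.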
Gap 04
Data classification — protecting everything equally means protecting nothing adequately
Most organizations that have moved to the cloud haven't gone through the foundational exercise of understanding what data they actually have, where it lives, and how sensitive it is. As a result, their cloud security posture treats a publicly available marketing PDF with the same level of concern as a database of customer payment information — or worse, treats the database with less scrutiny because it's "in the cloud" and therefore assumed to be secure.
Data that isn't classified can't be properly protected. You can't apply the right encryption policies, retention rules, or access controls to data you haven't categorized.
What to do: Conduct a cloud data inventory and implement a data classification framework (typically: public, internal, confidential, restricted), with each tier mapped to concrete controls such as who may access it, which encryption keys protect it, and how long it is retained. Anything not yet classified should default to internal, never to public. Modern Data Security Posture Management (DSPM) tools can automate much of this discovery and classification process across cloud environments.
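A worked illustration of the classification step, as an added example written for this page and not taken from the page or from any DSPM product: a small content scanner assigns each object to one of the four tiers above and reports the controls that tier demands. The detectors (a Luhn-checked card-number pattern, an SSN pattern, an e-mail pattern, and an explicit public marker), the control mapping, and the sample objects are all choices made for this example.

```python
"""Added example: DSPM-style classification of constructed sample objects into
public / internal / confidential / restricted, with the controls each tier
requires. Patterns, tier rules and control text are illustrative, not a product's."""
import re

LEVELS = ["public", "internal", "confidential", "restricted"]
REQUIRED_CONTROLS = {
    "public": "integrity protection only; no access restriction",
    "internal": "authenticated staff only; provider-managed encryption at rest",
    "confidential": "need-to-know groups; encryption at rest and in transit; access logging",
    "restricted": "named roles with MFA; customer-managed keys; 90-day access review; "
                  "external sharing blocked",
}
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")       # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PUBLIC_MARK = re.compile(r"CLASSIFICATION:\s*PUBLIC", re.I)


def luhn_ok(candidate):
    """Luhn checksum; filters reference numbers that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect(text):
    """Return the set of detector names that fired on this text."""
    found = set()
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(text)):
        found.add("card-number")
    if SSN_RE.search(text):
        found.add("ssn")
    if EMAIL_RE.search(text):
        found.add("email")
    if PUBLIC_MARK.search(text):
        found.add("public-marker")
    return found


def classify(text):
    """Highest applicable tier. Payment or national-ID data is restricted whatever
    the document claims; an explicit public marker may carry a contact address;
    otherwise a personal e-mail makes it confidential; unlabelled data is internal."""
    found = detect(text)
    if found & {"card-number", "ssn"}:
        return "restricted"
    if "public-marker" in found:
        return "public"
    if "email" in found:
        return "confidential"
    return "internal"


# Constructed sample objects, standing in for files discovered in cloud storage.
SAMPLE_OBJECTS = {
    "brochure.pdf": "Product brochure, contact sales@example.com. CLASSIFICATION: PUBLIC",
    "roadmap.docx": "Q3 roadmap draft, reference number 1234 5678 9012 3456, do not distribute",
    "ticket-4417.txt": "Support ticket from jane.doe@example.com about login issues",
    "orders.csv": "order,card\n8812,4111 1111 1111 1111",
    "applicant.json": '{"name": "J. Roe", "ssn": "123-45-6789"}',
}


def inventory(objects):
    """Map each object name to (tier, required controls, detectors that fired)."""
    report = {}
    for name, text in objects.items():
        tier = classify(text)
        report[name] = (tier, REQUIRED_CONTROLS[tier], sorted(detect(text)))
    return report


if __name__ == "__main__":
    for name, (tier, controls, hits) in inventory(SAMPLE_OBJECTS).items():
        print(f"{name:16} {tier:13} {hits}  ->  {controls}")
```

The `roadmap.docx` case is the reason for the Luhn check: a 16-digit reference number would otherwise be misfiled as payment data, and a classifier that cries wolf gets switched off.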
Gap 05
Incident response — a plan built for on-premise doesn't work in the cloud
Many organizations' incident response playbooks were written when their infrastructure was physical and local. They assume you can physically isolate a compromised machine, pull a network cable, or rebuild a server from backup. Cloud environments don't work that way: the equivalent moves are revoking a credential, rewriting a security group, snapshotting a volume for forensics, and isolating a workload through the provider's API, and all of them have to be pre-authorized and scripted before the incident, not improvised during it. Incidents move faster, scale differently, and require cloud-native response capabilities that most traditional IR plans don't account for.
In a cloud breach, minutes matter. Automated attacker tooling can enumerate permissions, establish persistence, and begin exfiltrating data within minutes of gaining initial access. If your response plan requires a manual escalation chain that takes two hours to kick off containment, the damage is already done.
What to do: Develop cloud-specific incident response runbooks for your most likely scenarios — compromised IAM credentials, publicly exposed storage, unauthorized API access. Each runbook should name who is authorized to revoke keys, roles, and sessions, and the audit logs it depends on must be retained long enough and protected from deletion by the very credentials that might be compromised. Invest in cloud detection and response (CDR) tooling and run tabletop exercises against cloud-specific attack scenarios at least twice a year.
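The enumerate-then-persist sequence described two paragraphs up is the signal the "compromised IAM credentials" runbook should trigger on. Below is an added example written for this page, not code from the page or from any CDR product: a detector run over constructed CloudTrail-style records, plus the first containment commands a runbook would issue. The records use real CloudTrail field names, but the key ID, user names, IPs, and timestamps are made up; the lists of recon and persistence API calls are a starting point, not an exhaustive catalogue.

```python
"""Added example: detection for the 'compromised IAM credentials' runbook, run over
constructed CloudTrail-style records. Field names follow CloudTrail; the account,
key ID, user names, IP addresses and timestamps are made up for this page."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Calls an attacker makes to learn what a stolen key can do ...
RECON = {"GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles",
         "GetAccountAuthorizationDetails", "ListSecrets", "DescribeInstances"}
# ... and calls that give them a second way in once they know.
PERSISTENCE = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
               "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy"}


def _rec(t, name, ip, user, key):
    """Build one constructed CloudTrail-shaped JSON line (subset of the real fields)."""
    return json.dumps({"eventTime": t, "eventName": name, "sourceIPAddress": ip,
                       "userIdentity": {"type": "IAMUser", "userName": user,
                                        "accessKeyId": key}})


CI_KEY = "AKIAEXAMPLE0000001"   # constructed key of the CI user "ci-deploy"
SAMPLE_EVENTS = [               # constructed log: normal CI use, then the same key abused
    _rec("2025-06-30T01:00:02Z", "GetCallerIdentity", "203.0.113.10", "ci-deploy", CI_KEY),
    _rec("2025-06-30T01:00:05Z", "PutObject", "203.0.113.10", "ci-deploy", CI_KEY),
    _rec("2025-06-30T02:14:05Z", "GetCallerIdentity", "198.51.100.7", "ci-deploy", CI_KEY),
    _rec("2025-06-30T02:14:09Z", "ListBuckets", "198.51.100.7", "ci-deploy", CI_KEY),
    _rec("2025-06-30T02:14:12Z", "ListUsers", "198.51.100.7", "ci-deploy", CI_KEY),
    _rec("2025-06-30T02:14:20Z", "GetAccountAuthorizationDetails", "198.51.100.7", "ci-deploy", CI_KEY),
    _rec("2025-06-30T02:15:01Z", "CreateUser", "198.51.100.7", "ci-deploy", CI_KEY),
    _rec("2025-06-30T02:15:04Z", "AttachUserPolicy", "198.51.100.7", "ci-deploy", CI_KEY),
    _rec("2025-06-30T09:30:00Z", "ListUsers", "203.0.113.25", "alice", "ASIAEXAMPLE0000002"),
]


def parse_events(lines):
    """Parse JSON lines into dicts keyed by the access key that made the call."""
    events = []
    for line in lines:
        e = json.loads(line)
        ident = e.get("userIdentity", {})
        events.append({"time": datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
                       "name": e["eventName"], "ip": e.get("sourceIPAddress", ""),
                       "key": ident.get("accessKeyId", "?"),
                       "user": ident.get("userName", "?")})
    return sorted(events, key=lambda e: e["time"])


def detect_credential_abuse(lines, known_ips, window=timedelta(minutes=15), min_recon=3):
    """Alert when one access key makes >= min_recon distinct recon calls and then a
    persistence call inside `window`. Any source IP outside known_ips raises severity."""
    by_key = defaultdict(list)
    for e in parse_events(lines):
        by_key[e["key"]].append(e)
    alerts = []
    for key, evs in by_key.items():
        for i, e in enumerate(evs):
            if e["name"] not in PERSISTENCE:
                continue
            recent = [p for p in evs[:i] if e["time"] - p["time"] <= window]
            recon_seen = {p["name"] for p in recent if p["name"] in RECON}
            if len(recon_seen) >= min_recon:
                ips = {p["ip"] for p in recent} | {e["ip"]}
                unknown = sorted(ips - set(known_ips))
                alerts.append({"key": key, "user": e["user"], "at": e["time"],
                               "persistence": e["name"], "recon": sorted(recon_seen),
                               "unknown_ips": unknown,
                               "severity": "CRITICAL" if unknown else "HIGH"})
                break   # one alert per key is enough to start the runbook
    return alerts


def containment_commands(alert):
    """First runbook steps as AWS CLI calls: deactivate the key (reversible if the
    alert is wrong), then list what the user still holds for the next step."""
    return [f"aws iam update-access-key --user-name {alert['user']} "
            f"--access-key-id {alert['key']} --status Inactive",
            f"aws iam list-access-keys --user-name {alert['user']}"]


if __name__ == "__main__":
    for a in detect_credential_abuse(SAMPLE_EVENTS, known_ips={"203.0.113.10", "203.0.113.25"}):
        print(f"[{a['severity']}] key {a['key']} ({a['user']}) ran {a['persistence']} at {a['at']} "
              f"after recon {a['recon']} from unknown IPs {a['unknown_ips']}")
        print("\n".join(containment_commands(a)))
```

Two design points carry over to a real deployment. The time window keeps the legitimate CI run at 01:00 out of the 02:14 cluster, so the alert is about the behaviour, not the identity. And the containment step deactivates rather than deletes the key: deactivation stops the attacker immediately, is reversible if the alert was a false positive, and preserves the key ID for the investigation.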
The quick-win checklist before you tackle the bigger projects
Cloud security: immediate actions that reduce your risk today
Audit all cloud storage permissions — flag any bucket or blob with public access
Enable MFA on every cloud console account, especially those with admin rights
Review IAM roles and permissions — remove any that haven't been used in 90+ days
Run a cloud discovery scan to identify what SaaS applications your organization is actually using
Check for former employees who still have active cloud accounts in any system
Enable cloud-native audit logging (AWS CloudTrail, the Azure activity log via Azure Monitor, Cloud Audit Logs on Google Cloud) if not already active, and send it somewhere the workload's own credentials cannot delete it
Verify encryption is enabled at rest and in transit for all critical data stores
Why "we use a reputable cloud provider" isn't a security strategy
AWS, Azure, and Google Cloud have world-class security teams and infrastructure. That's not the question. The question is what you've built on top of that infrastructure, who has access to it, how you've configured it, and what you're doing to monitor it.
A penthouse apartment in a building with excellent security still gets burglarized if the tenant leaves the door unlocked. The building's security is not a substitute for your own.
Cloud security in 2025 is less about the technology choices you make and more about the discipline with which you manage what you've deployed. Visibility, governance, and continuous monitoring are the difference between organizations that experience cloud incidents and those that don't.
Key Takeaway
Start with visibility — you can't secure what you can't see
The common thread across every cloud security gap is a lack of visibility. Organizations that have invested in cloud visibility tooling — CSPM, CASB, IGA, and centralized logging — consistently demonstrate better security outcomes than those relying on manual processes and assumed compliance. Before you invest in any new cloud security technology, ask: does this help me see what's actually happening in my environment?
The regulatory pressure is about to get much more intense
For organizations in regulated industries, cloud security gaps aren't just a technical risk — they're a compliance liability. The SEC's cybersecurity disclosure rules now require public companies to report a cybersecurity incident within four business days of determining that it is material. SOC 2 auditors are increasingly examining cloud configuration management as a core control area. And the EU's DORA regulation, which has applied since January 2025, imposes strict cloud security and resilience requirements on financial services firms operating in Europe.
The direction of travel is clear: regulators are treating cloud security gaps as organizational failures, not technical incidents. The documentation you have (or don't have) about how you manage cloud security will matter enormously in an audit or a breach investigation.
Where to focus your next 90 days
If you're going to prioritize, here's the sequence that consistently delivers the best risk reduction for the investment: visibility first (deploy CSPM and enable comprehensive logging), then identity governance (get control of who has access to what), then data classification (understand what you're actually protecting), then shadow IT (discover and manage your true cloud footprint).
You don't fix cloud security in a quarter. But you can dramatically reduce your exposure in 90 days if you're intentional about where you start.
"The organizations that get cloud security right aren't necessarily the ones with the biggest budgets. They're the ones that stopped assuming and started verifying."