Skip to main content Tech Radar Pro Tech Radar Gaming Tech Radar Pro TechRadar the business technology experts Search TechRadar View Profile België (Nederlands) Deutschland North America US (English) Australasia New Zealand Expert Insights Website builders Web hosting World Password Day Best website builder Best web hosting Best office chairs Expert Insights How to defend your cloud environments: 7 major rules Andrey Leskin A guide to securing cloud environments effectively When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works. (Image credit: Shutterstock) In 2024, the adoption of cloud computing by organizations has reached remarkable levels, with around 94% of companies now utilizing cloud-based services, according to Rightscale’s report. However, cloud solutions bring significant security challenges, as they rely on shared resources and connectivity, making them susceptible to data breaches, misconfigurations, and account hijacking. Let’s explore essential rules that can help minimize these risks and protect cloud environments effectively. Cloud infrastructure offers organizations an average savings of 40% on physical space and reduced operational expenses. Furthermore, these environments enable faster time-to-market and improve overall business agility. Over half of organizations have stated that cloud adoption has accelerated their product and service delivery, allowing them to respond more promptly to customer needs. Security is another major reason for businesses to migrate to the cloud. Approximately 60% of business executives believe that cloud computing enhances their security posture, particularly as it enables automated updates and reduces the risks of human error. You may like How the hybrid work boom reshapes corporate security 5 questions for SMBs to reveal hidden security threats The digital bedrock of a business holds the key to innovation with intelligence Andrey Leskin Social Links Navigation CTO of Qrator Labs. The common threats to cloud environments Despite all the advantages, there are still some risks associated with cloud computing. For instance, last year, MITRE, a U.S.-based non-profit organization renowned for its work in technology and defense research, experienced a significant cloud security incident. In April 2024, attackers exploited two zero-day vulnerabilities in Ivanti’s Connect Secure VPN, gaining unauthorized access to MITRE’s Networked Experimentation, Research, and Virtualization Environment platform. This breach resulted in the exposure of sensitive research data, including technical findings, development methodologies, and simulation results related to cybersecurity frameworks MITRE ATT&CK® and CALDER, which are widely used by government agencies and private organizations. It is unlikely that national security data was directly compromised. Subsequent investigation revealed that the incident was perpetrated by a foreign nation-state threat actor. The successful breach was attributed to unpatched software and compromised devices, which provided the attackers with unauthorized access to sensitive areas within the cloud environment. Another major cloud security incident in 2024 involved the popular project management tool Trello. In January, the company experienced a data breach, compromising 15 million user accounts. Hackers utilized a public API to connect an existing database of email addresses with Trello account information, which included usernames, full names, and other details. Overall, according to the 2024 Cloud security report by Check Point Software, 61% of organizations experienced at least one security incident related to public cloud use in 2024 - a significant increase compared to the 24% figure in 2023. Out of these incidents, 21% resulted in data breaches. Among other common vulnerabilities in cloud environments are misconfigurations, which can lead to the exposure of sensitive data if not promptly addressed, and insider threats, where employees or contractors inadvertently or maliciously compromise cloud security. Additionally, companies often struggle to keep pace with the rapid proliferation of cloud solutions, and a lack of staff skills to operate in the cloud environment becomes a significant security threat in itself. Ways to protect your cloud Luckily, businesses that rely heavily on cloud infrastructure can avoid such devastating attacks. The key is to follow seven essential rules. Each of them provides a specific approach to securing a critical aspect of the cloud environment, from access management and data encryption to monitoring and employee training. They complement each other and contribute to a well-rounded cloud security posture. Rule 1: continuously monitor and log all cloud activities In 2024, according to SailPoint, around 83% of organizations reported that continuous monitoring helped them catch security incidents early, preventing potential data leaks and system compromises​. Effective network monitoring helps identify threats such as unauthorized access, data exfiltration, and misconfigurations that might expose sensitive data. By continuously tracking activities and analyzing logs, organizations can quickly pinpoint unusual behaviors, such as access attempts from unknown locations, unusual data transfers, or unauthorized use of privileged accounts. Rule 2: implement strong identity and access management (IAM) policies Effective IAM ensures that only authorized users have access to specific cloud resources. A key component of these policies is multi-factor authentication, which requires users to verify their identity through two or more authentication methods, such as a password and a one-time code sent to a mobile device. This ensures that potential attackers would need more than just a password to gain entry. Role-based access control (RBAC) is another critical IAM strategy, assigning permissions based on user roles within an organization. For example, an employee in the finance department might have access to financial records but be restricted from viewing IT infrastructure details. With RBAC, users are given the minimum level of access required for their roles, significantly reducing the risk of misuse of sensitive data. Rule 3: encrypt data in transit and at rest It's important to encrypt data both when it's being transmitted (in transit) and when it's stored (at rest). This ensures that even if attackers intercept or access the data, it remains unreadable without the correct decryption keys. To implement encryption effectively in your cloud environment, you should use both transport layer encryption (like transport layer security, TLS) for data in transit and disk encryption for data at rest. Many cloud providers offer built-in encryption tools that facilitate these practices. Rule 4: regularly update and patch cloud resources Cloud environments, like any other IT infrastructure, are susceptible to vulnerabilities as software ages or new exploits are discovered. When systems remain unpatched, they become easy targets for attackers who often scan for outdated software and exploit known vulnerabilities. A recent study found that approximately 60% of cloud breaches could be attributed to unpatched or misconfigured systems. Regular updates help protect cloud resources from these risks by addressing known issues before attackers can take advantage of them. Cloud platforms typically make it easy to set up automated backups for persistent resources like databases or virtual machines. These backups ensure that, even in the event of a major attack or human error, data can be recovered without significant disruption. Rule 5: use data retention policies To protect against malicious attacks, such as ransomware, it’s essential to establish policies that prevent the immediate deletion of resources in the cloud. Many cloud providers offer this feature, allowing you to configure a delay period. This ensures that even if an attacker gains access to your account and attempts to delete critical resources, those resources won't be removed right away. For instance, with a 30-day delay, a resource marked for deletion would remain recoverable for that entire period. This delay provides two key advantages: it allows time to detect and respond to unauthorized actions, and it gives you the opportunity to restore data before it is permanently lost. If your cloud provider does not offer this safeguard, it may be worth reconsidering whether they meet your security needs. Rule 6: keep your costs down In the event of a DDoS attack, cloud infrastructure can manage the surge in traffic by automatically scaling resources. However, this scaling can rapidly increase costs, potentially putting a strain on the company’s finances. To avoid these unexpected expenses, ensure that your cloud provider offers strong DDoS protection and mitigation options. These measures can help absorb and filter attack traffic, minimizing the impact without leading to excessive resource scaling. If your provider’s built-in protections are inadequate, consider using third-party DDoS mitigation tools. This approach will help safeguard both your systems and your budget during an attack. Rule 7: train employees on cloud security awareness According to the Ponemon Institute, 82% of data breaches are caused by staff mistakes, such as clicking on phishing links, using weak passwords, or falling for social engineering attacks. To prevent these issues, it's essential to invest in ongoing, thorough security training programs. In fact, companies with comprehensive training programs can save an average of $2.66 million per breach. What these programs might include? Phishing simulations that help employees identify suspicious emails and avoid disclosing sensitive information. Additionally, providing cloud-specific security training, which focuses on secure data handling, password management, and understanding cloud-specific threats, ensures that employees are well-prepared to handle security challenges effectively. We've compiled a list of the best identity management software. This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro Are you a pro? Subscribe to our newsletter Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsorsBy submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over. Andrey Leskin Social Links Navigation CTO of Qrator Labs. You must confirm your public display name before commenting Please logout and then login again, you will then be prompted to enter your display name. How the hybrid work boom reshapes corporate security 5 questions for SMBs to reveal hidden security threats The digital bedrock of a business holds the key to innovation with intelligence Building a resilient workforce security strategy Sovereign Cloud: redefining the future of secure digital innovation What businesses need for modern third-party risk management Latest in Pro US DOD wants right-to-repair provisions in Army contracts to access tools, software, and technical data without IP constraints I went hands-on with the world’s smartest rugby ball, but did it make me a better player? Hacker pleads guilty to illegally accessing Disney Slack channels and stealing huge tranche of data Three massive UK retailers have been hit by cyber attacks this week – so what's going on? Microsoft is making all new accounts passwordless by default How businesses can take advantage of the AI agent boom Latest in Opinion I tested two mid-range Dolby Atmos soundbars side-by-side, and the battle for your money has never been more competitive MacBooks are now legitimate gaming machines – and the future looks promising How businesses can take advantage of the AI agent boom From novelty to normality: how AI is defining work in 2025 How DeepSeek's open source AI strategy is shaping the future of model distillation Embracing the ‘Emotional Hype Cycle’ allows enterprises to adopt Gen AI responsibly LATEST ARTICLES iStorage's PIN-authenticated 26TB desktop drive is built for companies who fear data breaches I went hands-on with the world’s smartest rugby ball, but did it make me a better player? This odd-looking hair dryer is cheap and powerful, but ultimately disappointing Lenovo's rival to Apple's Mac Studio gets one of Intel's fastest CPUs and a dedicated GeForce RTX 5060 TI GPU After cheap 5K monitors, JapanNext just launched an almost-square monitor with more than 7 million pixels TechRadar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site. Contact Future's experts Terms and conditions Privacy policy Cookies policy Advertise with us Web notifications Accessibility Statement Future US, Inc. Full 7th Floor, 130 West 42nd Street, Please login or signup to comment Please wait...