Cloud security is a defining challenge for organizations everywhere. No longer just a technical matter, it has become a boardroom issue that affects survival, resilience and growth.
In this edited Q&A, NTT DATA’s Patrick Schraut, Senior Vice President, Cybersecurity, and Renjith Philip, Global Cloud Security Lead, share their first-hand experiences with clients across industries. They discuss why misconfigurations and visibility gaps are so dangerous, what zero trust really means in hybrid environments, how to prepare for geopolitical risk and why cloud security is as much about enabling innovation as it is about protecting an organization.
What makes cloud security such a hot topic right now?
Every organization now uses the cloud in some way, whether or not they realize it. Some have fully embraced public cloud platforms, while others consume cloud services indirectly through third-party applications and software-as-a-service offerings. This ubiquity makes the cloud a primary target for attackers, who see it as the richest concentration of data and services.
The challenge is that while attack methods have evolved, many organizations are still relying on traditional, on-premises security processes and technologies. This creates a mismatch between how services are deployed and how they are defended. The result is an environment that is both business-critical and highly exposed. It’s why cloud security has risen to the top of every CISO’s agenda, where it will remain for the foreseeable future.
In the shared responsibility model, who ultimately owns cloud security?
There is sometimes a misconception that moving to the cloud means the provider takes on all aspects of security. In reality, the model is shared. Cloud providers secure the infrastructure — the data centers, the hardware and the base platform — but organizations remain responsible for how they configure and use the services.
This responsibility covers applications, user identities, access permissions and, most importantly, data. The provider protects the foundation, but the customer protects the way they build on top of it. Understanding this division of responsibility is fundamental. Organizations that neglect their side of this model risk leaving critical workloads unprotected, often without realizing it until it is too late.
What are the biggest pain points that organizations face in cloud security?
The two challenges that come up most frequently are misconfigurations and visibility gaps.
The cloud makes it extremely easy to spin up new resources (sometimes in seconds), bypassing the slow, structured processes that were common in traditional IT. This speed enables innovation but also creates blind spots for security teams. If a service is created without the security team’s knowledge, it cannot be monitored, hardened or patched. Attackers exploit these hidden services aggressively.
In parallel, misconfigurations are the single most common cause of breaches in the cloud. Something as simple as leaving a storage bucket public or misconfiguring an access-control list can lead to massive data exposure.
What causes cloud misconfigurations in practice?
Ease of use is both the cloud’s greatest advantage and its biggest weakness. A developer or engineer can provision a new server or database with just a few clicks. But if they are not trained in security, they may inadvertently create risky setups. For example, they might connect both internal and external interfaces on a server, creating an accidental bridge into sensitive systems.
In the past, deploying a service required multiple teams — procurement, system administrators and security — to sign off at each stage. That provided natural guardrails. Today, those steps can be bypassed entirely, which is why organizations so often see misconfigurations. The solution lies in a mix of training, clear policies and, above all, automated checks that catch errors before they go live.
How can teams quickly regain visibility across accounts and services?
This is where cloud security posture management (CSPM) tools are invaluable. Instead of relying on manual asset inventories, CSPM connects directly to your cloud accounts across providers such as Amazon Web Services, Microsoft Azure and Google Cloud. Within a few hours, you can get a complete, agentless overview of your estate.
This overview includes the types of services running, how they communicate, what ports are open and where known vulnerabilities exist. Some CSPM platforms also integrate remediation guidance or automation, helping you close gaps faster. For any security team struggling with “shadow IT” in the cloud, CSPM provides the foundation for visibility that they need.
What does zero trust security look like in a hybrid cloud model?
Zero trust security has become one of the most talked-about security models, but it is often misunderstood. Importantly, it’s not a product you can buy. It is a framework and a philosophy.
Traditional perimeter security was like a bank vault: Once you got inside, you often had free access to everything. Zero trust flips this assumption. Instead of trusting anyone inside the perimeter, it demands continuous validation at every stage — whether the request comes from a user, a device, a workload or an application. In hybrid environments that span on-premises data centers and multiple public clouds, zero trust provides the consistent, principle-driven approach that organizations need.
Can you give a simple explanation of zero trust?
At its core, zero trust can be summed up in one phrase: Trust nothing and no one, and verify everything. Every user must authenticate, and every device must be checked, every connection inspected and every access request validated against the principle of least privilege.
The model recognizes that breaches are inevitable. What matters is that when an attacker gains a foothold, they cannot move freely or escalate access. Zero trust makes lateral movement much harder, confining threats and protecting sensitive data even if one layer is breached.
Where should organizations start to reduce cloud risk fast?
The quickest win is visibility. You cannot protect what you cannot see. Mapping all assets and services across your environments is step one. Once you have that, the next priority is automation. Manual checks and responses are too slow for the speed of cloud.
Automated policy enforcement and remediation reduce the time between discovering a problem and fixing it. For example, an automated rule could close a public port or quarantine a misconfigured resource without waiting for human intervention. This combination — visibility plus automation — delivers immediate risk reduction and greater resilience.
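As an added illustration (not part of the interview and not NTT DATA code), the automated rule described above, which closes a public port or quarantines a misconfigured resource, can be sketched in Python together with a check for the public storage bucket mentioned earlier. The inventory schema, resource names and allowed-port policy are assumptions constructed for this example.

```python
import copy
import ipaddress

# Constructed inventory in a hypothetical schema (not any provider's API format).
INVENTORY = [
    {"id": "bucket-logs", "type": "bucket", "public": False},
    {"id": "bucket-exports", "type": "bucket", "public": True},
    {"id": "vm-web", "type": "vm", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "vm-db", "type": "vm", "ingress": [
        {"port": 5432, "cidr": "10.0.0.0/8"},
        {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "vm-batch", "type": "vm", "ingress": [
        {"port": 3389, "cidr": "::/0"},
        {"port": 22, "cidr": "203.0.113.0/24"}]},
]
ALLOWED_PUBLIC_PORTS = {443}  # assumed policy: only HTTPS may face the internet


def is_world_open(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def evaluate(inventory):
    """Return (resource_id, action, port) for every policy violation found."""
    plan = []
    for res in inventory:
        if res["type"] == "bucket" and res.get("public"):
            plan.append((res["id"], "quarantine", None))
        for rule in res.get("ingress", []):
            if is_world_open(rule["cidr"]) and rule["port"] not in ALLOWED_PUBLIC_PORTS:
                plan.append((res["id"], "close_port", rule["port"]))
    return plan


def remediate(inventory, plan):
    """Apply the plan to a copy; a real rule would call the provider's API instead."""
    fixed = {res["id"]: res for res in copy.deepcopy(inventory)}
    for res_id, action, port in plan:
        res = fixed[res_id]
        if action == "quarantine":
            res.update(public=False, quarantined=True)
        elif action == "close_port":
            # Drop only the world-open rule; scoped rules on the same port stay.
            res["ingress"] = [r for r in res["ingress"]
                              if not (r["port"] == port and is_world_open(r["cidr"]))]
    return list(fixed.values())


if __name__ == "__main__":
    plan = evaluate(INVENTORY)
    print(plan, evaluate(remediate(INVENTORY, plan)))
```

Re-running `evaluate` on the remediated copy is the verification step: an empty plan means the rule closed every finding without touching the scoped rules.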
What’s the best way to approach automation and a secure cloud posture?
Organizations often migrate to the cloud only once, then live with that design for years. Their initial choices set the tone for long-term security. Trying to build everything in-house can be risky if the team lacks experience.
The better approach is to combine internal expertise with external specialists who have done this many times before. Managed security service providers, for example, can help set up guardrails, enforce best practices and monitor continuously. The goal should be to reduce the mean time to detect threats and the mean time to restore services after an incident. Automation accelerates both, so that security keeps pace with your business.
How can organizations prepare for cloud disruptions caused by geopolitical events?
This is one of the hardest questions our clients raise today. If the concern were hardware or software failure, the answer would be simple: Use multiple cloud providers. But geopolitical risk often affects all the major hyperscalers in a region, which makes switching providers less effective.
The pragmatic response is to treat geopolitics as a risk to be managed. This means maintaining contingency plans, monitoring geopolitical developments closely and considering whether critical workloads should be kept on-premises or mirrored to smaller, local providers — even if those providers cannot match the functionality of the hyperscalers. It is about resilience and risk tolerance, rather than perfect solutions.
What does digital sovereignty mean in practice?
Many organizations assume that once data is in the cloud, it is automatically secure and backed up. However, most services do not include backups by default. Ensuring data availability remains the customer’s responsibility.
Digital sovereignty also involves legal and regulatory considerations. Data may be stored outside your jurisdiction, triggering compliance obligations. To address this, organizations should encrypt sensitive data and use bring-your-own-key (BYOK) models, so they — not the cloud provider — control access. Taken together, backups and BYOK encryption ensure you remain the true owner of your data.
How should teams design for portability and flexibility?
One of the cloud’s greatest benefits is its flexibility, but that is only true if you design for portability. If workloads are built to run only on a single provider’s services, you lose the ability to adapt.
Design applications so they can be redeployed elsewhere — whether to another cloud provider or back on-premises — without wholesale re-engineering. Open standards, containerization and modular architectures support this goal. Portability keeps your options open in the face of changing costs, risks or compliance requirements.
How can we simplify and consolidate the cloud security stack?
Cloud security tooling has proliferated. Many organizations now run multiple overlapping platforms: CSPM for visibility, cloud-native application protection platforms (CNAPP) for integrated defenses, and cloud infrastructure entitlement management (CIEM) for identity and least-privilege enforcement. Tool sprawl creates complexity and gaps.
Some vendors offer integrated suites, while others are best-of-breed in one area. The best strategy is to consolidate where possible, align tools with actual risks and use managed partners to cover gaps. Simplification reduces both cost and operational friction, making it easier for security teams to act decisively.
What are the biggest myths or mistakes you see in cloud security?
Two myths stand out again and again: First, that the cloud is secure by default, and second, that on-premises environments are inherently more secure. Both are misleading. Security is not a property of location — it depends on how systems are configured and operated.
Misconfigurations remain the single most common mistake. They are also the easiest to overlook, precisely because they are simple human errors. But their impact can be catastrophic, exposing sensitive data or opening doors to attackers. Correcting this myth is one of the most important awareness tasks for security leaders.
Why does cloud security matter to the business — and to innovation?
Cloud security is no longer just about ticking compliance boxes. Today, everything runs in the cloud: systems, data, even AI workloads. A major breach can take a business offline or erode customer trust beyond repair. In that sense, security is survival.
But security is also an enabler. Strong controls allow organizations to release new applications faster, adopt emerging technologies with confidence and enter markets securely. Security safeguards revenue and reputation while unlocking the agility that cloud is meant to deliver. It is not a brake on progress; rather, it is the seatbelt that makes progress safe.
Enable your business with a secure foundation
Cloud security is not optional — it lays the foundation for resilience and growth. You need visibility, automation and a zero trust mindset to stay ahead of attackers while preparing for risks that range from misconfigurations to geopolitics and embracing digital sovereignty to retain control of your data.
Most importantly, you must recognize security as both a survival imperative and a business enabler. This is what secure business enablement means in practice: Protecting your enterprise while empowering it to innovate.