Cloud services, infrastructure and applications are the primary subjects of cyberattacks, amidst the increasing presence of cloud environments in organisations, according to the 2024 Thales Cloud Security Study.

“The scalability and flexibility that the cloud offers is highly compelling for organisations, so it’s no surprise it is central to their security strategies,” Thales’s senior vice president for cloud protection and licensing activities Sebastien Cano said in a statement. “However, as the cloud attack surface expands, organisations must get a firm grasp on the data they have stored in the cloud, the keys they’re using to encrypt it, and the ability to have complete visibility into who is accessing the data and how it is being used.”

“It is vital to solve these challenges now, especially as data sovereignty and privacy have emerged as top concerns in this year’s research,” Cano said.

The annual assessment of cloud security threats and trends details that among the targeted cloud resources, 31% are SaaS applications, 30% are cloud storage and 26% are cloud management infrastructure. 

“As a result, protecting cloud environments has risen at the top security ahead of all other security disciplines,” the report says.

The Thales study is based on surveys with almost 3000 IT and security professionals across 18 countries in 37 industries. 

Human errors are an important factor in security breaches

The impact of human errors, misconfiguration, or mistaken interactions with the cloud – including unintended actions – are cited as “leading contributors” to breaches and other cyber incidents. 

“Infrastructure and technology aren’t the only aspects of cloud environments exposed to risk. Technology, after all, exists to serve people — which means that the interaction of people with technology, and the degree to which human action can compromise technology, is a factor in cybersecurity,” the report says. 

And this observation is all the more relevant when considering data breaches in the cloud, the study shows. Among the respondents who reported a cloud data breach, 31% said the “root cause” was human error. 

Other highly ranking factors include external attackers (cyber criminals, hacktivists and nation-state actors) as well as malicious insiders.

Focus spending on modern cloud security

The report states that among respondents, the top category for security spending is investing in cloud security.

While the study emphasises the importance of this focus, it also notes that spendings are often used in ways that are not particularly compatible with modern cloud security. “While 24% of respondents prioritise cloud security measures as effective, other, more traditional (and arguably better-known) categories such as workforce IAM (30%) and endpoint security (31%) were chosen more frequently,” the report says.

“Modern cloud security tools and techniques are increasingly implemented by developer and operator teams that often work together as ‘DevOps’ organisations. Solutions such as secrets management and authorisation are directly used by developers with potentially less oversight by central security teams.”

Encrypt cloud data

One of the main concerns expressed by Thales’s study is the consistently low rate of encrypted sensitive data in the cloud. The report says that although 47% of cloud data is “sensitive”, encryption rates “remain stubbornly low with less than 10% of enterprises claiming they have encrypted 80% or more of their cloud data.”

According to Thales, protecting data stored on the cloud – and especially sensitive data – is an issue that concerns even the most highly secured and protected environments. Considering the growing scale and diversity of cloud resources – but also of cyberattacks – “if organisations maintain the same levels and types of control, they are effectively falling behind,” the report says.

“The complexity of encryption management may be a contributing factor,” according to the findings. “As new cloud environments are added, organisations must be able to centralise their key management capabilities rather than create new ones that must be managed independently. This level of complexity also raises the risk of human error.”