Closing the Cloud Security Gap

Oct 09, 2025
6 minutes

Insights From the 2025 Unit 42 Global Incident Response Report

The main tenet of cloud security is simple: Apply the same rigorous cybersecurity best practices you use elsewhere.

But that’s easier said than done. Since the emergence of cloud technology, organizations have been working to secure it to varying degrees of success. There are a few factors that make cloud security uniquely challenging:

  • High level of reuse of cloud resources.
  • Complexity of cloud-native technologies, like containers and serverless architectures.
  • An expanding attack surface rife with misconfigurations.

Attackers are taking advantage. Our 2025 Global Incident Response Report (IR report) highlights this critical challenge. Nearly a third of the incidents Unit 42 investigated in 2024 were cloud-related. In 21% of cases, threat actors adversely impacted cloud environments and assets. Public data exposures and excessive permissions gave attackers, like Bling Libra and Muddled Libra, greater ability to cause damage.

Even with an abundance of cloud security tools in the market, organizations still struggle to apply cybersecurity best practices, like least privilege, zero trust and even patch hygiene. However, organizations can work toward closing the cloud security gap:

  • Understand the cloud’s shared responsibility model.
  • Achieve full visibility.
  • Improve identity and access management (IAM).
  • Create secure configurations.
  • Automate detection and response processes.

Understanding the Shared Responsibility Model

Every major cloud service provider (CSP) follows a shared responsibility model: the provider secures the physical data centers, the hardware and the services it operates, and you secure what you put on top of them, namely your data, identities and configurations. The exact division of responsibility depends on the type of service. If you create a virtual machine, you own the guest operating system, its patching and its network exposure, but not the physical hosts in the CSP’s data center. If you use the CSP’s managed services, the CSP takes on more of the stack, but your data, identities and access configuration remain yours.

Defenders should ensure clarity on which aspects of cloud security fall to their organization.

Visibility Is the First Line of Defense

The cloud on its own isn’t extraordinarily complex. What is complex is the resource sprawl across multiple environments.

Frontend services connect to backend services over internal load balancers or service meshes. You may have private link endpoints, transit gateways, VPN tunnels or direct connections to hybrid environments that you do not know about.

A firewall rule or security group change may open unintended access. A dev team may deploy containers using base images with known vulnerabilities. Old storage buckets with outdated access controls may be left behind long after a project retires.

Organizations need the ability to zoom out and map connections to create a holistic, dynamic view.

Prioritization Creates Efficiency

Just because you can see it all doesn’t mean you can fix it all.

Context is everything, and a single alert hardly ever tells the whole story. A login from an unexpected location may come from a traveling executive or from a malicious account takeover. A Critical CVE on a test system that is not exposed to the internet and holds no sensitive data may be a low priority, while a Medium alert on a domain controller could pose a far greater business risk.

Alert correlation and consolidation can unlock real-time, proactive defense.

Organizations should use AI and machine learning to assist with quickly gathering context, filtering noise and capturing the scope of a threat.
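The ranking logic the two examples above describe, written out as an added illustration (not Unit 42 or Palo Alto Networks code): each alert is scored from its reported severity, whether the asset is reachable from the internet, and how critical the asset is to the business. The weights, the tier scheme and the three sample alerts are constructed assumptions for the demonstration.

```python
"""Context-aware alert ranking.

Added example, not code from the original article. Severity alone is a
poor priority signal; exposure and asset criticality change the answer.
Weights, tiers and the sample alerts are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Base weight per reported severity (assumed scale).
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
# Assumed asset tiers: 1 = crown jewel (domain controller, prod database),
# 2 = ordinary production, 3 = disposable test or dev asset.
TIER_MULTIPLIER = {1: 3.0, 2: 1.5, 3: 0.5}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    asset: str
    severity: str           # severity as reported by the scanner or detector
    internet_exposed: bool  # reachable from outside, e.g. public IP or load balancer
    asset_tier: int         # 1 = most critical, 3 = least
    has_known_exploit: bool = False


def risk_score(alert: Alert) -> float:
    """Return a priority score; higher means handle sooner."""
    score = SEVERITY_WEIGHT[alert.severity.lower()]
    score *= TIER_MULTIPLIER[alert.asset_tier]
    # Exposure is the largest factor: an unreachable host cannot be hit directly.
    score *= 2.0 if alert.internet_exposed else 0.5
    if alert.has_known_exploit:
        score *= 1.5
    return round(score, 2)


def prioritize(alerts):
    """Return alerts ordered from most to least urgent."""
    return sorted(alerts, key=risk_score, reverse=True)


# Constructed sample alerts mirroring the scenarios in the text.
SAMPLE_ALERTS = [
    Alert("A-1", "test-vm-07", "critical", internet_exposed=False, asset_tier=3),
    Alert("A-2", "dc01", "medium", internet_exposed=False, asset_tier=1),
    Alert("A-3", "api-gw-prod", "high", internet_exposed=True, asset_tier=1,
          has_known_exploit=True),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_ALERTS):
        print(f"{a.alert_id} {a.asset:<14} {a.severity:<8} score={risk_score(a)}")
```

With these weights the Medium alert on the domain controller (A-2) outranks the Critical CVE on the isolated test box (A-1), which is the point of the text; the exposed, exploitable API gateway sits on top. The weights themselves are the least important part: what matters is that exposure and asset criticality are inputs at all.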

Identity Is the Perimeter

Our IR Report found that threat actors often used valid cloud accounts. They used them to further particular goals:

  • Initial access: 13% of cases
  • Privilege escalation: 8% of cases
  • Persistence: 7% of cases
  • Defense evasion: 7% of cases

Overpermissioned identities remain a top risk.

Organizations should follow best practices for IAM. These are Unit 42 recommendations:

  • Start with the principle of least privilege.
  • Audit and rotate credentials regularly.
  • Use cloud audit logs to detect lateral movement.
  • Avoid long-term IAM access keys; prefer short-lived credentials obtained through role assumption or workload identity federation. A leaked long-term key keeps working until someone notices and revokes it.
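Two of the recommendations above (spot long-term keys, use audit logs to detect lateral movement) can be checked directly against cloud audit events. The following is an added example, not Unit 42 or Palo Alto Networks code, run over constructed records shaped like AWS CloudTrail events (real events carry many more fields). It relies on two documented facts: long-term IAM access keys start with `AKIA` while temporary STS credentials start with `ASIA`, and an `AssumeRole` call records its target in `requestParameters.roleArn`. The account IDs, ARNs and key IDs are made up.

```python
"""Flag risky credential use in CloudTrail-style audit events.

Added example, not code from the original article. SAMPLE_EVENTS is a
constructed, trimmed-down imitation of AWS CloudTrail records.
Rules:
  long-term-key        a request signed with a long-term IAM key (AKIA prefix)
  cross-account-assume AssumeRole whose target role lives in another account
  role-chaining        an already-assumed role assuming yet another role
"""

SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/ci-deploy",
                      "accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/ci-deploy",
                      "accessKeyId": "AKIAEXAMPLE0000001"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/ReadOnly"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                      "arn": "arn:aws:sts::222222222222:assumed-role/ReadOnly/session1",
                      "accessKeyId": "ASIAEXAMPLE0000002"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/Admin"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Developer/alice",
                      "accessKeyId": "ASIAEXAMPLE0000003"}},
]


def account_from_arn(arn: str) -> str:
    """Extract the account ID from arn:partition:service:region:account:resource."""
    return arn.split(":")[4]


def analyze(events):
    """Return a list of findings, one dict per rule hit, in event order."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        principal = ident.get("arn", "<unknown>")
        key = ident.get("accessKeyId", "")

        if key.startswith("AKIA"):
            findings.append({"rule": "long-term-key", "principal": principal,
                             "detail": key, "time": ev.get("eventTime")})

        if ev.get("eventSource") == "sts.amazonaws.com" and ev.get("eventName") == "AssumeRole":
            target = ev.get("requestParameters", {}).get("roleArn", "")
            if target and account_from_arn(target) != ident.get("accountId"):
                findings.append({"rule": "cross-account-assume", "principal": principal,
                                 "detail": target, "time": ev.get("eventTime")})
            # A role that assumes another role is the classic hop-by-hop pattern
            # of lateral movement inside and across accounts.
            if ident.get("type") == "AssumedRole":
                findings.append({"rule": "role-chaining", "principal": principal,
                                 "detail": target, "time": ev.get("eventTime")})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['time']} {f['rule']:<22} {f['principal']} -> {f['detail']}")
```

None of these three patterns is malicious on its own; CI systems chain roles legitimately. Their value is as correlation inputs: a long-term key, used from a new source address, assuming a role in another account and then chaining to an admin role within minutes is the sequence worth paging on.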

Secure Configurations Are Not Optional

While CSPs ship sensible defaults for many services, those defaults need additional hardening to meet best practices, and customer-controlled settings drift over time. Common missteps include exposed cloud storage, unpatched container images and publicly accessible APIs.

If left unchanged, these missteps can turn into massive breaches, costing your business its data, revenue and reputation.

CSP-native tools can enforce a baseline, but a baseline is the floor, not the target. Regularly scan and benchmark your environment against published hardening standards, such as the Center for Internet Security (CIS) Benchmarks and the DISA Security Technical Implementation Guides (STIGs), for a comprehensive picture of where configurations have drifted.
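Exposed cloud storage, the first misstep listed above, is usually a bucket policy that grants access to the wildcard principal. The check below is an added example, not Unit 42 or Palo Alto Networks code: it walks an S3-style bucket policy and reports every Allow statement whose Principal is `*`, and shows a weak policy beside a corrected one. The bucket name, account ID and role name are made up; the policy grammar (Statement, Effect, Principal, Condition) is the standard AWS one.

```python
"""Find wildcard-principal grants in an S3-style bucket policy.

Added example, not code from the original article. WEAK_POLICY and
HARDENED_POLICY are constructed for illustration; bucket, account and
role names are placeholders.
"""
import json

# Grants read to anyone on the internet: the "exposed cloud storage" misstep.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-logs-bucket",
                 "arn:aws:s3:::example-logs-bucket/*"]
  }]
}""")

# Same access, scoped to one role, plus a deny for cleartext transport.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LogReaderOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111111111111:role/LogReader"},
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-logs-bucket",
                   "arn:aws:s3:::example-logs-bucket/*"]
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-logs-bucket",
                   "arn:aws:s3:::example-logs-bucket/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}""")


def _principals(principal):
    """Normalize the Principal element to a flat list of principal strings."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():          # e.g. {"AWS": [...]} or {"Service": "..."}
        out.extend(value if isinstance(value, list) else [value])
    return out


def public_statements(policy):
    """Return (Sid, has_condition) for each Allow statement open to everyone.

    A Deny with Principal "*" is fine and is skipped. An Allow with a Condition
    is still reported, flagged True, because conditions such as aws:SourceVpce
    may or may not narrow it enough; a human should read it.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # single statement is legal JSON here
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt.get("Principal", {})):
            hits.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return hits


if __name__ == "__main__":
    print("weak:    ", public_statements(WEAK_POLICY))
    print("hardened:", public_statements(HARDENED_POLICY))
```

Run this over every bucket policy an account returns and the output is a worklist rather than a dashboard. A policy check alone does not prove a bucket is private: object ACLs and account-level block-public-access settings also decide exposure, so treat this as one input to a benchmark, not the whole benchmark.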

Automate Detection and Response

Intrusions are faster than they used to be, driven by automation, AI and readily available attacker toolkits. In nearly 20% of Unit 42 investigations, data exfiltration took place within the first hour of compromise. Teams must become capable of responding at machine speed.

That’s tough to achieve in the cloud. Organizations operate a plethora of cloud-based SaaS tools, as well as multicloud environments. That presents a wide variety of log formats and APIs, and some third-party logs may be inaccessible. Identity misuse, like privilege escalation and lateral movement through API calls, is harder to spot than malware being deployed on a server. With DevOps teams spinning up and decommissioning resources, an incident may be indistinguishable from a misconfigured deployment without strong baselines.
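The last sentence above is the crux: without a baseline of what each identity normally does, a compromised deployment role looks like any other busy deployment role. The following is an added example, not Unit 42 or Palo Alto Networks code, of the simplest useful baseline: record the (service, API action) pairs each principal called during a training window, then flag any call in the detection window that the principal has never made before, with severity raised for a small set of actions that commonly precede persistence or exfiltration. The events are constructed in a CloudTrail-like shape; the cutoff, the principals and the high-risk action list are assumptions.

```python
"""Baseline-and-deviation detection over cloud audit events.

Added example, not code from the original article. Events are constructed,
CloudTrail-like records; CUTOFF splits them into a training window (before)
and a detection window (after). HIGH_RISK_ACTIONS is an assumed short list.
"""
from collections import defaultdict
from datetime import datetime, timezone

CUTOFF = datetime(2024, 5, 8, tzinfo=timezone.utc)

# First-time use of these by any identity is worth an immediate look.
HIGH_RISK_ACTIONS = {
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "CreateUser"),
    ("s3.amazonaws.com", "PutBucketPolicy"),
    ("ec2.amazonaws.com", "ModifySnapshotAttribute"),
}

DEPLOY = "arn:aws:sts::111111111111:assumed-role/deploy-role/ci"
ALICE = "arn:aws:sts::111111111111:assumed-role/Developer/alice"


def _ev(ts, principal, source, name):
    return {"eventTime": ts, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": principal}}


# Constructed history: a week of normal activity, then one busy morning.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00Z", DEPLOY, "ecr.amazonaws.com", "GetAuthorizationToken"),
    _ev("2024-05-01T09:01:00Z", DEPLOY, "ecs.amazonaws.com", "UpdateService"),
    _ev("2024-05-03T09:00:00Z", DEPLOY, "ecs.amazonaws.com", "UpdateService"),
    _ev("2024-05-04T14:10:00Z", ALICE, "ec2.amazonaws.com", "DescribeInstances"),
    _ev("2024-05-08T09:00:00Z", DEPLOY, "ecs.amazonaws.com", "UpdateService"),
    _ev("2024-05-08T09:02:00Z", DEPLOY, "iam.amazonaws.com", "CreateAccessKey"),
    _ev("2024-05-08T09:03:00Z", DEPLOY, "s3.amazonaws.com", "ListBuckets"),
    _ev("2024-05-08T10:00:00Z", ALICE, "ec2.amazonaws.com", "DescribeInstances"),
]


def parse_time(ts: str) -> datetime:
    # CloudTrail timestamps end in "Z"; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def action_of(ev):
    return (ev["eventSource"], ev["eventName"])


def build_baseline(events, cutoff=CUTOFF):
    """Map each principal ARN to the set of actions it took before the cutoff."""
    baseline = defaultdict(set)
    for ev in events:
        if parse_time(ev["eventTime"]) < cutoff:
            baseline[ev["userIdentity"]["arn"]].add(action_of(ev))
    return baseline


def detect_deviations(events, baseline, cutoff=CUTOFF):
    """Flag post-cutoff calls a principal never made during the baseline."""
    findings = []
    for ev in events:
        if parse_time(ev["eventTime"]) < cutoff:
            continue
        principal = ev["userIdentity"]["arn"]
        action = action_of(ev)
        if action in baseline.get(principal, set()):
            continue
        findings.append({
            "time": ev["eventTime"],
            "principal": principal,
            "action": f"{action[0]}:{action[1]}",
            "severity": "high" if action in HIGH_RISK_ACTIONS else "low",
        })
    return findings


if __name__ == "__main__":
    for f in detect_deviations(SAMPLE_EVENTS, build_baseline(SAMPLE_EVENTS)):
        print(f"{f['time']} [{f['severity']}] {f['principal']} {f['action']}")
```

The deployment role's usual `UpdateService` call passes silently; its first-ever `CreateAccessKey` is a high-severity finding and the novel `ListBuckets` a low one. In a real environment the baseline must be rebuilt as DevOps adds resources, which is why the text stresses strong baselines rather than static rules: the question is not "is this action bad" but "has this identity ever done this before".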

Cloud Security Is a Continuous Discipline

Securing the business means securing the cloud. At Palo Alto Networks, we’ve designed our tools and services to provide exceptional defense that speaks to the highly dynamic realities of cloud environments.

Here’s how Palo Alto Networks can help you start securing your cloud:

  • Cortex Cloud® offers full-coverage agentless visibility across every cloud layer: infrastructure, compute, code, identity, data and AI. This enables security teams to understand what's actively running in their cloud without disrupting business operations or slowing down application development. Cortex Cloud integrates cloud posture capabilities, like cloud security posture management, AI security posture management, Cloud Infrastructure Entitlement Management (CIEM), data security posture management and vulnerability management, into a single data platform that reduces risk noise and enables swift, scalable remediation.
  • When integrated with a SOC platform, like Cortex XSIAM, Cortex Cloud brings cloud assets into the same unified visibility, control and response framework that protects everything else in your environment.

For a deep dive on the latest threat research and tips on how defenders can turn the table, download the full 2025 Global Incident Response Report.

FAQs for the Cloud Security Gap

  • What makes cloud security uniquely challenging?
    Cloud security is challenging due to the high level of reuse of cloud resources, the complexity of cloud-native technologies, like containers and serverless architectures, and an expanding attack surface rife with misconfigurations.
  • How are attackers exploiting cloud vulnerabilities?
    Attackers are taking advantage of vulnerabilities, with nearly a third of incidents in 2024 being cloud-related. They use public data exposures and excessive permissions to impact cloud environments and assets, as highlighted in the 2025 Global Incident Response Report. Threat actors often use valid cloud accounts for many reasons: initial access, privilege escalation, persistence, defense evasion.
  • What steps can organizations take to close the cloud security gap?
    Organizations can close the cloud security gap by understanding the cloud’s shared responsibility model, achieving full visibility across environments, improving identity and access management (IAM) through least privilege and short-lived credentials, creating and benchmarking secure configurations, and automating detection and response processes to match the speed of intrusions.
