# Closing the Cloud Security Gap

By [Margaret Kelley](https://www.paloaltonetworks.com/blog/author/margaret-kelley/?ts=markdown "Posts by Margaret Kelley") | Oct 09, 2025 | 6 minutes

[Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown) | [Reports](https://www.paloaltonetworks.com/blog/category/reports/?ts=markdown) | [Unit 42](https://unit42-dev2.paloaltonetworks.com) | [Cloud Security](https://www.paloaltonetworks.com/blog/tag/cloud-security/?ts=markdown) | [Global Incident Response Report](https://www.paloaltonetworks.com/blog/tag/global-incident-response-report/?ts=markdown)

## Insights From the 2025 Unit 42 Global Incident Response Report

The main tenet of cloud security is simple: apply the same rigorous cybersecurity best practices you use elsewhere. But that's easier said than done.
Since the emergence of cloud technology, organizations have been working to secure it with varying degrees of success. A few factors make cloud security uniquely challenging:

* High level of reuse of cloud resources.
* Complexity of cloud-native technologies, like containers and serverless architectures.
* An expanding attack surface rife with misconfigurations.

Attackers are taking advantage. Our [2025 Global Incident Response Report](https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report) (IR report) highlights this critical challenge. Nearly a third of the incidents Unit 42 investigated in 2024 were cloud-related. In 21% of cases, threat actors adversely impacted cloud environments and assets. Public data exposures and excessive permissions gave attackers, like [Bling Libra](https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/) and [Muddled Libra](https://unit42.paloaltonetworks.com/muddled-libra/), greater ability to cause damage.

Even with an abundance of cloud security tools on the market, organizations still struggle to apply cybersecurity best practices, like least privilege, zero trust and even patch hygiene. However, organizations can work toward closing the cloud security gap:

* Understand the cloud's shared responsibility model.
* Achieve full visibility.
* Improve identity and access management (IAM).
* Create secure configurations.
* Automate detection and response processes.

## **Understanding the Shared Responsibility Model**

Every major cloud service provider (CSP) follows a shared responsibility model. You secure your data, identities and configurations, while your provider secures the underlying hardware. The exact division of responsibility depends on the type of service provided. If you create a virtual machine, you're responsible for the infrastructure but not the physical hardware in the CSP's data center.
If you use the CSP's managed services, the CSP takes greater responsibility for the digital infrastructure. Defenders should ensure clarity on which aspects of cloud security fall to their organization.

## **Visibility Is the First Line of Defense**

The cloud on its own isn't extraordinarily complex. What is complex is the resource sprawl across multiple environments. Frontend services connect to backend services over internal load balancers or service meshes. You may have private link endpoints, transit gateways, VPN tunnels or direct connections to hybrid environments that you do not know about. A firewall rule or security group change may open unintended access. A dev team may deploy containers using base images with known vulnerabilities. Old storage buckets with outdated access controls may be left behind long after a project retires. Organizations need the ability to zoom out and map connections to create a holistic, dynamic view.

## **Prioritization Creates Efficiency**

Just because you can see it all doesn't mean you can fix it all. Context is everything, and a single alert hardly ever tells the whole story. A login from an unexpected location may come from a traveling executive or from a malicious account takeover. A Critical CVE may exist on a nonexposed test system and therefore doesn't matter, while a Medium alert on a domain controller could pose a more significant business risk. Alert correlation and consolidation can unlock real-time, proactive defense. Organizations should use AI and machine learning to assist with quickly gathering context, filtering noise and capturing the scope of a threat.

## **Identity Is the Perimeter**

Our IR report found that threat actors often used valid cloud accounts to further particular goals:

* Initial access: 13% of cases
* Privilege escalation: 8% of cases
* Persistence: 7% of cases
* Defense evasion: 7% of cases

Overpermissioned identities remain a top risk.
Organizations should follow best practices for IAM. These are Unit 42's recommendations:

* Start with the principle of least privilege.
* Audit and rotate credentials regularly.
* Use cloud audit logs to detect lateral movement.
* [Avoid long-term IAM access keys](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/), as attackers can easily exploit them if the credentials leak.

## **Secure Configurations Are Not Optional**

While CSPs provide various default security configurations, these need additional work to meet best practices. Common configuration missteps include exposed cloud storage, unpatched container images and publicly accessible APIs. If left unchanged, these missteps can turn into massive breaches, costing your business its data, revenue and reputation. CSP-specific tools can enforce baseline security standards, but few businesses are dealing with baseline attacks. Regularly scan and benchmark your security against frameworks like the Center for Internet Security ([CIS](https://www.cisecurity.org/controls/cis-controls-list)) controls and the Security Technical Implementation Guides ([STIGs](https://www.cyber.mil/stigs/)) for a comprehensive picture of the environment.

## **Automate Detection and Response**

Powered by automation, AI and hacker toolkits, intrusions now move faster than ever. In nearly 20% of Unit 42 investigations, data exfiltration took place within the first hour of compromise. Teams must become capable of responding at machine speed.

That's tough to achieve in the cloud. Organizations operate a plethora of cloud-based SaaS tools as well as multicloud environments, which presents a wide variety of log formats and APIs, and some third-party logs may be inaccessible. Identity misuse, like privilege escalation and lateral movement through API calls, is harder to spot than malware being deployed on a server.
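To make the identity-misuse point above and the IAM recommendations concrete, here is an added example (not from the report or from Palo Alto Networks) that scans constructed, CloudTrail-style audit events: it flags API calls made with long-term access keys, keys overdue for rotation, and chains of cross-account role assumption. The event field names, key IDs, account numbers and the 90-day rotation window are all assumptions.

```python
"""Audit constructed cloud audit-log events for the identity misuse the text describes:
long-term access keys in use, keys overdue for rotation, and cross-account role
assumption chains (lateral movement through API calls). Added example, not from the report."""
from datetime import datetime, timedelta, timezone


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


NOW = datetime(2025, 10, 9, tzinfo=timezone.utc)  # assumed "current" time for the key-age check

# Constructed events, loosely modelled on CloudTrail records (field names are assumptions).
EVENTS = [
    {"time": "2025-10-01T10:00:00Z", "account": "111111111111", "principal": "user/dev-ci",
     "key_id": "AKIACONSTRUCTEDKEY01", "action": "s3:ListBuckets", "target_account": None},
    {"time": "2025-10-01T10:02:00Z", "account": "111111111111", "principal": "user/dev-ci",
     "key_id": "AKIACONSTRUCTEDKEY01", "action": "sts:AssumeRole", "target_account": "222222222222"},
    {"time": "2025-10-01T10:03:00Z", "account": "222222222222", "principal": "role/Deploy",
     "key_id": "ASIACONSTRUCTEDTMP02", "action": "sts:AssumeRole", "target_account": "333333333333"},
    {"time": "2025-10-01T10:04:00Z", "account": "333333333333", "principal": "role/Backup",
     "key_id": "ASIACONSTRUCTEDTMP03", "action": "s3:GetObject", "target_account": None},
    {"time": "2025-10-01T11:00:00Z", "account": "111111111111", "principal": "user/alice",
     "key_id": "ASIACONSTRUCTEDTMP04", "action": "sts:AssumeRole", "target_account": "111111111111"},
]

# Constructed access-key inventory (the kind of data an IAM key listing returns per user).
KEYS = [
    {"key_id": "AKIACONSTRUCTEDKEY01", "owner": "user/dev-ci", "created": "2024-11-15T00:00:00Z"},
    {"key_id": "AKIACONSTRUCTEDKEY05", "owner": "user/bob", "created": "2025-09-20T00:00:00Z"},
]


def is_long_term_key(key_id):
    """AWS long-term IAM user keys start with AKIA; STS temporary credentials start with ASIA."""
    return key_id.startswith("AKIA")


def long_term_key_usage(events):
    """Principals still calling APIs with long-term keys, the thing the text says to avoid."""
    return sorted({(e["principal"], e["key_id"]) for e in events if is_long_term_key(e["key_id"])})


def stale_keys(keys, now=NOW, max_age_days=90):
    """Keys older than the rotation window (90 days is an assumed policy, not from the report)."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["key_id"] for k in keys if parse_time(k["created"]) < cutoff]


def cross_account_hops(events):
    """AssumeRole calls whose target account differs from the account the call came from."""
    return [e for e in events
            if e["action"] == "sts:AssumeRole" and e["target_account"] not in (None, e["account"])]


def assume_role_chains(events, window=timedelta(minutes=15)):
    """Link hops into chains: the next hop must start from the account the previous hop landed
    in, within `window`. Returns each chain as the list of accounts traversed; two or more
    hops in one chain is the cross-account lateral-movement pattern worth triaging."""
    chains = []
    for hop in sorted(cross_account_hops(events), key=lambda e: e["time"]):
        t = parse_time(hop["time"])
        for chain in chains:
            last = chain[-1]
            if last["target_account"] == hop["account"] and t - parse_time(last["time"]) <= window:
                chain.append(hop)
                break
        else:
            chains.append([hop])
    return [[c[0]["account"]] + [h["target_account"] for h in c] for c in chains]


if __name__ == "__main__":
    print("long-term keys in use:", long_term_key_usage(EVENTS))
    print("keys overdue for rotation:", stale_keys(KEYS))
    print("cross-account role chains:", assume_role_chains(EVENTS))
```

The same-account AssumeRole by `user/alice` is deliberately ignored, so only the dev-ci hop into the second account and the onward hop into the third are linked into one chain.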
With DevOps teams spinning up and decommissioning resources, an incident may be indistinguishable from a misconfigured deployment without strong baselines.

## **Cloud Security Is a Continuous Discipline**

Securing the business means securing the cloud. At Palo Alto Networks, we've designed our tools and services to provide exceptional defense that speaks to the highly dynamic realities of cloud environments. Here's how Palo Alto Networks can help you [start securing your cloud](https://www.paloaltonetworks.com/resources/ebooks/six-key-requirements-of-multicloud-security):

* [Cortex Cloud®](https://www.paloaltonetworks.com/cortex/cloud) offers full-coverage agentless visibility across every cloud layer: infrastructure, compute, code identity, data, AI. This enables security teams to understand what's actively running in their cloud without disrupting business operations or slowing down application development. Cortex Cloud integrates cloud posture capabilities, like cloud security posture management, AI security posture management, Cloud Infrastructure Entitlement Management (CIEM), data security posture management and vulnerability management, into a single data platform that reduces risk noise and enables swift, scalable remediation.
* When integrated with a SOC platform, like Cortex XSIAM, Cortex Cloud brings cloud assets into the same unified visibility, control and response framework that protects everything else in your environment.

For a deep dive on the latest threat research and tips on how defenders can turn the tables, download the full [2025 Global Incident Response Report](https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report).
### FAQs for the Cloud Security Gap

* **What makes cloud security uniquely challenging?** Cloud security is challenging due to the high level of reuse of cloud resources, the complexity of cloud-native technologies, like containers and serverless architectures, and an expanding attack surface rife with misconfigurations.
* **How are attackers exploiting cloud vulnerabilities?** Attackers are taking advantage of vulnerabilities, with nearly a third of incidents in 2024 being cloud-related. They use public data exposures and excessive permissions to impact cloud environments and assets, as highlighted in the 2025 Global Incident Response Report. Threat actors often use valid cloud accounts for many reasons: initial access, privilege escalation, persistence, defense evasion.
* **What steps can organizations take to close the cloud security gap?** Organizations can close the cloud security gap by understanding the cloud's shared responsibility model to achieve full visibility across environments. They can also improve identity and access management (IAM) by following least privilege principles, creating secure configurations, and automating detection and response processes to match the speed of intrusions.