Cloud security hampered by complexity, skills gap & weak identity
New research from Tenable and the Cloud Security Alliance indicates ongoing challenges in basic cloud security practices among organisations globally.
The State of Cloud and AI Security 2025 report is based on a survey of more than 1,000 IT and security professionals around the world, including respondents in Australia. It examines how organisations are adjusting their strategies to address risk in multi-layered cloud and artificial intelligence-driven environments.
Cloud complexity
The report highlights the increasing complexity of the current IT landscape. According to the findings, 82% of organisations now operate hybrid environments, while 63% use multiple cloud service providers. This trend towards multi-cloud and hybrid deployment requires unified security visibility and the consistent application of security policies. Despite this, many organisations lack comprehensive controls, resulting in fragmented security and areas that may be vulnerable to attack.
This fragmentation not only increases management challenges but also creates blind spots that can be exploited by threat actors. The report notes that managing this complexity is a persistent issue for organisations as their adoption of cloud services accelerates.
Identity as a risk area
Identity management has emerged as the most pressing area of concern. The research found that 59% of organisations identified insecure identities and permissions as their greatest cloud risk. However, reported incidents suggest that many fail to address or mitigate this risk effectively. Data covering breaches shows that the primary causes are related to poor identity management: excessive permissions account for 31% of the breach incidents analysed, inconsistent access controls for 27%, and weak identity hygiene for 27%.
These figures suggest a broader problem with how identity is governed in the enterprise. Rather than isolated technical errors, the issue appears to be a systemic problem stemming from weak governance structures and insufficient alignment on security practices related to identity and access management.
Expertise gap
The report also sheds light on a significant expertise gap within organisations. Thirty-four percent of those surveyed stated that a lack of expertise is the single largest challenge they face in managing cloud security. This perceived skills shortage leads to further problems, including unclear security strategies - reported by 39% - and inadequate executive understanding of cloud security risks, which nearly a third (31%) of respondents identified as an issue.
With insufficient expertise, organisations are less able to implement robust security policies and develop a strong governance framework. The lack of alignment with leadership, as highlighted in the findings, can restrict access to budget and resources needed to adequately protect business operations.
Views from Tenable
"Identity has become the cloud's weakest link, but it's being managed with inconsistent controls and dangerous permissions," said Liat Hayun, VP of Product and Research at Tenable. "This isn't just a technical oversight; it's a systemic governance failure, compounded by a persistent expertise gap that stalls progress from the server room to the boardroom. Until organisations get back to basics, achieving unified visibility and enforcing rigorous identity governance, they will continue to be outmanoeuvred by attackers."
According to the report, until organisations can implement unified visibility across their cloud environments and enforce more rigorous identity governance, many will remain vulnerable to increasingly sophisticated cyber threats. The research suggests that bridging the skills gap and fostering greater alignment between technical teams and business leadership are key to improving cloud security outcomes.