Google report warns identity is weak link in cloud
Cyber attackers are shifting how they target cloud environments, increasingly focusing on identity compromise, misconfigurations, and the abuse of artificial intelligence services, according to a new Google Cloud report.
The Cloud Threat Horizons Report H1 2026 was produced by Google Cloud's Office of the CISO with input from the Google Threat Intelligence Group, Mandiant consulting teams, and other security researchers. It outlines how threat actors are adapting as more organisations move applications and data into public cloud services.
A central finding is a move away from traditional malware as the main route into cloud systems. Instead, attackers are relying on legitimate credentials, cloud-native tooling, and standard interfaces such as APIs. This approach reduces obvious indicators for defenders and can make suspicious activity look like routine administration.
Identity perimeter
Identity is presented as a leading cloud security issue. Compromised credentials, over-privileged service accounts, and weak identity governance are common entry points for cloud breaches. Once inside, attackers can move between resources using legitimate cloud tools and APIs.
Earlier Google Cloud research identified weak or absent credentials and configuration errors as major drivers of cloud incidents. The new report maintains that focus and places identity protection at the centre of cloud security strategy.
This shift is becoming more important as organisations expand their use of automation, integrations, and machine identities across hybrid and multi-cloud estates. More service-to-service connections and automated workflows increase the number of identities that must be managed, monitored, and reviewed.
Configuration gaps
Misconfigurations and exposed services remain a persistent weakness in cloud environments. They can provide initial access or enable privilege escalation. The report links this risk to growing architectural complexity as enterprises adopt multiple platforms, managed services, and development pipelines.
Security teams must track large numbers of settings, permissions, and network exposures across accounts and projects. Small errors can open paths for attackers. The report frames this as a recurring security hygiene challenge rather than a niche technical issue.
The research also notes that many attacks now abuse legitimate services or administrative features rather than deploying custom malware. This can allow attackers to stay quieter while pursuing goals such as data theft, ransomware deployment, or service disruption.
AI services targeted
The report highlights growing attacker interest in cloud-hosted AI and machine learning services. As organisations deploy AI tools across business functions, threat actors are exploring ways to exploit those services as part of broader attack chains.
Compromised AI resources can create new risks, including data theft and model manipulation. The report also warns that attackers may use AI resources for further malicious activity, including automated phishing campaigns and malware development.
The findings reflect a wider expectation among security analysts that AI will play a larger role in cyber operations. The report suggests attackers could use the technology to increase the scale, speed, and sophistication of their activity.
Cloud as cover
Attackers are not only targeting cloud environments; they are also using legitimate cloud infrastructure to run parts of their operations. The report says cybercriminals and nation-state groups use cloud services to host malware, operate command-and-control systems, and stage attacks.
Operating inside well-known cloud platforms can make malicious traffic appear more trustworthy and reduce the effectiveness of older security approaches that rely on blocking unfamiliar infrastructure. The report calls on organisations to monitor both their own cloud estates and the cloud-hosted infrastructure used by adversaries.
Defensive priorities
The report recommends prioritising identity controls, continuous monitoring, and stronger cloud security hygiene. It calls for least-privilege access, improved credential management, and regular configuration audits, as well as better visibility across cloud workloads as environments expand.
Threat intelligence and automated security operations also feature in the recommendations. Integrating intelligence and automation into cloud environments, it argues, can improve detection and speed up response.
As organisations continue migrating critical workloads into cloud services, the report describes cloud security as a strategic priority that must evolve as attacker tactics change.