Cloud Adoption Increases 57% with Multi-Cloud Security Challenges Rising

New research commissioned by Qualys and conducted by Dark Reading sheds fresh light on the various ways information security professionals are coping — or struggling — with the challenges and nuances of safeguarding cloud and SaaS assets, including the measurement, communication, and elimination of cyber risk in the cloud.
Key findings from the research include:
Cloud adoption has become both ubiquitous and complex. A majority of organisations surveyed (57%) use two to three cloud service providers, and 58% have at least five corporate-wide SaaS applications deployed. To secure this intricate environment, most (60%) are required to manage and reconcile outputs from two or more separate cloud and SaaS security tools — a task they find both challenging and suboptimal.
For many professionals, sleepless nights are a reality. When asked about their biggest concerns, security defenders pointed to cost (54%), system reliability and performance (36%), and the limited availability of cloud-specific security staff skills (27%) as the primary issues surrounding cloud and SaaS environments.
Attacks remain relentless. The migration of data and applications to the cloud, alongside the adoption of SaaS, introduces a host of new risks. Enterprises are increasingly worried about threats such as account hijacking, phishing, ransomware and malware, data exfiltration, advanced persistent threats, and distributed denial-of-service (DDoS) attacks.
One common area of concern is configuration chaos. Both cloud (24%) and SaaS (33%) security concerns centre on misconfigurations. However, the level of concern often appears to fall short of the actual scope of the misconfiguration problem, which is a growing challenge in real-world scenarios.
Situational blindness is another issue. Few enterprises engage in ongoing or continuous assessments of their cloud and SaaS environments. Instead, security evaluations typically occur on a less frequent basis, ranging from quarterly (18% for cloud, 11% for SaaS) to yearly (25% cloud, 26% SaaS), or, in some cases, not at all.
Enterprises also have difficulty patching. Concerns over adversaries exploiting unpatched vulnerabilities in web applications (39%) and cloud environments (23%) are prevalent. Nearly 1 in 5 organisations report difficulty in applying security updates and patches, leaving them exposed to attacks due to exploitable vulnerabilities.
Finally, sluggish response times have become a pressing issue. Information security responders cite a lack of skilled workers (49%), limited visibility into cloud and hosted environments (46%), and the inherent complexity of cloud-centric incidents (46%) as their primary concerns.

“The data starkly highlights the real-world challenges defenders face when trying to adapt traditional security practices and methods — such as managing configurations and vulnerabilities, controlling access, and consolidating siloed security tools — into the defence of dynamic multi-cloud and multi-SaaS environments,” commented Shilpa Gite, Senior Manager, Cloud Security Compliance at Qualys. “This research emphasises the need for a comprehensive, unified, strategic approach to cloud and SaaS security, combining continuous scanning and vulnerability assessments, automated remediation efforts, AI-powered threat detection and response capabilities, and cross-platform risk prioritisation.”
To enhance their security posture, organisations should consider:
Implementing continuous monitoring and assessment: Organisations should move away from periodic assessments and adopt continuous security monitoring to detect and mitigate threats in real time. Continuous assessment allows for the timely identification of vulnerabilities, which often emerge due to regular updates and configuration changes in cloud and SaaS environments.
Adopting a unified security platform: Using a single, integrated security platform to manage all aspects of security across on-premises, cloud, and SaaS environments is crucial. A unified platform provides comprehensive visibility, streamlines security operations, and ensures consistent policy enforcement, thus reducing the risk of security gaps and inefficiencies.
Enhancing identity and access management (IAM): Proper IAM practices are essential for securing access to sensitive data and systems, especially in cloud and hosted environments. Organisations need robust IAM solutions that include multi-factor authentication, least-privilege access, and regular access reviews to prevent unauthorised access and minimise insider threats.
Leveraging automation for security processes: Automating key security processes — such as vulnerability scanning, patch management, configuration management, and incident response — significantly enhances operational efficiency and reduces the risk of human error. Automation particularly empowers under-resourced security teams, enabling them to swiftly address threats and maintain a proactive, mature security posture.
Investing in advanced threat detection and response capabilities: To counter sophisticated threats such as advanced persistent threats (APTs), ransomware, and next-generation malware, organisations should invest in AI-powered threat detection and response solutions. These advanced capabilities enable rapid detection and response to threats, helping minimise potential damage.