The unseen risks of cloud storage for businesses

Sensitive data is being held in publicly-accessible cloud storage, despite the obvious risks – what can firms do about it?


Cloud storage is used by most businesses, with 78% of respondents to a 2024 PwC survey indicating they’ve adopted cloud across most of their organizations. But many firms are unknowingly opening themselves up to security and data protection risks: sensitive data is being held in 9% of publicly-accessible cloud storage, and 97% of this information is classified as restricted or confidential, according to Tenable's 2025 Cloud Security Risk Report.

Over half of organizations using Amazon Web Services (AWS) ECS task definitions have at least one “secret” residing there. This creates “a dangerous exposure path” in cloud infrastructure entitlements, Tenable said.

Exposed data includes API keys, access and encryption keys and tokens, as well as usernames and passwords, according to the report.
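One way to check for the exposure described above, as an added example that is not from the article or from Tenable's report: a Python audit that reads an ECS task definition and flags plaintext `environment` entries that look like credentials, while leaving `secrets` entries (which only reference a secret store via `valueFrom`) alone. The sample task definition, the name and value patterns, and the function name are assumptions made for illustration.

```python
import json
import re

# Constructed sample task definition (not from the article). Field names follow
# the ECS task definition layout: containerDefinitions[].environment / .secrets.
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "orders-api",
  "containerDefinitions": [
    {
      "name": "app",
      "environment": [
        {"name": "LOG_LEVEL", "value": "info"},
        {"name": "DB_PASSWORD", "value": "example-not-a-real-password"},
        {"name": "UPSTREAM_ID", "value": "AKIAEXAMPLEEXAMPLE00"}
      ],
      "secrets": [
        {"name": "API_TOKEN",
         "valueFrom": "arn:aws:secretsmanager:eu-west-1:111122223333:secret:orders/api-token"}
      ]
    }
  ]
}
""")

# Illustrative heuristics (assumptions): suspicious variable names and value shapes.
NAME_HINT = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|ACCESS_?KEY|PRIVATE_?KEY)", re.I)
VALUE_HINTS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def audit_task_definition(task_def):
    """Return (container, variable, reason) for each plaintext entry that looks like a credential."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        for env in container.get("environment", []):
            name, value = env.get("name", ""), env.get("value", "")
            reasons = ["name"] if value and NAME_HINT.search(name) else []
            reasons += [label for label, rx in VALUE_HINTS.items() if rx.search(value)]
            if reasons:
                # Report the variable name only; never echo the value into logs.
                findings.append((container.get("name", "?"), name, "+".join(reasons)))
    return findings

if __name__ == "__main__":
    for container, var, reason in audit_task_definition(SAMPLE_TASK_DEF):
        print(f"{container}: {var} is plaintext ({reason}); move it to a 'secrets' valueFrom reference")
```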

As firms move away from on-premises infrastructure towards cheaper and more efficient cloud services, they aren’t always considering the risk. Most companies have already migrated this data over, meaning they have to work backwards to secure it.

“Too often, the convenience of cloud overrides the need for careful consideration, and critical files migrate over by default, or due to expediency,” says Ali Sheikh, digital and cybersecurity expert at PA Consulting. “This transition isn’t always accompanied by robust oversight or shared understanding of risk.”

So why has such sensitive data ended up in insecure cloud storage and what can firms do to gain control over it?

Migration issues

Cloud storage has become the default for businesses moving away from on-premises infrastructure due to its flexibility and ease of use. However, in the rush to migrate, many organizations “skip over essential security configurations”, says James Round, cyber security consultant at Pentest People. “We've seen this repeatedly in assessments when clients move to the cloud without applying strict access controls or properly safeguarding sensitive data including personally identifiable information.”

As firms strive for ease of access and the ability to quickly share information across teams, credentials, API keys and other sensitive details can end up being stored in plaintext, says Round.

Bernard Montel, EMEA technical director and security strategist at Tenable, describes “numerous instances” of inadvertent exposure, misconfigured access settings and “overly permissive policies” in cloud environments.

For example, developers frequently utilize privilege elevation for short-term access during application or project development, with these privileges revoked once the project concludes. “But this is often forgotten and the access becomes permanent,” Montel warns.

Simple missteps in cloud-based development can “swing the door wide open for attackers”, says Crystal Morin, cybersecurity strategist at Sysdig. For instance, publicly exposed data is “shockingly easy” to find using common free open source tools, she says. “Combine public exposure with misconfigurations, unpatched vulnerabilities, or weak credential management and attackers can breach cloud systems in minutes.”

In fact, about ten minutes is all that stands between a cloud misconfiguration and data leaks or intellectual property theft, says Morin.

Without strong access controls and clear data handling policies, the confidentiality and integrity of critical systems can be “seriously undermined often” without the business realizing until after an incident has occurred, Round warns.

Adding to the issue is the still widespread misunderstanding that cloud providers manage all security, when in fact configuration responsibilities lie with the customer, he says.

If this led to a cloud breach or data leak the consequences could be huge, with customers potentially exposed to hackers and companies falling foul of laws such as the General Data Protection Regulation (GDPR).

Storing confidential or restricted data in exposed locations is “a direct path to compliance violations”, says Kim Larsen, CISO at Keepit.

In addition to fines, firms are exposing themselves to brand damage and operational disruption, says Larsen. “If you lose access to your identity and access management systems such as Entra ID or Okta, you’re not just exposed – you’re locked out of your own company.”

How to gain visibility and secure cloud data

The amount of sensitive data stored in the cloud is a concern, but firms can get a handle on the issue using the right policies and technology.

In the first instance, IT leaders must establish clear cloud storage policies, processes and security controls, and communicate them across the organization, says Sam Peters, chief product officer at ISMS.online.

Businesses should also “thoroughly vet the security posture of their cloud suppliers”, says Peters.

Visibility is key to securing data in the cloud. You need to know what data you have, where it lives, and who can access it, says Larsen. “Classify that data. Encrypt it. Monitor access with defined time limits and remove standing privileges. Don’t assume that just because something’s behind a login it’s safe — credentials are one of the top targets for attackers.”

Regular monitoring is key, Round says. Tools include AWS Security Hub and Microsoft Defender for Cloud, which offer “a centralized view of risks, alerts, and compliance gaps”, he adds.

Combine this with a least-privilege access model, automated alerting, and default denial of public access to build strong cloud hygiene, Round advises. “A proactive approach, supported by continuous review and enforcement of internal policies, is essential for preventing breaches and maintaining control over critical assets.”
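A sketch of what a "default denial of public access" check can look like, as an added example that is not from the article or from any vendor quoted in it. It assumes Amazon S3 as the storage service (the article names AWS but not S3) and audits a constructed inventory for missing Block Public Access settings and bucket policy statements that allow any principal; bucket names, account IDs and function names are hypothetical.

```python
# The four S3 Block Public Access settings; all should be true for default denial.
REQUIRED_BPA = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample inventory (not from the article): per-bucket Block Public
# Access settings and bucket policy, as an inventory job might have collected them.
SAMPLE_BUCKETS = {
    "finance-exports": {
        "bpa": {flag: True for flag in REQUIRED_BPA},
        "policy": {"Statement": [{"Sid": "AppRead", "Effect": "Allow",
                                  "Principal": {"AWS": "arn:aws:iam::111122223333:role/reporting"},
                                  "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::finance-exports/*"}]},
    },
    "shared-assets": {
        "bpa": {"BlockPublicAcls": True, "IgnorePublicAcls": True},
        "policy": {"Statement": {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                                 "Action": "s3:GetObject",
                                 "Resource": "arn:aws:s3:::shared-assets/*"}},
    },
}

def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is one item of a list)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in (principal if isinstance(principal, list) else [principal])

def audit_bucket(bpa, policy):
    """List the ways one bucket departs from default denial of public access."""
    issues = [f"{flag} is not enabled" for flag in REQUIRED_BPA if not bpa.get(flag, False)]
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without the list
        statements = [statements]
    for stmt in statements:
        # Unconditioned Allow to everyone is the clear-cut case; statements that
        # carry a Condition still need a human review of what the condition permits.
        if (stmt.get("Effect") == "Allow" and is_wildcard_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            issues.append(f"statement {stmt.get('Sid', '<no Sid>')} allows any principal")
    return issues

def audit_inventory(buckets):
    """Map each bucket name to its list of issues (empty list means compliant)."""
    return {name: audit_bucket(b["bpa"], b["policy"]) for name, b in buckets.items()}

if __name__ == "__main__":
    for name, issues in audit_inventory(SAMPLE_BUCKETS).items():
        print(name, "OK" if not issues else "; ".join(issues))
```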

When securing cloud data, it also helps to look at things from a different perspective. Richard Cassidy, EMEA CISO at Rubrik, urges security teams to “act like attackers, by targeting high-value data first and looking at all the possible ways to access it”. Teams can also look to put stronger controls in place, improve their recovery strategies, and utilize continuous backups much as they would with data held on premises, he adds.

As increasing amounts of data are created and stored in cloud services, gaining control over your own estate is important. Once you have visibility of information residing in the cloud, regular audits, strong authentication and clear policies are essential, according to Sheikh.

It’s important to get all employees on board, so they understand that security is everyone’s responsibility, he says. “Cultivating a culture where everyone, from executive to end user, sees themselves as a guardian of data, shifts security from a technical afterthought to a shared value,” he says.

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.