Despite years of warnings, many organisations continue to fall short in mastering the basics of cloud security, leaving them vulnerable to breaches. A new report highlights significant gaps in identity management, expertise, and governance as cloud adoption accelerates worldwide.
Growing complexity in IT environments
The State of Cloud and AI Security 2025 report, commissioned by Tenable in collaboration with the Cloud Security Alliance (CSA), surveyed over 1,000 IT and security professionals across the globe, including in the Asia Pacific region. The study examined how organisations are managing risks in increasingly complex cloud and AI-driven infrastructures.
The findings show that 82% of organisations now operate hybrid environments, while 63% use multiple cloud providers. This layered approach has created an urgent need for unified visibility and consistent policy enforcement. However, most companies lack the necessary controls, creating blind spots that cyber attackers can exploit.
Identity becomes the weakest link
The report identifies identity as the primary battleground for cloud security. While 59% of organisations acknowledge that insecure identities and permissions are their biggest cloud risk, many are not taking sufficient action to mitigate it. Breach data shows that the leading causes of incidents are linked to poor identity governance, including excessive permissions (31%), inconsistent access controls (27%), and weak identity hygiene (27%).
These issues point to more than isolated errors. According to the study, they reflect systemic governance failures in how organisations manage identity across the enterprise.
Skills gap undermines progress
A lack of expertise is also hindering progress. More than a third of organisations (34%) cited a shortage of skilled professionals as their greatest challenge in cloud security. This skills gap contributes to unclear strategies, reported by 39% of respondents, and a disconnect between security teams and leadership. Almost one-third (31%) believe their executives do not sufficiently understand cloud security risks, limiting the support, budgets, and resources needed to address the problem effectively.
Liat Hayun, Vice President of Product and Research at Tenable, said: “Identity has become the cloud’s weakest link, but it’s being managed with inconsistent controls and dangerous permissions. This isn’t just a technical oversight; it’s a systemic governance failure, compounded by a persistent expertise gap that stalls progress from the server room to the boardroom. Until organisations get back to basics, achieving unified visibility and enforcing rigorous identity governance, they will continue to be outmanoeuvred by attackers.”
The report concludes that organisations need to strengthen their foundations in identity management, invest in expertise, and align leadership with security priorities if they are to reduce exposure in increasingly fragmented cloud environments.
