2025 Status Report on Cloud Threats and Strategies

Cloud Cybersecurity 2025: Navigating Between Evolving Threats and Robust Defense Strategies

Cloud adoption is now widespread: studies indicate that over 90% of global enterprises use cloud services, and for many companies over 70% of their workloads reside there. The cloud has undeniably become the backbone of digital transformation. Offering unprecedented flexibility, scalability, and efficiency, it now hosts critical data and essential operations. However, this ubiquity and value make it a prime target for cybercriminals with increasingly sophisticated tactics. As we look ahead to 2026, it is crucial to understand the changing landscape of cyber threats targeting the cloud and to adopt proactive, intelligent response strategies.

The Fatal Attraction: Why is the Cloud Such a Target?

The massive migration to the cloud has concentrated a phenomenal amount of sensitive data and computing resources in a single virtual “location.” As highlighted by ANSSI’s report for 2025, attackers are “redoubling their interest in these environments to exploit their flaws.” Their motivations are varied, ranging from pure financial gain—via ransomware, theft of authentication data for resale, or illegal cryptomining—to strategic and geopolitical objectives, including espionage, destabilization of entities, or data destruction.

Cloud Threat Landscape: More Than Just a Passing Storm

The threats weighing on cloud environments are diverse and constantly evolving. Among the most concerning are:

  • Ransomware: Ransomware is nothing new, but its operators constantly refine their techniques to maximize profits and evade detection. Double extortion campaigns, where stolen data is not only encrypted but also threatened with publication on the dark web, are commonplace. S3 buckets are particularly targeted.

  • Theft of Authentication Data and Access Secrets: Credentials, passwords, and API keys are the Holy Grail for attackers. Once obtained, they can illegitimately access cloud resources. The compromise of a cloud service provider, as illustrated by the attacks against Okta, can serve as a “pivot” to reach numerous downstream victims.

  • Illegal Cryptomining: Cybercriminals discreetly deploy cryptocurrency mining software on clients’ virtual machines (e.g., EC2 on AWS) or containers (ECS, EKS), exploiting their computing power at the clients’ expense. This is the new trend known as Denial Of Wallet (your credit card pays for it…).

  • Distributed Denial of Service (DDoS) Attacks: Whether volumetric or targeting the application layer, DDoS attacks are gaining sophistication, threatening service availability and potentially leading to significant financial losses and reputational damage.

  • Malware: Trojans, worms, and other malicious programs are regularly detected. Services like Amazon GuardDuty can identify their presence within various cloud services. More specifically, GuardDuty Malware Protection offers agentless scanning capabilities for Amazon EBS volumes attached to EC2 instances and container workloads, as well as for newly uploaded objects in Amazon S3 buckets. When malware is detected on an EBS volume (following a scan initiated by GuardDuty or requested on-demand) or on an S3 object, GuardDuty generates detailed findings. For S3, it can also tag infected objects, facilitating automated downstream actions, such as quarantine, to prevent malware propagation.

  • Compromise of Instances, Accounts, and Buckets: Suspicious activities such as unusual API calls, port scans, use of temporary credentials from suspicious external IPs, or data exfiltration can indicate a compromise.
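As an added example (not code from the original post or from AWS), here is the kind of automated downstream action the GuardDuty S3 malware bullet describes: a Lambda-style handler that quarantines an object once the scan result reports a threat and leaves every other outcome untouched. The event shape is modelled on the scan-result event but is a constructed sample, and the bucket names and the injected S3 client are assumptions so it runs offline.

```python
"""Quarantine S3 objects that GuardDuty Malware Protection has flagged.

Added example, not code from the original post or from AWS. Assumptions: the
event below is a constructed sample modelled on the "GuardDuty Malware
Protection Object Scan Result" event, the quarantine bucket name is a
placeholder, and the S3 client is injected (in Lambda, pass boto3.client("s3")).
"""
THREAT_STATUS = "THREATS_FOUND"
QUARANTINE_BUCKET = "example-quarantine-bucket"  # placeholder, not a real bucket

def scan_result(event):
    """Pull (bucket, key, version, status) out of the scan-result event."""
    detail = event.get("detail", {})
    obj = detail.get("s3ObjectDetails", {})
    status = detail.get("scanResultDetails", {}).get("scanResultStatus")
    return obj.get("bucketName"), obj.get("objectKey"), obj.get("versionId"), status

def quarantine(event, s3, quarantine_bucket=QUARANTINE_BUCKET):
    """Copy a flagged object to quarantine, then delete it from the source bucket.

    Only THREATS_FOUND triggers action: clean, unsupported and failed scans are
    left alone, so a scan error can never delete a legitimate file.
    """
    bucket, key, version, status = scan_result(event)
    if not bucket or not key:
        return {"action": "ignored", "reason": "event has no object details"}
    if status != THREAT_STATUS:
        return {"action": "ignored", "reason": f"scan status {status}", "key": key}
    version_arg = {"VersionId": version} if version else {}
    dest_key = f"{bucket}/{key}"  # keep the origin visible in the quarantine key
    s3.copy_object(Bucket=quarantine_bucket, Key=dest_key,
                   CopySource={"Bucket": bucket, "Key": key, **version_arg})
    # Delete only after the copy succeeded; a real boto3 copy_object raises on failure.
    s3.delete_object(Bucket=bucket, Key=key, **version_arg)
    return {"action": "quarantined", "source": f"s3://{bucket}/{key}",
            "destination": f"s3://{quarantine_bucket}/{dest_key}"}

class FakeS3:
    """Stand-in for a boto3 S3 client that records the calls it receives."""
    def __init__(self):
        self.calls = []
    def copy_object(self, **kw):
        self.calls.append(("copy_object", kw))
    def delete_object(self, **kw):
        self.calls.append(("delete_object", kw))

# Constructed sample event (shape assumed, values are placeholders).
SAMPLE_EVENT = {"detail-type": "GuardDuty Malware Protection Object Scan Result",
                "detail": {"s3ObjectDetails": {"bucketName": "example-uploads",
                                               "objectKey": "inbox/invoice.pdf", "versionId": "v1"},
                           "scanResultDetails": {"scanResultStatus": "THREATS_FOUND"}}}
```

In production the handler would be wired to an EventBridge rule on that event type, with the quarantine bucket denying all reads except to the investigation role.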

A study by Zscaler reveals an alarming fact: 86% of cyberattacks transit through encrypted channels, making their detection more complex without the right tools. The manufacturing industry, often perceived as a more vulnerable target due to the sometimes less mature security of its networks and the proliferation of unsecured IoT devices, is particularly targeted.

Artificial Intelligence: Ally or Enemy?

Artificial Intelligence (AI) and Large Language Models (LLMs) represent a true revolution, but also a double-edged sword in the field of cybersecurity:

  • For Attackers: AI is leveraged to develop large-scale phishing, vishing (voice phishing), and social engineering attacks. It enables the creation of ultra-realistic and personalized content (emails, messages, and the synthetic media known as “deepfakes”), making deception harder to detect.

  • For Defense: AI offers valuable capabilities to analyze massive volumes of security alerts, eliminate false positives, and identify complex attack patterns. It can also be used to simulate attacks as part of security hardening exercises.

Cloud Defense Strategies: Building a Digital Fortress

Faced with these threats, a reactive security posture is no longer sufficient. It is imperative to adopt a proactive approach, relying on robust detection controls and well-rehearsed response plans. In the AWS ecosystem, for example, several tools and practices are essential:

  • Advanced Detection Controls: Threat detection services like Amazon GuardDuty play a crucial role by analyzing various logs (CloudTrail, VPC Flow Logs, DNS logs, EKS audit logs) in near real-time to identify suspicious activities and potential threats, without actually storing these logs. It relies on threat intelligence provided by AWS and third parties. However, for even broader visibility and protection, many organizations are turning to Cloud-Native Application Protection Platforms (CNAPP). These platforms integrate and correlate information from multiple sources, including GuardDuty findings, with other aspects of cloud security such as Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP), and network security, offering a more holistic overview and allowing for more effective risk prioritization and remediation.

  • Incident Response Playbooks and Runbooks: The AWS Security Incident Response Guide emphasizes the importance of developing detailed “runbooks.” These guides specify the step-by-step actions to take when a security incident occurs.

  • Rigorous Identity and Access Management (IAM): This is the foundation of cloud security. The strict application of the principle of least privilege—granting users and services only the permissions strictly necessary for their functions—is fundamental. I repeat: The strict application of least privilege is FUNDAMENTAL!

  • Systematic Data Encryption: It is recommended to encrypt sensitive data before storing it in the cloud (client-side encryption) or to use the cloud provider’s native encryption features, ideally retaining control of the encryption keys (Bring Your Own Key - BYOK).

  • Isolation of Compromised Resources: In the event of an incident, the ability to quickly isolate affected resources is vital to limit the impact, prevent the attack’s spread, and prevent any further unauthorized access. It is often preferable to examine data related to a security event outside the potentially compromised account, for instance in separate, isolated AWS environments.

  • Response Automation: Services like AWS Lambda can be used to automate certain response actions to security events, enabling a faster and more consistent reaction.
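To make the least-privilege point concrete, an added example (not from the original post or from any AWS tool): a small checker that flags over-broad IAM policy statements, shown with a deliberately broad S3 policy beside its scoped-down replacement. The bucket names are placeholders and the list of sensitive actions is an illustrative assumption, not an exhaustive one.

```python
"""Flag IAM policy statements that violate least privilege.

Added example, not from the original post or any AWS tool: a linter over an
IAM policy document (the JSON shape AWS uses) reporting Allow statements that
grant wildcard actions, wildcard resources or sensitive actions. Bucket names
are constructed placeholders; SENSITIVE is illustrative, not exhaustive.
"""
import fnmatch

SENSITIVE = ("iam:*", "sts:AssumeRole", "s3:DeleteBucket",
             "kms:ScheduleKeyDeletion", "ec2:AuthorizeSecurityGroupIngress")

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def find_overbroad(policy):
    """Return human-readable findings for a policy document given as a dict."""
    findings = []
    for n, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in st:
            findings.append(f"statement {n}: NotAction allows everything not listed")
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {n}: wildcard action {action}")
                continue
            # A granted pattern such as s3:Delete* may still cover a sensitive action.
            for s in SENSITIVE:
                if fnmatch.fnmatchcase(s.lower(), action.lower()):
                    findings.append(f"statement {n}: action {action} covers {s}")
        if "*" in _as_list(st.get("Resource", [])) and not st.get("Condition"):
            findings.append(f"statement {n}: Resource * without any Condition")
    return findings

# The weak setting: every S3 action on every bucket in the account.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# The corrected setting: only the verbs the workload uses, on one bucket,
# with listing limited to the prefix it owns (placeholder bucket name).
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/uploads/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-app-uploads",
     "Condition": {"StringLike": {"s3:prefix": ["uploads/*"]}}}]}
```

Running find_overbroad over every customer-managed policy in a periodic access review turns the "least privilege is FUNDAMENTAL" rule into a measurable check rather than a slogan.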

The cyber threat landscape is also shaped by broader dynamics:

  • State and Non-State Actors: Countries like China, Russia, North Korea, and Iran have significant offensive cyber programs. Other nations, such as India, are actively developing their capabilities. These actors may target critical infrastructure, businesses, or institutions for espionage or destabilization purposes.

  • Cybercrime-as-a-Service (CaaS): This flourishing business model makes cybercriminal tools and services (access-as-a-service, phishing-as-a-service, DDoS-as-a-service) accessible to a larger number of malicious actors, even those with limited technical skills.

  • Dual-Use Commercial Services: Services like satellite telecommunications, used by both civilians and the military, are becoming targets. Attacks against these services can have repercussions for civilian customers.

  • “Living-off-the-land” (LOTL) Techniques: Attackers increasingly use legitimate tools and processes already present on compromised systems to move laterally and exfiltrate data discreetly, making detection harder. For example, an attacker could use PowerShell, a command-line administration tool built into Windows, to execute malicious scripts, navigate the file system, or communicate with a command-and-control server, all without introducing new suspicious software that could alert detection systems.

  • Email Attack Trends: HTML and PDF files remain the preferred vectors for malicious attachments. Spoofing popular shipping brands (DHL, Amazon, FedEx) remains a common tactic in phishing campaigns aimed at stealing user credentials.

Key Recommendations for Increased Cyber Resilience: An Organizational Transformation

To successfully navigate this complex environment, a purely technical approach is insufficient. An organizational transformation is necessary to integrate security at the heart of operations. Here are strategic pillars:

  1. Adopt a Proactive and Integrated Security Posture:
    • What this implies: Go beyond simply reacting to alerts. This involves implementing robust detection controls (like Amazon GuardDuty, ideally integrated into a global CNAPP strategy), developing rapid and automated response capabilities (via runbooks and tools like AWS Lambda), and being able to quickly isolate compromised environments for investigation. Continuous evaluation of tools and partners is also crucial.
    • Required organizational change: Break down silos between security teams (SecOps), cloud operations (CloudOps), and development (DevSecOps). Foster close collaboration, supported by clear processes and extensive automation. The goal is to drastically reduce Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) by embedding security by design.
  2. Establish Rigorous Access Governance and Data Protection:
    • What this implies: Strictly apply the principle of least privilege for all accesses (IAM), actively monitor identity federation configurations, and strengthen authentication (MFA) and password management processes, especially for highly privileged accounts. Systematic encryption of sensitive data, at rest and in transit, with strict key control, is non-negotiable.
    • Required organizational change: Spread a “least privilege” culture at all levels. Responsibility for access management and data protection must be shared and understood by all technical teams. Implement periodic access reviews, configuration audits, and clear, enforced data security policies.
  3. Cultivate Threat Intelligence and Continuous Adaptability:
    • What this implies: Stay constantly informed about the latest attack techniques (AI, LOTL, etc.), new vulnerabilities, and emerging threats. Develop forensic analysis capabilities to understand incidents and learn from them.
    • Required organizational change: Set up a Threat Intelligence function, whether internally or via specialized services. Encourage continuous training and certification of security teams and developers. Create isolated investigation environments (“sandboxes”) to analyze threats without risking contamination of production systems and allow for in-depth analysis. Foster a culture of sharing threat knowledge within the organization.

Cybersecurity in the cloud is not a destination, but a continuous journey of adaptation and improvement. By understanding threats, adopting intelligent defense strategies, and cultivating a culture of security, organizations can harness the power of the cloud while protecting their most valuable assets.
