By NHI Mgmt Group Editorial Team
Published 2025-09-04
Domain: Governance & Risk
Source: Netwrix

TL;DR: 80% of organisations store sensitive data in the cloud, 53% experienced a cloud infrastructure cyberattack in the prior 12 months, and 49% saw unplanned remediation costs after an attack, according to Netwrix’s 2022 survey of 720 IT professionals. The governance gap is not cloud adoption itself, but the fact that data, access, and detection controls are still maturing unevenly.


At a glance

What this is: Netwrix’s 2022 cloud data security report shows cloud adoption continuing while sensitive data exposure, attack frequency, and remediation costs remain high.

Why it matters: For IAM and identity security teams, the report underscores that cloud risk is still being driven by access, credential, and governance weaknesses that affect NHI, autonomous, and human identity programmes alike.

By the numbers:

👉 Read Netwrix's 2022 cloud data security report


Context

Cloud security is the discipline of controlling who and what can reach cloud data, services, and management planes. In this report, the main problem is not whether organisations are using cloud systems, but whether their identity, data, and monitoring controls have kept pace with that shift.

That gap matters to IAM and NHI programmes because cloud environments concentrate sensitive data, privileged access, and machine credentials in the same operational stack. When those controls lag, exposure becomes a governance problem as much as a technical one.

The survey frame is broad rather than niche, so the starting position is typical: many organisations are adopting cloud services faster than they are hardening the identity and access model around them.


Key questions

Q: How should teams reduce cloud data exposure without slowing cloud adoption?

A: Start by linking sensitive datasets to the identities and roles that can reach them. Remove unused access, separate read from write privileges, and require ownership for every high-risk cloud role. Cloud adoption does not need to stop, but access scope must be made explicit and reviewable before exposure becomes routine.

Q: Why do cloud incidents so often become expensive remediation events?

A: Cloud incidents spread cost because the same identity or misconfiguration can affect multiple services, regions, or accounts at once. Once access is broader than intended, teams must investigate, reconfigure, and verify many control points. The cost is usually a sign that identity scope and monitoring were too loosely governed.

Q: What do security teams get wrong about cloud data protection?

A: They often focus on where data is stored and miss which identities can actually move it. Storage labels and encryption help, but the real breach path is usually access scope, token use, and service permissions. Cloud data protection fails when governance stops at the repository and ignores the identity layer.

Q: How can organisations tell whether cloud security controls are working?

A: Look for evidence that access is shrinking, not just that alerts are increasing. Fewer broad roles, fewer unmanaged service credentials, and faster correlation between identity events and data access are stronger signs of control health. If investigation still requires manual stitching across tools, the programme is not yet operationally mature.


Technical breakdown

Cloud data exposure and access paths

Cloud data becomes difficult to govern when storage, sharing, and service access are spread across multiple platforms and accounts. Sensitive information often sits in object storage, SaaS repositories, and application back ends that depend on identities, tokens, and role grants rather than a single perimeter. The risk is not just where the data lives, but how many identity paths can reach it. In practice, cloud data security depends on understanding which identities can read, copy, export, or modify sensitive records across the environment.

Practical implication: map cloud data access to identity and privilege paths, not just to storage locations.
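One way to build that identity-to-data map, shown here as an added example that is not code from the report or from this post: a short Python script over a constructed inventory (the dataset, role and identity names are hypothetical) resolves every path from an identity through a role grant to a sensitive dataset, lists the identities that can write or export such data, and flags roles with wildcard grants or no owner. It also serves the inventory and standing-privilege items in the practitioner list later on the page.

```python
from fnmatch import fnmatchcase

# Constructed sample inventory (hypothetical names, not from the report).
# Sensitivity labels come from data classification; "high" is what we map.
DATASETS = {
    "s3://payroll-exports": "high",
    "s3://public-assets": "low",
    "db://customer-pii": "high",
}

# Each role carries an owner (None = nobody has signed off on it) and a list of
# (actions, resource pattern) grants; "*" is a wildcard in either position.
ROLES = {
    "payroll-reader": {"owner": "hr-security",
                       "grants": [(["read"], "s3://payroll-exports")]},
    "etl-service-role": {"owner": None,
                         "grants": [(["read", "write", "export"], "*")]},
    "web-assets": {"owner": "platform",
                   "grants": [(["read"], "s3://public-assets")]},
    "dba-admin": {"owner": "data-platform",
                  "grants": [(["*"], "db://*")]},
}

# Human accounts, service accounts and API keys, each holding zero or more roles.
IDENTITIES = {
    "alice@example.test": {"kind": "human", "roles": ["payroll-reader"]},
    "svc-etl": {"kind": "service", "roles": ["etl-service-role"]},
    "api-key-7f3a": {"kind": "api_key", "roles": ["web-assets", "dba-admin"]},
}

HIGH_RISK_ACTIONS = {"write", "export", "*"}


def grant_covers(grant_actions, resource_pattern, action, resource):
    """True if one grant allows `action` on `resource` (wildcards honoured)."""
    action_ok = "*" in grant_actions or action in grant_actions
    return action_ok and fnmatchcase(resource, resource_pattern)


def access_paths(identities=IDENTITIES, roles=ROLES, datasets=DATASETS,
                 sensitivity="high"):
    """Every (identity, role, dataset, action) path that reaches a dataset of
    the given sensitivity. This is the map of identity paths, not a list of
    storage locations."""
    paths = []
    for ident, meta in identities.items():
        for role_name in meta["roles"]:
            for grant_actions, pattern in roles[role_name]["grants"]:
                for ds, level in datasets.items():
                    if level != sensitivity:
                        continue
                    for action in ("read", "write", "export"):
                        if grant_covers(grant_actions, pattern, action, ds):
                            paths.append((ident, role_name, ds, action))
    return sorted(paths)


def overbroad_roles(roles=ROLES):
    """Roles with a wildcard action or resource, or a high-risk grant and no
    named owner: the recertification queue."""
    findings = {}
    for name, meta in roles.items():
        reasons = set()
        for grant_actions, pattern in meta["grants"]:
            if "*" in grant_actions:
                reasons.add("wildcard action")
            if pattern == "*":
                reasons.add("wildcard resource")
            if meta["owner"] is None and HIGH_RISK_ACTIONS & set(grant_actions):
                reasons.add("high-risk grant with no owner")
        if reasons:
            findings[name] = sorted(reasons)
    return findings


def write_capable_identities(paths):
    """Identities that can write or export sensitive data: first review targets."""
    return sorted({ident for ident, _, _, action in paths
                   if action in ("write", "export")})


if __name__ == "__main__":
    paths = access_paths()
    for p in paths:
        print("PATH", *p)
    for role, why in overbroad_roles().items():
        print("REVIEW", role, ", ".join(why))
    print("write/export capable:", write_capable_identities(paths))
```

The point of the output is the shape, not the toy data: the service account and the API key reach high-sensitivity data through grants nobody scoped to a dataset, while the human account's path is narrow and owned. In a real estate the same three functions run over exported IAM policies and a classification catalogue.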

Why cloud incidents turn into cost events

Cloud breaches often become expensive because the attack is not limited to one asset. A compromised credential, mis-scoped role, or exposed data set can force investigation across multiple environments, reconfiguration of permissions, and follow-on remediation in dependent systems. That creates unplanned spending on containment, audit work, and control repair. The operational lesson is that cloud security failures compound quickly when identity scope and detection coverage are not tightly aligned.

Practical implication: treat cloud incident cost as a signal of control sprawl, not just of attack severity.

Detection time in cloud environments

Detection time in the cloud depends on telemetry quality, identity logging, and whether security teams can correlate access events with the data they protect. If alerts are fragmented across providers, teams may see suspicious activity only after data movement or privilege abuse has already occurred. Faster detection is less about one tool and more about whether identity, storage, and workload logs can be tied together into a usable investigation path.

Practical implication: consolidate identity and workload telemetry so cloud access anomalies can be investigated before data exfiltration completes.


Threat narrative

Attacker objective: The attacker aims to reach sensitive cloud data or management paths with enough access to cause disclosure, disruption, or expensive remediation.

  1. Entry occurs when cloud exposure begins through overshared access, weak monitoring, or an externally reachable cloud resource.
  2. Escalation follows when the attacker uses that access to reach sensitive data, adjacent services, or management functions.
  3. Impact is the breach, remediation spend, and operational disruption that follow data exposure or service compromise.
  • DeepSeek breach: exposed 1M+ log lines and sensitive secret keys.
  • Cisco DevHub NHI breach: IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Cloud data security is really identity security with a storage problem attached. The report’s numbers show that sensitive data is already widely resident in cloud platforms, which means the practical control surface is no longer just storage configuration. It is the combination of who can reach the data, which machine identities can move it, and how quickly those paths are detected. Practitioners should treat cloud data security as an identity governance problem first, not a file-system problem.

Standing cloud access turns routine exposure into repeatable loss. When identities retain broad access to cloud data and management planes, a single compromise can be replayed across multiple services instead of ending at one endpoint. That is the governance failure this report points to: access scope is often broader than the business process requires. Teams should narrow standing privilege before they try to optimise detective tooling.

Cloud adoption is outpacing control maturity in a way that breaks shared accountability. Security, platform, and data owners often each see part of the problem, but none owns the whole path from credential to dataset. This is where NIST Cybersecurity Framework 2.0 governance and identity controls need to converge with cloud operations. The practical conclusion is that cloud risk committees must measure access scope and detection coverage together, not separately.

Machine identities deserve the same scrutiny as human accounts in cloud environments. Many cloud incidents are not caused by a person clicking the wrong thing once, but by service credentials, tokens, or overly permissive roles that persist and spread quietly. That makes NHI lifecycle discipline, including entitlement review and rotation, a core cloud control rather than a niche hygiene task. Practitioners should audit machine access with the same rigour they apply to privileged human access.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
  • As cloud and AI estates converge, the next control gap is not visibility alone but whether identity governance can keep pace with machine access growth.

What this signals

Cloud adoption is now a governance test, not a migration milestone. Once sensitive data is already resident in the cloud, the programme question changes from whether to move workloads to whether access, logging, and ownership can be made deterministic. That means cloud security leaders need to measure entitlement scope and data reach together, because separate reporting hides the real attack surface.

Identity telemetry must become the centre of cloud investigations. If teams cannot trace a data event back to the role, token, or service credential that enabled it, the response process is already behind. A cloud programme that cannot join access logs to storage activity will struggle to prove control effectiveness after an incident.

With 70% of organisations granting AI systems more access than human employees, per The 2026 Infrastructure Identity Survey, cloud governance is moving into a world where machine access growth can outpace human review cycles. That shift makes entitlement discipline and telemetry correlation foundational programme priorities, not afterthoughts.


For practitioners

  • Inventory cloud identities tied to sensitive data: Build a single view of human accounts, service accounts, API keys, and tokens that can reach cloud data stores or management planes. Prioritise identities with write access, export rights, or privilege to change logging and policy settings.
  • Reduce standing privilege in cloud roles: Review cloud roles for overbroad access to storage, backups, and admin functions, then remove permissions that are not needed for current business use. Use recertification to force explicit ownership of every high-risk role.
  • Correlate identity and storage telemetry: Join authentication logs, role assumption events, object access logs, and alerting into one investigation path so suspicious access can be traced before data leaves the environment. Make sure the team can answer who accessed what, when, and through which identity.
  • Measure remediation cost as a governance metric: Track unplanned spend after cloud incidents, including recovery labour, policy repair, and control reconfiguration. Use that number to justify access cleanup, logging improvements, and ownership fixes instead of treating cloud security as a pure tooling budget issue.
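The telemetry correlation described in the "Correlate identity and storage telemetry" item, and in the detection-time discussion earlier on the page, as an added example that is not code from the report or from this post: three constructed log streams (logins, role assumptions, object accesses; all identities, session ids and bucket names are hypothetical) are joined into one investigation path per object access, so each record answers who, what, when and through which identity. Three detection rules then run over the joined path: a sensitive-bucket access that cannot be traced back to a login, a role touching a sensitive bucket that the access inventory does not expect there, and a sensitive read followed by a write to a public bucket in the same role session.

```python
from collections import defaultdict

# Constructed sample telemetry (hypothetical principals, sessions and buckets).
AUTH_EVENTS = [  # interactive or programmatic logins
    {"ts": "2025-09-04T08:00:00Z", "principal": "alice@example.test",
     "session": "sess-a1", "src_ip": "203.0.113.10", "mfa": True},
    {"ts": "2025-09-04T08:05:00Z", "principal": "svc-etl",
     "session": "sess-e1", "src_ip": "10.0.4.12", "mfa": False},
]
ASSUME_ROLE_EVENTS = [  # a login session taking on a cloud role
    {"ts": "2025-09-04T08:01:00Z", "session": "sess-a1",
     "role": "payroll-reader", "role_session": "rs-101"},
    {"ts": "2025-09-04T08:06:00Z", "session": "sess-e1",
     "role": "etl-service-role", "role_session": "rs-202"},
]
OBJECT_EVENTS = [  # object-storage access log, keyed by role session
    {"ts": "2025-09-04T08:02:00Z", "role_session": "rs-101", "action": "GetObject",
     "bucket": "payroll-exports", "key": "2025-08.csv"},
    {"ts": "2025-09-04T08:07:00Z", "role_session": "rs-202", "action": "GetObject",
     "bucket": "payroll-exports", "key": "2025-08.csv"},
    {"ts": "2025-09-04T08:08:00Z", "role_session": "rs-202", "action": "PutObject",
     "bucket": "public-assets", "key": "payroll-2025-08.csv"},
    {"ts": "2025-09-04T08:09:00Z", "role_session": "rs-999", "action": "GetObject",
     "bucket": "payroll-exports", "key": "2025-08.csv"},
]

SENSITIVE_BUCKETS = {"payroll-exports"}
PUBLIC_BUCKETS = {"public-assets"}
# Roles the access inventory expects to touch each sensitive bucket.
EXPECTED_ROLES = {"payroll-exports": {"payroll-reader"}}


def build_index(auth_events, assume_events):
    """Index logins by session id and role assumptions by role-session id."""
    return ({e["session"]: e for e in auth_events},
            {e["role_session"]: e for e in assume_events})


def trace(event, sessions, role_sessions):
    """Join one object-access event back to the role assumption and the login
    that produced it: who, what, when and through which identity."""
    assume = role_sessions.get(event["role_session"])
    auth = sessions.get(assume["session"]) if assume else None
    return {
        "when": event["ts"],
        "what": f'{event["action"]} {event["bucket"]}/{event["key"]}',
        "role": assume["role"] if assume else None,
        "who": auth["principal"] if auth else None,
        "src_ip": auth["src_ip"] if auth else None,
    }


def investigate(object_events=OBJECT_EVENTS, auth_events=AUTH_EVENTS,
                assume_events=ASSUME_ROLE_EVENTS):
    """Run the three rules over the joined telemetry, in time order.
    Returns (rule, principal or None, role_session, timestamp) tuples."""
    sessions, role_sessions = build_index(auth_events, assume_events)
    findings = []
    sensitive_reads = defaultdict(set)  # role_session -> sensitive buckets read
    for ev in sorted(object_events, key=lambda e: e["ts"]):
        path = trace(ev, sessions, role_sessions)
        who, rs, bucket = path["who"], ev["role_session"], ev["bucket"]
        if bucket in SENSITIVE_BUCKETS:
            if path["role"] is None or who is None:
                findings.append(("sensitive access with no identity trace", who, rs, ev["ts"]))
            elif path["role"] not in EXPECTED_ROLES.get(bucket, set()):
                findings.append(("unexpected role for sensitive bucket", who, rs, ev["ts"]))
            if ev["action"].startswith("Get"):
                sensitive_reads[rs].add(bucket)
        elif (bucket in PUBLIC_BUCKETS and ev["action"].startswith("Put")
              and sensitive_reads[rs]):
            findings.append(("sensitive read followed by write to public bucket", who, rs, ev["ts"]))
    return findings


if __name__ == "__main__":
    for rule, who, rs, ts in investigate():
        print(f"{ts} {rule}: principal={who} role_session={rs}")
```

The join is what makes the rules possible: the orphan role session rs-999 is only visible as a problem once object accesses are matched against role-assumption and login records, and the read-then-publish pattern only shows when both storage events are attributed to the same identity path. Without that correlation each stream looks unremarkable on its own.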

Key takeaways

  • Cloud risk in this report is driven less by adoption itself than by the identity paths that reach sensitive data.
  • The reported attack and remediation figures show that cloud incidents quickly become governance and cost problems, not just technical events.
  • Teams should prioritise access scope, telemetry correlation, and role ownership before they try to optimise cloud security maturity metrics.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Cloud access scope and identity governance are central to the report.
OWASP Non-Human Identity Top 10 | NHI-03 | Service credentials and tokens in cloud environments need lifecycle control.
NIST Zero Trust (SP 800-207) | AC-4 | Cloud data access should be continuously verified, not assumed from network position.

Track machine credentials under NHI-03 and rotate or retire them on a defined schedule.


Key terms

  • Cloud data security: Cloud data security is the practice of protecting information stored and processed in cloud services. It combines access control, monitoring, and governance so that sensitive data cannot be reached, copied, or modified by identities that do not need that level of access.
  • Standing privilege: Standing privilege is persistent access that remains available to a user, service account, or workload beyond the moment it is needed. In cloud environments, it increases exposure because broad roles and long-lived credentials can be reused repeatedly if they are not reviewed or constrained.
  • Machine identity: Machine identity is the set of credentials and permissions used by non-human systems such as workloads, APIs, tokens, and service accounts. In cloud programmes, it often becomes the hidden path to sensitive data because it operates continuously and is frequently over-permissioned.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Netwrix: 2022 Cloud Data Security Report. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org