By NHI Mgmt Group Editorial Team. Published 2025-04-08. Domain: General NHI. Source: StrongDM

TL;DR: Cloud infrastructure security depends on strong authentication, least privilege, logging, and Zero Trust, yet the source article notes that 98% of companies have suffered a cloud data breach in the past 18 months and that misconfigurations drive many incidents, according to StrongDM. The real problem is not cloud adoption itself but the gap between dynamic infrastructure and static IAM controls.


At a glance

What this is: This is a broad analysis of cloud infrastructure security, with the key finding that weak access control, overprovisioning, and incomplete logging remain the most costly mistakes.

Why it matters: It matters because cloud security failures often become identity failures, and IAM and NHI teams own the controls that limit blast radius when cloud environments change quickly.

By the numbers:

👉 Read StrongDM's analysis of cloud infrastructure security best practices


Context

Cloud infrastructure security is the discipline of protecting cloud resources, data, and applications from unauthorized access and misuse. In practice, the problem is not just perimeter defense. It is identity control, because cloud environments move faster than manual access reviews, and that creates direct NHI governance pressure for service accounts, tokens, and administrator credentials.

The article’s core message is that organizations often secure the cloud unevenly: access grows faster than oversight, logs are incomplete, and least privilege is applied inconsistently. That is a typical failure pattern in cloud programs, and it becomes more visible as hybrid and multi-cloud estates expand. For teams building stronger identity controls, the relevant reference point is the Ultimate Guide to NHIs.

Cloud infrastructure security becomes an IAM problem as soon as users, workloads, and automation share the same control plane. When access is broad, static, or poorly logged, the environment can no longer tell whether an action was intended, delegated, or malicious. That is why cloud security has increasingly become a question of identity lifecycle discipline, not just platform hardening.


Key questions

Q: How should security teams limit cloud access without slowing delivery?

A: Use least privilege, but apply it to both human and non-human identities. Define narrow roles, time-bound access, and automatic revocation at lifecycle events. That keeps developers and operators productive while reducing standing privilege that attackers can reuse if credentials are exposed.

Q: Why do cloud environments make Zero Trust harder to implement?

A: Cloud environments change too quickly for static trust decisions. Workloads scale up and down, identities are often ephemeral, and access paths cross multiple platforms. Zero Trust therefore needs continuous verification, short-lived credentials, and policy enforcement that follows the identity rather than the network location.

Q: What is the difference between strong authentication and least privilege in cloud security?

A: Strong authentication proves that an identity is allowed in, while least privilege limits what that identity can do once inside. Both are necessary. Authentication reduces unauthorized entry, but least privilege reduces blast radius if an account, token, or workload identity is compromised.

Q: How can teams reduce risk from zombie accounts and stale credentials?

A: Automate deprovisioning, rotate shared secrets, and review dormant identities on a fixed schedule. Stale access is dangerous because attackers prefer accounts that are already trusted. If a credential has no current business purpose, it should be removed or reissued under a new owner.


Technical breakdown

Why cloud infrastructure security depends on identity boundaries

Cloud infrastructure security fails when identity boundaries are loose. In a cloud estate, resources are ephemeral, permissions change frequently, and administrators often rely on federated access across multiple services. That means authentication alone is not enough. IAM must govern entitlement scope, session duration, and revocation, while NHI controls must cover service accounts, API keys, and automation tokens that often outlive the workloads they support. Without those controls, an attacker who reaches one credential can move laterally across services that were never meant to share trust.

Practical implication: Treat every cloud credential as a governed identity with a defined owner, scope, and expiry.

Overprovisioning, zombie accounts, and privilege drift

Overprovisioning happens when accounts receive broader access than their role requires, often at onboarding, during role changes, or through group-based permissioning. Zombie accounts are the extreme version of this problem, where unused identities remain active long after they should have been removed. In cloud environments, these patterns are dangerous because they create persistent paths into production systems. Least privilege is the corrective principle, but it only works when provisioning and deprovisioning are automated and tied to lifecycle events rather than manual ticketing.

Practical implication: Map every cloud identity to a lifecycle control so unused or expanded access can be removed quickly.

Logging and Zero Trust in cloud environments

Logging and Zero Trust are complementary controls, not separate goals. Logging provides the evidence layer, showing who accessed what, when, and from where. Zero Trust provides the decision layer, continuously verifying access instead of trusting a network location or device by default. In cloud infrastructure, both matter because distributed services create too many trust edges for static approval models to work well. If logs are incomplete, incident response loses visibility. If Zero Trust is superficial, access decisions become one-time checks instead of continuous policy enforcement.

Practical implication: Use continuous verification and complete logging together so access, detection, and audit can reinforce one another.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Cloud infrastructure security is now an identity governance problem wearing a platform label. The article frames the issue around cloud posture, but the actual control failures are IAM failures: overbroad access, unmanaged credentials, and incomplete visibility. In modern estates, the boundary between human and non-human access is blurred, so cloud governance must include service accounts, tokens, and automation paths as first-class identities. Practitioners should treat cloud security as identity governance at scale.

Overprovisioning creates the identity blast radius that attackers exploit. When groups, departments, and legacy access patterns determine permissions, privilege accumulates faster than teams can review it. That drift is especially risky in cloud systems because automation and workload sprawl turn one excessive grant into many reachable systems. The practical lesson is to reduce standing privilege and design for revocation, not just onboarding.

Incomplete logging is not a detection gap only. It is a governance failure. If teams cannot reconstruct who touched critical assets, they cannot prove compliance or bound impact after an incident. Cloud security programs should therefore define logging as an identity accountability control, especially for privileged users and NHI activity. Practitioners should require logs that support both investigation and access certification.

Zero Trust only works in the cloud when it is enforced as a policy model, not a slogan. The article is right to connect cloud security with continuous authentication and monitoring, but the deeper point is that trust should be short-lived and revocable. That pushes teams toward stronger session controls, shorter credential lifetimes, and tighter workflow boundaries. Practitioners should align cloud access with Zero Trust principles that can actually be measured.

From our research:

What this signals

Cloud security programmes should assume that over-privilege is the default failure mode unless access is continuously reviewed. With 70% of organisations already granting AI systems more access than they would give a human employee performing the exact same job, per the 2026 Infrastructure Identity Survey, the governance gap is no longer theoretical.

Identity blast radius: the practical unit of cloud risk is not the account itself, but how far that account can move once compromised. That means cloud teams need shorter access lifetimes, stronger session controls, and better revocation paths across humans and NHIs.

The next step for most programmes is to align cloud access review with workload identity management. The Ultimate Guide to NHIs gives practitioners the control vocabulary needed to connect provisioning, rotation, deprovisioning, and audit into one operating model.


For practitioners

  • Inventory cloud identities across humans and NHIs: Create a unified inventory that includes users, service accounts, API keys, tokens, certificates, and automation identities. Assign owners, record purpose, and require an expiry or review date for each identity so access does not persist by default.
  • Replace group-based access with role-scoped permissions: Remove broad department-level grants and map entitlements to job function, workload purpose, and environment. Enforce least privilege for both interactive users and cloud workloads so access is narrow enough to survive compromise with limited blast radius.
  • Automate deprovisioning at lifecycle events: Tie access removal to offboarding, role changes, and workload retirement. Build checks that remove dormant accounts, rotate shared secrets, and invalidate unused tokens so old access paths do not remain available after business changes.
  • Treat logging as an access control requirement: Require real-time logging for critical cloud assets, privileged sessions, and administrative actions. Ensure logs capture who accessed what, when, and where so incident response, audit, and access review all have the evidence they need.
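The privilege-drift and zombie-account patterns described in the technical breakdown, and the inventory, ownership and automated-deprovisioning steps in the list above, can be turned into a repeatable review. The following is an added example, not code from StrongDM or NHIMG: it runs a lifecycle check over a constructed identity inventory (the identity names, entitlements, dates and the 90-day dormancy threshold are all assumptions) and returns the revocation action each finding calls for.

```python
# Added example (not from the StrongDM article or NHIMG): lifecycle review of a
# constructed cloud-identity inventory, flagging the failure modes the page names
# (zombie accounts, missing owners, overdue reviews, privilege drift) with actions.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold

@dataclass
class CloudIdentity:
    name: str
    kind: str              # "user", "service_account", "api_key", ...
    owner: str | None
    granted: set           # entitlements attached to the identity
    used_last_90d: set     # entitlements seen in access logs
    last_used: date | None
    review_due: date | None

def review_identity(ident: CloudIdentity, today: date) -> list:
    """Return (finding, action) pairs; an empty list means no action needed."""
    findings = []
    if ident.owner is None:
        findings.append(("no_owner", "assign an owner or disable"))
    if ident.last_used is None or today - ident.last_used > DORMANT_AFTER:
        findings.append(("zombie", "disable; reissue under a new owner if needed"))
    if ident.review_due is not None and ident.review_due < today:
        findings.append(("review_overdue", "recertify or revoke"))
    unused = ident.granted - ident.used_last_90d  # granted but never exercised
    if unused:
        findings.append(("privilege_drift", "revoke unused: " + ", ".join(sorted(unused))))
    return findings

def review_inventory(inventory, today: date) -> dict:
    """Map each identity name to its findings, humans and NHIs alike."""
    return {i.name: review_identity(i, today) for i in inventory}

TODAY = date(2025, 4, 8)  # constructed review date
INVENTORY = [             # constructed sample inventory, not real data
    CloudIdentity("ci-deployer", "service_account", "platform-team",
                  {"s3:PutObject", "ecs:UpdateService", "kms:Decrypt"},
                  {"s3:PutObject", "ecs:UpdateService"},
                  TODAY - timedelta(days=2), TODAY + timedelta(days=60)),
    CloudIdentity("legacy-backup-key", "api_key", None, {"s3:*"}, set(),
                  TODAY - timedelta(days=400), TODAY - timedelta(days=30)),
    CloudIdentity("alice", "user", "alice", {"ec2:DescribeInstances"},
                  {"ec2:DescribeInstances"}, TODAY - timedelta(days=1),
                  TODAY + timedelta(days=200)),
]
```

Calling review_inventory(INVENTORY, TODAY) returns an empty list for the actively used, owned user, a single privilege-drift finding for the service account whose kms:Decrypt grant was never exercised, and four findings (no owner, dormant, review overdue, unused grant) for the ownerless backup key.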

Key takeaways

  • Cloud infrastructure security breaks down first at the identity layer, where overbroad access and unmanaged credentials create the largest exposure.
  • The biggest operational failures are still overprovisioning, zombie accounts, and missing logs, not exotic cloud-native exploits.
  • Teams should respond by tightening least privilege, automating deprovisioning, and treating logging and Zero Trust as identity controls.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Overprovisioning and stale credentials map directly to NHI lifecycle weaknesses.
NIST CSF 2.0 | PR.AC-4 | Least privilege and access restriction are central to the article's control model.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Continuous verification and reduced trust are core to the Zero Trust argument here.

Review cloud identities for excess privilege and automate revocation when access is no longer needed.


Key terms

  • Cloud Infrastructure Security: Cloud infrastructure security is the discipline of protecting cloud-hosted systems, data, and administrative paths from unauthorized access and misuse. It combines IAM, monitoring, logging, configuration control, and recovery planning so cloud resources remain usable without creating excessive trust or persistent privilege.
  • Zombie Account: A zombie account is an identity that remains active after it no longer has a valid business purpose. In cloud environments, these accounts are dangerous because they often retain access, can be forgotten during offboarding, and are attractive targets for attackers looking for trusted entry points.
  • Zero Trust Architecture: Zero Trust Architecture is a security model that assumes no user, device, or workload should be trusted by default. Access must be continuously verified, limited to what is needed, and revoked when the risk signal changes, which makes it especially relevant in cloud and NHI-heavy environments.
  • Least Privilege: Least privilege is the principle of granting only the minimum access required to complete a task. In cloud and NHI governance, it reduces blast radius by ensuring that human users, service accounts, and automation identities cannot move freely across systems if one credential is compromised.

Deepen your knowledge

Cloud infrastructure security, least privilege, and identity lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are hardening cloud estates with human and non-human identities in scope, it is worth exploring.

This post draws on content published by StrongDM: Cloud Infrastructure Security: Meaning, Best Practices & More. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-04-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org