Cloud access management in multi-cloud: where are controls failing?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Cloud security access management is under strain as multi-cloud, manual credential handling, and incomplete lifecycle controls leave organisations exposed, according to Bravura Security’s analysis of 100 security leaders and cited breach data. The core issue is not tooling volume but whether identity governance can keep pace with changing access, rogue accounts, and recovery demands.

NHIMG editorial — based on content published by Bravura Security: cloud security access management risks and control gaps in multi-cloud environments

By the numbers:

Questions worth separating out

Q: How should security teams reduce cloud identity risk when passwords and credentials are still widely shared?

A: Security teams should remove informal credential sharing first, because shared spreadsheets and chat-based secrets create invisible persistence.

Q: Why do rogue cloud accounts increase security risk so quickly?

A: Rogue accounts matter because they preserve access after the organisation has lost the business reason for that access.

Q: When should organisations prioritise JIT access over standing privileges?

A: Organisations should prioritise JIT access whenever elevated access is used for recurring but task-scoped administrative work.

Practitioner guidance

  • Eliminate spreadsheet-based credential handling: Move cloud passwords and application credentials into managed secret workflows, then remove email and messaging as distribution paths for anything that authenticates to production systems.
  • Set revocation SLAs for cloud identities: Define maximum removal windows for rogue accounts, compromised passwords, and leaver access, then measure actual revocation time against those thresholds across environments.
  • Unify JML across human and machine access: Treat joiner, mover, and leaver events as a single governance process that covers employees, contractors, service accounts, and cloud workloads.

What's in the full article

Bravura Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • The survey context behind the cloud access management findings and how the numbers compare with earlier years.
  • The article's breakdown of password management, JML, JIT access, MFA, and audit trail use in cloud environments.
  • The specific SLA and remediation discussion around compromised passwords and rogue accounts.
  • The vendor's suggested approach for evaluating where identity controls should be centralised across cloud systems.

👉 Read Bravura Security's analysis of cloud security access management risks →
