Key Themes from the 2025 Thales Cloud Security Study

The 2025 Thales Cloud Security Study, based on insights from nearly 3,200 respondents across 20 countries, highlights that despite significant investment and cloud security being the top security spending priority, organizations continue to struggle with securing their cloud environments. The increasing complexity of hybrid and multicloud infrastructures, coupled with the rapid adoption of AI initiatives, is intensifying these challenges. A concerning trend is the rise in cloud-based attacks, particularly those leveraging stolen credentials and secrets. While some progress is noted in encryption adoption, human error remains a significant vulnerability. The study emphasizes the critical need for streamlining operations, integrating security tools, and adopting unified security management platforms to enhance overall security effectiveness and resilience in the evolving cloud landscape.
Key Themes and Important Ideas/Facts:
1. Cloud Security as a Persistent Top Priority and Ongoing Challenge:
- Top Spending Priority: Cloud security consistently ranks as the most pressing security discipline and the top security investment priority. "Nearly two-thirds of respondents (64%) identified cloud security as one of the top five most pressing security disciplines, with 17% ranking it as the No. 1 discipline." This indicates a continued struggle despite considerable investment.
- Complexity Outweighs Investment: Despite its status as the top security spending priority, "most organizations require significant advancement in their cloud security posture and operations." This suggests that current investments are not fully addressing the inherent complexities and evolving threats.
2. Increasing Complexity as the "Enemy of Cloud Security":
- Hybrid and Multicloud Environments: The average number of public cloud providers used by enterprises has risen slightly to 2.1, with most organizations managing at least two cloud platforms in addition to on-premises systems.
- SaaS Application Proliferation: "Respondents on average reported 85 SaaS applications in use, a 6% increase from last year." Managing security across numerous SaaS applications, each with varying controls and visibility, adds to the complexity.
- Cloud More Complex than On-Premises: "55% of respondents said securing cloud environments is more complex than securing on-premises infrastructure, marking a 4-percentage-point increase from last year."
- Security Tool Sprawl: A significant contributor to complexity is the proliferation of security tools. "Nearly two-thirds of respondents, or 61%, reported using five or more tools for data discovery, monitoring or classification. Similarly, 57% of respondents use five or more enterprise key managers to manage encryption." This tool sprawl increases the risk of misconfiguration and operational errors.
3. Escalating Cloud-Based Attacks, Especially Credential-Based:
- Cloud as a Primary Target: "Four of the top five reported attack targets are cloud-based." This highlights a shift in attacker focus towards environments where data is highly concentrated.
- Rise of Access-Based Attacks: While "about half of respondents cited an increase in direct attacks to compromise infrastructure (54%), more than two-thirds reported an increase in access-based attacks leveraging stolen credentials and secrets (68%)." This emphasizes the critical vulnerability posed by compromised identities.
- Sensitive Data in the Cloud: "85% of respondents reported that 40% or more of their cloud data is sensitive, up from 61% of respondents last year." This increases the impact of successful breaches.
4. The "Liability that is the Human in the Loop":
- Human Error as a Leading Cause of Breaches: Despite external attackers being the primary concern, "human error remains the leading cause of security breaches." This points to a disconnect between perceived threats and actual vulnerabilities.
- Weak Authentication: While multifactor authentication (MFA) is the most widely deployed mechanism to secure cloud access, "only 65% reported that multifactor authentication (MFA) is in place to defend cloud access." The combination of weak authentication and unencrypted sensitive data is a critical risk.
- Skills Gap Exacerbates Issues: The study notes that "The skills gap and increasing complexity of cloud security operations only make this situation worse."
5. The Impact of AI Initiatives on Cloud Security:
- AI as a Pressure Point: "The rapid push to support AI initiatives, which are often heavily cloud-dependent, further intensifies the urgency, as effective and efficient data protections are required to deliver on the promise of AI."
- Budget Strain: "More than half (52%) of respondents indicated that AI security spending was eating into existing security budgets." This raises concerns about resource allocation and potential underfunding of core cloud security efforts.
- API Security for AI: Mature AI services typically rely on APIs, making their security "critical to AI initiatives."
6. Digital Sovereignty and Data Protection Strategies:
- Drivers for Digital Sovereignty: The top reported driver for data sovereignty efforts is to "ensure data and workload portability (33%)," significantly ahead of meeting local or global regulatory mandates.
- Encryption as a Solution: "Encryption-based data protections (42%) are broadly considered an effective means to mitigate data location concerns."
- Progress in Encryption Adoption, but Gaps Remain: While "organizations on average reported that they are encrypting an increasing proportion of their sensitive cloud data," the figure "remains far short of where it should be."
- Key Management Challenges: The study highlights that 48% of organizations still manage encryption keys through cloud provider consoles, which "continues to add complexity, especially in multicloud environments." "Bringing your own key (BYOK)" strategies are gaining traction (28%).
7. Application and DevOps Security in the Cloud:
- Secrets Management as Top Challenge: "Secrets management was cited as the top application development security challenge." This is a critical concern given that "misappropriated secrets top the list of cloud management infrastructure attack vectors."
- API Attacks and Code Vulnerabilities: Concerns about "API attacks (38%) took a back seat to code vulnerabilities (59%) and software supply chain issues (48%)." However, the study notes that APIs are themselves subject to code vulnerabilities and can be a vector for supply chain compromises.
8. Path Towards a More Secure Cloud:
- Simplify and Integrate: "Organizations must also simplify cloud security management by integrating tools and leveraging common platforms."
- Unified Security Management: A "unified security management system that spans both on-premises and cloud environments reduces the burden on security teams while easing adaptation to changes in workloads or cloud providers, enabling innovation and optimization."
- Reduce Human Error: Improving security team productivity and efficiency is key to reducing human error, which is the leading cause of cloud data breaches.
- Prioritize Unencrypted Sensitive Data: The "significant portion of unencrypted sensitive data in the cloud represents a manageable risk that organizations should address with urgency."
In conclusion, the "2025 Thales Cloud Security Study" indicates that while organizations are investing heavily in cloud security, there is an urgent need to simplify cloud security management by integrating tools and leveraging common platforms. A unified security management system can alleviate the burden on security teams, reduce human error, and enable adaptability to evolving cloud environments and providers. By prioritizing effective data protection, streamlining operations, and addressing the human element, organizations can build a strong foundation for innovation and confidently embrace emerging technologies like AI.