Cloud computing has become core to how organisations operate, with enterprises and telecom operators relying on it to manage applications, data and support technologies, such as 5G, artificial intelligence (AI) and edge computing. This growing dependence on the cloud is making security management harder. Unlike traditional IT systems that operated within defined boundaries, cloud environments are distributed and constantly evolving. Workloads move across platforms, configurations change frequently, and multiple users and systems interact at different levels. As a result, maintaining visibility and control becomes more challenging.

One of the most common issues in cloud set-ups is misconfiguration. This includes leaving storage open to public access, using incorrect network settings, or very broad access permissions. These are often small mistakes, but they can expose large amounts of data if not fixed in time. Identity and access management is another weak area. In many cases, users are given more access than required. Over time, this builds up and creates multiple entry points for attackers. If one account is compromised, it can lead to wider access across systems.

Application programming interfaces (APIs) are also becoming a key risk point. Since cloud services rely heavily on APIs to connect different applications and services, any weakness here can be exploited. Poorly secured APIs can allow unauthorised access or data leaks without being noticed immediately. Another issue is the lack of clarity around responsibility. While cloud providers secure the underlying infrastructure, organisations are responsible for securing their own data and applications. This gap in understanding often leads to areas being left unprotected.

The move towards multicloud and hybrid environments has also made security management more complex. The diversity of security settings and tools across different platforms makes it harder to maintain a consistent approach. For telecom operators, the implications are more significant. As networks become more software-driven and cloud-native, security is directly linked to network reliability and service delivery. Any lapse can have a wider operational and user-level impact.

In response to these risks, organisations are adopting a range of security strategies to strengthen their cloud environments.

Security strategies

In-house security

As organisations spend more time on the cloud, many are realising that relying only on cloud providers for security is not enough. The shared responsibility model clearly defines roles, but in practice, companies are starting to take more direct control over their own security. One reason for this shift is visibility. When workloads are spread across different cloud platforms, it becomes difficult to get a clear view using only the tools provided by vendors. By building in-house security capabilities, organisations are able to monitor their systems more closely and respond faster to any issues.

There is also a need for customisation. Cloud providers offer standard security features, but these may not always match the specific requirements of every organisation. In-house teams can adapt policies, controls and monitoring systems based on their own network structure and risk levels.

Cloud security testing

Security testing was earlier done at fixed stages, such as before deployment or during audits, which does not work well in dynamic cloud environments where systems are updated frequently and configurations change often. Basic practices such as  vulnerability assessments and penetration testing remain important, as they help identify weaknesses and simulate real-world attacks. Configuration audits are also critical, especially because many cloud risks arise from simple set-up errors.

However, testing is now becoming more continuous. Instead of periodic checks, organisations are monitoring systems regularly to detect issues as they arise. Automation is playing a key role, with security checks being built into workflows so that vulnerabilities can be identified early, sometimes even before systems go live. This helps reduce the chances of risks reaching production.

Quantum-safe cloud

While most cloud security efforts currently address immediate threats, focus is shifting towards emerging risks. A key concern is the impact of quantum computing on existing encryption methods. However, with the development of quantum computers, there is a possibility that these encryption methods could be broken much faster than expected. This creates a long-term risk, especially for sensitive data.

Another issue is the “store now, decrypt later” approach. Attackers may collect encrypted data today and attempt to decode it in the future when more advanced computing becomes available. This makes it important to start thinking about developing stronger, future-ready security measures even before the threat fully materialises. In response, there is an increasing focus on quantum-safe or post-quantum cryptography. These are encryption methods designed to remain secure even in a quantum computing environment. Some cloud providers and governments have already started early testing and gradual adoption of such techniques. Even though quantum risks are still evolving, early awareness and gradual preparation can help avoid larger security challenges later.

Zero-trust architecture

In cloud environments where users, devices and applications connect from multiple locations, traditional perimeter-based security is no longer effective. This is where zero-trust architecture (ZTA) is gaining importance. The basic idea is to not trust the user or system by default, even if it is inside the network. Every access request is verified based on identity, device, location and other factors before it is allowed. In practice, this means stricter access controls. Users are given only the level of access they need, and that access is monitored continuously, not just at the time of login. If something changes, such as the device being used or the behaviour of the user, access can be limited or blocked.

ZTA is particularly useful in multicloud and hybrid environments where systems are spread across different platforms. It also supports remote work set-ups and distributed teams, which are now common, as well as helps secure access across network layers, including edge locations and core systems.

CNAPP and shift-left security

With the growing use of cloud, the way applications are built and deployed is also changing. Many organisations are now using cloud-native approaches, where applications are developed, updated and scaled in smaller, faster cycles. This also makes security management more demanding. This is where cloud-native application protection platforms (CNAPPs) are coming into focus. Instead of using separate tools for different parts of the cloud environment, CNAPPs bring multiple security functions together. It helps monitor configurations, protect workloads, and manage access from a single view. This makes it easier to track risks across complex cloud set-ups.

Another important shift is towards shift-left security. This simply means addressing security earlier in the development process rather than waiting until the final stages. Developers start checking for security issues while writing and testing code, which reduces the chances of problems appearing later in production. Automation supports this approach. Security checks can be built into development pipelines so that common issues are flagged automatically. This saves time and helps teams fix problems quickly without slowing down releases.

However, managing cloud security is not straightforward. Many organisations continue to face practical challenges while trying to secure their environments.

Key challenges

One of the biggest challenges in cloud security is misconfiguration. Cloud environments rely heavily on settings, and even small errors, such as open storage buckets, incorrect network rules or overly broad access permissions, can expose sensitive data. As these configurations change frequently with updates and deployments, keeping them secure at all times becomes difficult without continuous monitoring. Identity and access management is another concern. In cloud set-ups, access is spread across users, applications, services and even automated processes. Managing access across users, applications and services is complex. Over time, unused accounts and excessive permissions can build up, creating potential entry points for attackers.

Further, securing APIs is a growing challenge. Cloud environments depend on APIs to connect services and enable communication between systems. If these APIs are not properly secured, they can be exploited for unauthorised access or data extraction. Since APIs operate in the background, such risks are not always immediately visible. Lack of visibility across multicloud environments adds to the issues. Different cloud providers offer different security tools and interfaces, which makes it harder to maintain a consistent approach. As a result, tracking activity across platforms and identifying threats in real time becomes more difficult, especially at scale.

Another issue is the movement of applications and data across environments. As workloads shift between public, private and hybrid clouds, applying consistent security policies becomes challenging. Controls that are effective in one environment may not automatically work in another setting, leading to gaps.

Future outlook

Despite these gaps and issues, cloud security is continuing to evolve, with organisations shifting towards more proactive and integrated approaches. Instead of only reacting to threats after they occur, the focus is now on identifying and addressing risks earlier.

One emerging trend is the use of AI to detect unusual behaviour and respond faster to potential threats. These systems can analyse large volumes of data and flag issues that may not be easily visible to human teams, helping reduce response times and limit the impact of attacks. There is also a growing effort to bring security and network functions closer together. As cloud and network environments become more integrated, especially in telecom, security is increasingly being built alongside connectivity rather than treated as a separate layer.

Another focus area is building resilience, that is, preventing attacks while ensuring that services can continue even if a breach occurs. In this regard, backup systems, faster recovery processes and continuous monitoring are becoming standard parts of cloud planning.

Going forward, cloud security is expected to become more embedded into the overall architecture, with greater reliance on automation and real-time monitoring. For telecom operators, this will be particularly important as networks become more distributed and software-driven. In such environments, the ability to maintain consistent security across platforms will be critical to ensuring reliable service delivery and supporting future growth.