Moving to the cloud doesn't automatically make you more secure — or less. It changes the specific controls you need to run, and it raises the cost of missing any of them. Here are the controls that separate firms that sleep well from firms that get uncomfortable calls at two in the morning.
Continuous configuration monitoring
Misconfiguration is the number-one cause of cloud incidents by a wide margin. A single public storage bucket, over-permissive role or exposed management endpoint can undo every other control in your program. Tools that continuously scan for drift, alert on new exposures and auto-remediate the well-understood ones are non-negotiable in 2026.
Least-privilege at machine speed
Roles that were 'temporary' three years ago are the source of most breaches we see. Just-in-time access, PIM, and quarterly access reviews take this problem off the table — and produce the evidence insurers and clients now expect to see.
Logging you can actually query
If your logs live in five different consoles and nobody can join them, you don't have logs — you have an archive. Consolidated, queryable telemetry is what turns detection into response, and it is often the difference between a two-hour incident and a two-day incident.
Backups that are actually recoverable
Backup jobs that succeed and restores that fail are the most common horror story we see in cloud environments. Test restores quarterly at minimum, keep immutable copies, and document the recovery time you actually observed — not the recovery time your vendor promised.
Identity-aware access to management planes
Cloud management-plane access is the softest target attackers now pursue. Conditional access, PIM, session recording and just-in-time elevation should be enforced on every subscription and project. Long-lived admin credentials should not exist.
Cost anomaly detection as a security signal
Sudden cost spikes in a cloud environment are frequently the first observable signal of a compromise — cryptomining, data exfiltration, or lateral movement. Firms that treat unexpected cost anomalies as a security signal, not just a finance one, catch incidents materially earlier.
Want us to score your current cloud controls against this list? Reach out, or subscribe below for our next practical security brief.



