Cloud security best practices for IT teams

The shared responsibility model shapes cloud security best practices by changing what your organization owns. Across IaaS, PaaS, and SaaS environments, security teams must govern identity and access, classify data, monitor user behavior, harden configurations, and manage provider relationships. The cloud provider secures the infrastructure, but you secure everything inside it.

Cloud environments have become a primary target for credential-based attacks. According to The Netwrix 2025 Cybersecurity Trends Report, 46% of organizations experienced a cloud account compromise in the past year. That figure is nearly three times higher than in 2020. This shows that moving to the cloud does not reduce risk. It shifts where that risk exists.

As risk moves into cloud environments, the way it must be managed also changes. Traditional on-premises security approaches do not carry over directly. Physical controls, network perimeters, and hardware-level visibility are no longer the main lines of defense.

In their place, organizations need strong identity governance, consistent configuration management, behavioral monitoring, and clear contractual assurances. Each of these must be intentionally built into every cloud deployment.

Organizations running hybrid environments face an added layer of complexity. Identity governance must extend across both on-premises systems like Active Directory and cloud identity providers. A gap in either environment can expose both.

The 19 cloud security best practices outlined below focus on these areas. They clarify what your organization is responsible for, what the provider handles, and how to close the gaps between both sides.

What is cloud security?

Cloud security is the set of controls, policies, and technologies that protect cloud-based systems, data, and infrastructure from unauthorized access, misconfiguration, and compromise. It covers identity and access governance, data protection, network controls, configuration management, and incident response across IaaS, PaaS, and SaaS environments.

Unlike on-premises security, cloud security operates under a shared responsibility model: the provider secures the underlying infrastructure, and your organization secures everything built on top of it. Where that boundary sits depends on the service model, and misunderstanding it is one of the most common sources of cloud exposure.

Why is cloud security important?

A strong cloud security program protects the organization's ability to operate, meet compliance obligations, and maintain the trust that cloud-dependent operations require.

The attack surface expands with every cloud adoption decision

Each new cloud service, identity, API endpoint, and data store extends the attack surface. Cloud environments accumulate risk faster than on-premises environments because provisioning is fast, self-service is common, and visibility is harder to maintain. The exposure compounds when teams lack the tooling to detect what has changed and who made the change.

Misconfiguration is the leading cause of cloud data exposure

Unlike on-premises environments where physical security provides a baseline, cloud resources are exposed by default to anyone with valid credentials and the right API call. A single misconfigured storage bucket or overly permissive IAM role can expose sensitive records that physical access would have protected on-premises.

Compliance obligations don't transfer to the provider

Selecting a cloud provider doesn't transfer your regulatory obligations. GDPR, HIPAA, PCI DSS, and sector-specific frameworks still apply to your data regardless of where it lives. Demonstrating compliance requires documented controls, audit trails, and evidence of ongoing monitoring, not just a signed service agreement.

Credential-based attacks dominate cloud incident patterns

When attackers target cloud environments, they don't need to exploit a vulnerability. They need a valid identity. There is no perimeter to breach when attackers already hold valid credentials. They authenticate as legitimate users and operate within the normal boundaries of the environment. Identity governance and behavioral monitoring are the primary controls that catch these intrusions before damage is done.

Hybrid environments create compounding governance gaps

Organizations running both on-premises Active Directory and Microsoft Entra ID must maintain consistent identity governance across two identity planes. A compromise that starts in on-premises Active Directory can propagate into Entra ID through synchronization and reach cloud resources via synchronized groups, a risk pattern known as a hybrid pivot.


19 cloud security best practices

The practices below move from foundational infrastructure controls through identity governance, data protection, behavioral monitoring, and provider management. Where applicability differs across IaaS, PaaS, and SaaS service models, we note the distinction.

1. Assess risk before cloud adoption

Before adopting a cloud service, evaluate the risks associated with moving specific information systems to that environment. A thorough risk assessment should identify which security components your organization is responsible for, which controls you must implement internally, and which fall under the provider's jurisdiction. This assessment should precede migration decisions, not follow them.

2. Audit and automate configuration checks

The CSA Top Threats survey names misconfiguration among the top cloud security risks, and it consistently appears as a root cause in breach investigations.

Establish a configuration baseline aligned with your organization's policies or a recognized benchmark such as the CIS Benchmarks for AWS or Azure.

Automate configuration checks with a monitoring solution that detects drift from that baseline. Investigate and resolve suspicious changes promptly rather than waiting for periodic reviews.
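The drift check described above, as an added example (not Netwrix's or any provider's code): a declared baseline is compared against resource snapshots, and a setting that is absent from a snapshot is reported as drift rather than silently passing. The baseline keys, resource types and the inventory are constructed for illustration; in practice the snapshots would come from the provider's configuration API.

```python
"""Detect drift of cloud resource configuration from a declared baseline.

Added example, not Netwrix's or any cloud provider's code. The baseline
settings (simplified versions of common CIS Benchmark checks) and the
resource snapshots below are constructed; a real implementation would pull
snapshots from the provider API (AWS Config, Azure Resource Graph, etc.).
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed baseline: resource type -> required setting -> expected value.
BASELINE = {
    "storage_bucket": {
        "block_public_access": True,
        "encryption_at_rest": True,
        "versioning": True,
    },
    "security_group": {
        "ssh_open_to_world": False,
    },
}


@dataclass(frozen=True)
class Finding:
    resource_id: str
    setting: str
    expected: object
    actual: object  # None means the setting was absent from the snapshot


def check_snapshot(snapshot: dict) -> list[Finding]:
    """Compare one resource snapshot against the baseline for its type.

    A missing setting is reported as drift (actual=None): absence of a
    control is not the same as the control being in place.
    """
    required = BASELINE.get(snapshot["type"], {})
    findings = []
    for setting, expected in required.items():
        actual = snapshot.get("settings", {}).get(setting)
        if actual != expected:
            findings.append(Finding(snapshot["id"], setting, expected, actual))
    return findings


def check_inventory(snapshots: list[dict]) -> dict[str, list[Finding]]:
    """Run the check over an inventory; return findings keyed by resource id."""
    drift: dict[str, list[Finding]] = {}
    for snapshot in snapshots:
        findings = check_snapshot(snapshot)
        if findings:
            drift[snapshot["id"]] = findings
    return drift


# Constructed inventory: two storage buckets and one security group.
SAMPLE_INVENTORY = [
    {"id": "bucket-prod-logs", "type": "storage_bucket",
     "settings": {"block_public_access": True, "encryption_at_rest": True,
                  "versioning": True}},
    {"id": "bucket-marketing-assets", "type": "storage_bucket",
     "settings": {"block_public_access": False, "encryption_at_rest": True}},
    {"id": "sg-bastion", "type": "security_group",
     "settings": {"ssh_open_to_world": True}},
]

if __name__ == "__main__":
    for rid, findings in check_inventory(SAMPLE_INVENTORY).items():
        for f in findings:
            print(f"DRIFT {rid}: {f.setting} expected={f.expected} actual={f.actual}")
```

Run on a schedule (or on every change event) and diff the findings against the previous run, so the alert is about what changed since the last pass rather than a standing list of known exceptions.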

3. Protect IaaS platforms from external pressure

Implement malware protection across IaaS platforms. Maintain resilience against distributed denial-of-service (DDoS) activity targeting public cloud interfaces with appropriate cloud-native protections and traffic mitigation controls.

In PaaS and SaaS models, infrastructure-level responsibility shifts to the provider, though your organization retains responsibility for application-level protections in PaaS environments.

4. Deploy intrusion detection at the right layer

For IaaS: deploy intrusion detection systems at the user, network, and database levels. For PaaS and SaaS: this responsibility shifts to the provider. Know which layer your organization owns before deploying tooling. Misallocating detection resources to layers the provider already covers wastes budget; failing to cover layers that are your responsibility leaves control gaps.

5. Monitor for traffic anomalies

Traffic spikes can indicate DDoS activity, data exfiltration attempts, or lateral movement. Establish baselines for normal traffic patterns and configure alerts for significant deviations.

Credential-based intrusions blend into legitimate traffic and bypass signature-based detection. Behavioral baselines are the primary mechanism for catching them. Netwrix Auditor surfaces these patterns across cloud and on-premises environments.

6. Implement least privilege access

Assign only the permissions each user needs to perform their role: this is the principle of least privilege applied to cloud IAM. In cloud environments, over-provisioned access is a consistently exploited entry point. Attackers misuse valid, over-scoped credentials rather than exploiting technical vulnerabilities.

Apply least privilege at the user, group, and service account level. For hybrid environments, use Entra ID Entitlement Management for sensitive cloud resource access rather than synchronized hybrid groups, which can carry on-premises compromises directly into cloud environments.

7. Conduct regular entitlement reviews and revoke unnecessary rights

Cloud environments accumulate stale permissions faster than on-premises environments because provisioning is faster and self-service access is common. Periodically review and adjust permissions.

Remove any that are no longer tied to an active role or business need. Explicitly exclude all highly privileged accounts (Domain Admins and Enterprise Admins) from Entra ID synchronization scope.

The default configuration synchronizes these accounts unless you configure explicit OU-based or attribute-based filtering.
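A review script covering practices 6 and 7 together, as an added example (not Netwrix's or a cloud provider's code): each role assignment is flagged if it carries a wildcard action, has not been used within the review window, or is sourced from one of the highly privileged on-premises groups named above. The assignment records, the last-used timestamps and the 90-day window are constructed assumptions; a real review would be fed from the provider's last-accessed data.

```python
"""Entitlement review: flag over-scoped, stale and privileged-sourced assignments.

Added example, not Netwrix's or any cloud provider's code. The assignment
records, their last-used timestamps and the 90-day threshold below are
constructed assumptions for illustration.
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # assumed review threshold
# On-premises groups that should be excluded from cloud sync scope (from the text)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}


def is_over_scoped(actions: list[str]) -> bool:
    """Wildcard actions ("*", "s3:*") grant more than any single role needs."""
    return any(a == "*" or a.endswith(":*") for a in actions)


def review_assignments(assignments: list[dict], now: datetime) -> dict[str, list[str]]:
    """Return {principal: [reasons]} for every assignment needing attention."""
    issues: dict[str, list[str]] = {}
    for a in assignments:
        reasons = []
        if is_over_scoped(a["actions"]):
            reasons.append("over-scoped: wildcard action")
        last_used = a.get("last_used")
        if last_used is None:
            reasons.append("never used")
        elif now - last_used > STALE_AFTER:
            reasons.append(f"stale: unused for {(now - last_used).days} days")
        if a.get("source_group") in PRIVILEGED_GROUPS:
            reasons.append(f"privileged on-prem group in cloud scope: {a['source_group']}")
        if reasons:
            issues.setdefault(a["principal"], []).extend(reasons)
    return issues


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed "today"
# Constructed assignments; principal names and actions are illustrative.
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice", "actions": ["s3:GetObject"],
     "last_used": NOW - timedelta(days=3)},
    {"principal": "svc-backup", "actions": ["s3:*"],
     "last_used": NOW - timedelta(days=1)},
    {"principal": "bob", "actions": ["ec2:DescribeInstances"],
     "last_used": NOW - timedelta(days=200)},
    {"principal": "carol", "actions": ["iam:ListUsers"], "last_used": None},
    {"principal": "dave", "actions": ["*"],
     "last_used": NOW - timedelta(days=10), "source_group": "Domain Admins"},
]

if __name__ == "__main__":
    for principal, reasons in review_assignments(SAMPLE_ASSIGNMENTS, NOW).items():
        print(principal, "->", "; ".join(reasons))
```

The "never used" and "stale" findings are the ones to revoke first; the "privileged on-prem group" finding points at a sync-scope filter that is missing rather than at the individual assignment.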

8. Make MFA mandatory across all cloud access

Enforce MFA for all users accessing cloud environments. The Unit 42 IR report identified the lack of MFA as the most prevalent contributing IAM factor in cloud cases in 2024. Absent MFA, compromised credentials give attackers immediate, persistent access with no additional barrier between initial compromise and full account takeover. Document any exceptions for service accounts where MFA is technically infeasible, and review those exceptions quarterly.

9. Monitor login activity for compromise indicators

Set alerts for login attempts from multiple endpoints, high volumes of failed logins in a short period, and logins from unusual locations. These patterns are early indicators of compromised credentials, not operational errors.

For hybrid environments, be aware that some credential validation flows, including the Resource Owner Password Credentials (ROPC) authentication flow, can validate credentials without generating a successful sign-in log event.

Organizations relying solely on sign-in logs for credential compromise detection have a documented blind spot.
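The three alert conditions from this practice, run over sample sign-in events, as an added example (not Netwrix's code): a burst of failures for one account, one account arriving from several source IPs within an hour, and a successful sign-in from a country not previously seen for that user. The log format, the events and the thresholds are constructed assumptions to be tuned per environment. Because it reads only sign-in records, this check inherits the blind spot described above: a credential validation that never produces a sign-in event is invisible to it.

```python
"""Flag sign-in patterns that suggest credential compromise.

Added example, not Netwrix's code. The log format and events are constructed;
the thresholds (5 failures in 10 minutes, 3 distinct source IPs in an hour)
are assumed starting points, not recommended values.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)
IP_THRESHOLD, IP_WINDOW = 3, timedelta(hours=1)


def parse(line: str) -> dict:
    """Parse the constructed format: '<ISO time> <user> <ip> <country> <result>'."""
    ts, user, ip, country, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "country": country, "ok": result == "SUCCESS"}


def detect(lines: list[str], known_countries: dict[str, set[str]]) -> list[str]:
    """Return alert strings, in event order, for the three conditions."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e["ts"])
    alerts: list[str] = []
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        hist = by_user[e["user"]]
        hist.append(e)
        # Rule 1: burst of failed logins in a short window (alert once at threshold)
        fails = [h for h in hist if not h["ok"] and e["ts"] - h["ts"] <= FAIL_WINDOW]
        if len(fails) == FAIL_THRESHOLD:
            alerts.append(f"{e['user']}: {FAIL_THRESHOLD} failed logins within {FAIL_WINDOW}")
        # Rule 2: the same account from several endpoints in an hour
        ips = {h["ip"] for h in hist if e["ts"] - h["ts"] <= IP_WINDOW}
        if len(ips) == IP_THRESHOLD:
            alerts.append(f"{e['user']}: {IP_THRESHOLD} distinct source IPs within {IP_WINDOW}")
        # Rule 3: success from a country never seen for this user
        if e["ok"] and e["country"] not in known_countries.get(e["user"], set()):
            alerts.append(f"{e['user']}: successful sign-in from unseen country "
                          f"{e['country']} ({e['ip']})")
    return alerts


# Constructed sign-in log (documentation IP ranges, fictional users).
SAMPLE_LOG = [
    "2025-06-01T09:00:00 alice 203.0.113.10 US SUCCESS",
    "2025-06-01T09:01:00 bob 198.51.100.5 US FAILURE",
    "2025-06-01T09:01:20 bob 198.51.100.5 US FAILURE",
    "2025-06-01T09:01:40 bob 198.51.100.5 US FAILURE",
    "2025-06-01T09:02:00 bob 198.51.100.5 US FAILURE",
    "2025-06-01T09:02:20 bob 198.51.100.5 US FAILURE",
    "2025-06-01T09:30:00 alice 203.0.113.11 US SUCCESS",
    "2025-06-01T09:45:00 alice 192.0.2.77 RO SUCCESS",
]
# Constructed per-user history of countries seen before today.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, KNOWN_COUNTRIES):
        print("ALERT", alert)
```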

10. Classify your data before moving it to the cloud

Data discovery and classification is the foundation of cloud data security. Categorize data by sensitivity and use the results to establish appropriate access controls, retention policies, and protection measures. Lack of visibility into sensitive data ranks among the leading cloud security challenges.

You can't govern what you haven't found. Automate classification to maintain consistency as data volumes grow. Certain data may require on-premises storage to meet security or compliance requirements. Know which data falls into that category before migrating.


11. Implement data access management and restrict sharing

Conduct frequent access privilege audits on your most sensitive data. This is the operational layer that data loss prevention controls depend on to be effective. Enforce rules against accidental public exposure and unauthorized external sharing.

According to the 2025 Verizon Data Breach Investigations Report, third-party involvement in breaches roughly doubled year over year, rising from about 15% to 30% of analyzed incidents, which underscores the risk of uncontrolled external sharing.

To reduce that exposure, prohibit downloads of sensitive data to unmanaged or unsecured devices and require device verification before granting access to cloud-based resources.

12. Monitor file downloads across cloud environments

Monitor for unusual download activity. Track users who download, modify, or share cloud-based data using automated monitoring across your IT environment. Unusual volume or timing patterns are early indicators of either insider risk or compromised accounts.

The Unit 42 report found that 29% of all incident investigations in 2024 involved cloud or SaaS environments, with 21% involving threat actors actively and adversely impacting cloud environments.

13. Encrypt data in transit and at rest

Encrypt all data before uploading it to the cloud. Maintain strict control over encryption keys using comprehensive key management practices.

The NSA-CISA advisory on cloud key management (March 2024) states that the security of cryptographic operations, including secure communication, access control, authentication, and data encryption at rest, relies entirely on proper key management.

For teams requiring maximum key independence, three approaches are worth evaluating based on security and operational requirements:

  • BYOK (Bring Your Own Key): Customer generates and imports key material to the provider's key management service (KMS). The key resides in the provider's KMS after import.
  • DKE (Double Key Encryption): Encryption requires two keys, one held by the customer and one by the provider. Neither party alone can decrypt.
  • HYOK (Hold Your Own Key): The key never leaves customer-controlled infrastructure. The provider never has access to plaintext key material.

When deleting data, use cryptographic erasure following NIST SP 800-88 recommendations, which classify cryptographic erasure within the Purge sanitization category. NIST SP 800-88 explicitly requires documented verification of erasure.

Deletion alone does not meet the Purge sanitization standard. Ensure deletions are auditable through provider logging mechanisms such as AWS CloudTrail, Azure Activity Log, or GCP Audit Logs.
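Envelope encryption with a customer-held key-encryption key (KEK), followed by cryptographic erasure and the verification record the text says NIST SP 800-88 requires, as an added example (not Netwrix's or any provider's code). The key store models the customer/provider key boundary that BYOK and HYOK draw in different places; it does not reproduce any provider's KMS or the DKE protocol. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, built from the standard library so the example runs offline, standing in for the AES mode a real KMS would use. Key store, object names and timestamps are constructed.

```python
"""Envelope encryption, cryptographic erasure and a verification record.

Added example, not Netwrix's or any cloud provider's code. The cipher below
(HMAC-SHA256 keystream, encrypt-then-MAC) is a stdlib stand-in for the AES
mode a real KMS would use; the key store models the customer-held KEK
boundary and is not any provider's API.
"""
from __future__ import annotations
import hashlib
import hmac
import os
from datetime import datetime, timezone


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag binds nonce and ciphertext to key."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyStore:
    """Customer-controlled KEK store (constructed model of the BYOK/HYOK boundary)."""

    def __init__(self) -> None:
        self.keks: dict[str, bytes] = {}

    def create_kek(self, kek_id: str) -> None:
        self.keks[kek_id] = os.urandom(32)

    def wrap(self, kek_id: str, dek: bytes) -> bytes:
        return encrypt(self.keks[kek_id], dek)

    def unwrap(self, kek_id: str, wrapped: bytes) -> bytes:
        if kek_id not in self.keks:
            raise KeyError(f"KEK {kek_id} has been destroyed")
        return decrypt(self.keks[kek_id], wrapped)

    def destroy_kek(self, kek_id: str) -> None:
        del self.keks[kek_id]


def store_object(ks: KeyStore, kek_id: str, plaintext: bytes) -> dict:
    """Envelope encryption: a fresh DEK per object, the DEK wrapped under the KEK."""
    dek = os.urandom(32)
    return {"kek_id": kek_id, "wrapped_dek": ks.wrap(kek_id, dek),
            "blob": encrypt(dek, plaintext)}


def read_object(ks: KeyStore, obj: dict) -> bytes:
    return decrypt(ks.unwrap(obj["kek_id"], obj["wrapped_dek"]), obj["blob"])


def crypto_erase(ks: KeyStore, kek_id: str, objects: dict[str, dict],
                 now: datetime | None = None) -> list[dict]:
    """Destroy the KEK, then attempt recovery of every dependent object.

    Returns one verification entry per object so the erasure is documented,
    not merely performed: a delete with no recovery attempt proves nothing.
    """
    ks.destroy_kek(kek_id)
    ts = (now or datetime.now(timezone.utc)).isoformat()
    record = []
    for name, obj in objects.items():
        if obj["kek_id"] != kek_id:
            continue
        try:
            read_object(ks, obj)
            recoverable = True
        except KeyError:
            recoverable = False
        record.append({"object": name, "kek_id": kek_id,
                       "verified_at": ts, "recoverable": recoverable})
    return record
```

Keep the returned record with the same retention as the provider's audit log entry for the key deletion, so the two can be correlated when an auditor asks for evidence.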

14. Develop and test a data recovery strategy

Regular backups with verified recovery procedures protect against both accidental and intentional data loss. Test recovery, not just backup: restore to a test environment periodically to confirm procedures work. Retest after any significant infrastructure change.

15. Use user behavioral analytics to detect anomalous activity

User behavioral analytics (UBA) establishes behavioral baselines for individual users and groups, then surfaces deviations that indicate potential threats.

Unusual access patterns, abnormal data downloads, and unexpected privilege escalation are behaviors that signature-based tools miss but behavioral baselining catches.

UBA works by comparing current activity against each user's historical baseline. Significant deviations, including first-time bulk access, unusually large data retrievals, or activity from new locations, are flagged as potential indicators of exfiltration, policy violations, or compromised credentials. In cloud environments where perimeter controls are absent, it's one of the few mechanisms that catches compromised accounts and insider threats before damage is done.

Monitor continuously, document baselines, and flag users whose behavior deviates from their individual or group norm.
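A per-user download baseline that serves both practice 12 (unusual download volume and timing) and this one (deviation from an individual's historical norm), as an added example that is not Netwrix's code. It builds each user's mean and spread of daily downloads, plus the locations and shares they have used before, and then scores a new day against that user's own history rather than a global threshold. The download events, the 14-day history and the thresholds (3 standard deviations, or 5x the mean when the history is flat) are constructed assumptions.

```python
"""Per-user behavioral baseline for cloud file downloads.

Added example, not Netwrix's code. The events, the two fictional users, the
14-day history and the thresholds below are constructed assumptions.
"""
from __future__ import annotations
from collections import defaultdict
from statistics import mean, pstdev

Z_THRESHOLD = 3.0      # assumed: flag a day more than 3 sd above the user's mean
FLAT_MULTIPLIER = 5    # assumed: with no spread in history, flag > 5x the mean


def summarize(events: list[dict]) -> dict[tuple[str, str], dict]:
    """Group raw download events into per-(user, day) summaries."""
    days = defaultdict(lambda: {"downloads": 0, "locations": set(), "shares": set()})
    for e in events:
        d = days[(e["user"], e["day"])]
        d["downloads"] += 1
        d["locations"].add(e["location"])
        d["shares"].add(e["share"])
    return days


def build_baselines(history: list[dict]) -> dict[str, dict]:
    """Per user: mean/stdev of daily download counts and the locations/shares seen."""
    per_user = defaultdict(lambda: {"counts": [], "locations": set(), "shares": set()})
    for (user, _day), d in summarize(history).items():
        b = per_user[user]
        b["counts"].append(d["downloads"])
        b["locations"] |= d["locations"]
        b["shares"] |= d["shares"]
    return {u: {"mean": mean(b["counts"]), "stdev": pstdev(b["counts"]),
                "locations": b["locations"], "shares": b["shares"]}
            for u, b in per_user.items()}


def score_day(baseline: dict, day: dict) -> list[str]:
    """Reasons this day deviates from the user's own baseline (empty if none)."""
    reasons = []
    m, sd, n = baseline["mean"], baseline["stdev"], day["downloads"]
    if sd > 0:
        z = (n - m) / sd
        if z > Z_THRESHOLD:
            reasons.append(f"download volume {n} is {z:.1f} sd above baseline mean {m:.1f}")
    elif n > FLAT_MULTIPLIER * m:
        reasons.append(f"download volume {n} exceeds {FLAT_MULTIPLIER}x flat baseline {m:.1f}")
    for loc in sorted(day["locations"] - baseline["locations"]):
        reasons.append(f"first activity from location {loc}")
    for share in sorted(day["shares"] - baseline["shares"]):
        reasons.append(f"first-time access to share {share}")
    return reasons


def detect(history: list[dict], todays_events: list[dict]) -> dict[str, list[str]]:
    baselines = build_baselines(history)
    alerts: dict[str, list[str]] = {}
    for (user, _day), d in summarize(todays_events).items():
        b = baselines.get(user)
        reasons = ["no baseline yet: new user, review manually"] if b is None else score_day(b, d)
        if reasons:
            alerts[user] = reasons
    return alerts


def _constructed_history() -> list[dict]:
    """14 days: alice downloads 3-5 files a day, bob a steady 2, both from the office."""
    events = []
    for day in range(1, 15):
        for _ in range(3 + day % 3):
            events.append({"user": "alice", "day": f"2025-05-{day:02d}",
                           "share": "finance", "location": "US-office"})
        for _ in range(2):
            events.append({"user": "bob", "day": f"2025-05-{day:02d}",
                           "share": "eng", "location": "US-office"})
    return events


HISTORY = _constructed_history()
# Constructed "today": alice pulls 40 files; bob's usual 2, but from a new place and share.
TODAY = ([{"user": "alice", "day": "2025-06-01", "share": "finance", "location": "US-office"}] * 40
         + [{"user": "bob", "day": "2025-06-01", "share": "hr", "location": "RO-unknown"}] * 2)

if __name__ == "__main__":
    for user, reasons in detect(HISTORY, TODAY).items():
        print(user, "->", "; ".join(reasons))
```

Note that bob's volume is normal; he is flagged only because the location and share are new to him, which is the distinction between a per-user baseline and a fixed download cap.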


16. Monitor for unauthorized external file sharing

Unauthorized or external file sharing is a common path for data loss in cloud environments. Threat actors routinely begin cloud attacks with stolen credentials, escalate privileges, and pivot into cloud environments to exfiltrate business-critical data before detection.

Automated monitoring should track who is sharing what, with whom, and whether that sharing is authorized by policy. Correlate sharing activity with behavioral baselines established through UBA to distinguish legitimate collaboration from potential exfiltration.

17. Define shared security responsibilities in provider contracts

The contract is your primary assurance for service quality and incident remediation. Before signing, establish clarity on:

  • The extent of the provider's liability for security failures
  • Data storage locations, retention, and deletion policies
  • Security measures protecting your data at rest and in transit
  • Audit rights and independent assessment provisions on both sides
  • Strategies for maintaining data confidentiality during and after the contract term

Negotiate terms you find unacceptable before finalizing, not after. The CSA Cloud Controls Matrix (CCM) v4.1 and its accompanying Consensus Assessments Initiative Questionnaire (CAIQ) provide a structured set of yes-or-no questions to verify how providers have implemented their side of the responsibility boundary.

18. Verify regulatory compliance obligations remain with your organization

Selecting a cloud provider doesn't transfer your compliance obligations. Your organization remains responsible for ensuring cloud-based applications continuously meet relevant regulations.

Choose providers that hold recognized certifications (ISO 27001, SOC 2) and consent to independent audits. Verify their certifications are current and that the scope of the certification covers the services you use.

19. Develop and test an incident response plan with your provider

Define shared security responsibilities, communication protocols, and escalation procedures in advance. The plan should specify exactly what the provider will deliver in response to an incident: logs, forensic support, timeline for notification, and scope of remediation.

Run regular training and simulations that include the provider's response team. Review the plan as the environment and threat landscape evolve, and update it after every significant incident or near-miss.

How Netwrix supports cloud security in hybrid environments

For security teams managing hybrid environments, the hardest part of cloud security isn't knowing what to do. It's maintaining visibility across two identity planes, classifying data before it drifts into the wrong place, and detecting behavioral anomalies that native tools miss. Netwrix addresses those three gaps directly.

Netwrix Auditor provides searchable, before-and-after audit trails for SharePoint Online, Exchange Online, Active Directory, and Entra ID. When a configuration change introduces risk or an access modification triggers a compliance concern, Auditor surfaces it with full context rather than requiring manual log correlation across multiple native consoles.

Netwrix Access Analyzer discovers and classifies sensitive data across file servers, SharePoint, and databases, then maps who has effective access to it. The Sensitive Data Discovery module identifies PII, financial data, and regulated information across structured and unstructured data stores, showing not just what permissions exist but what access those permissions actually grant.

Netwrix 1Secure delivers SaaS-based unified visibility across Active Directory, Entra ID, SharePoint Online, and Windows file servers. Risk dashboards surface excessive permissions, open access to sensitive data, and dormant accounts across the hybrid environment.

For organizations where identity governance spans both on-premises AD and Entra ID, 1Secure consolidates risk visibility into a single view.

Request a demo to see how Netwrix supports identity governance, data classification, and threat detection across your hybrid cloud environment.
