Cloud security is a mess and companies don't care

2025-04-09

Every week, I spend some time looking at the absolute basics of companies' cloud security: Are they leaving cloud storage unlocked? Are there any open databases exposing sensitive data?

Five years on, it's shocking to me how little companies seem to care about their cloud security posture. Every week, I find 10-20 US- or Europe-based companies which expose some form of sensitive data. This includes mid-market multinationals with employees across the world.

And the data that's being exposed is absolutely ridiculous: Internal emails, invoices, shipping labels, bank statements(!). It's not that I'm surprised it's out there. I'm more surprised about the fact that years later, after what feels like everyone shouting from the rooftops to take cloud security seriously, a lot of companies are still lacking the basics.

Notifying these companies does little. Most seem to ignore attempts to reach out. Unsurprisingly, the affected companies also don't have a dedicated security contact, if they even have a CTO in the first place.

Of course, in some instances, it simply doesn't matter whether the cloud storage is public or not, for example if the entire cloud storage consists of publicly available stock photos. Unfortunately, I've also started noticing a different pattern: an intentionally public cloud storage is used for stock photos, but later on, because it's convenient, the storage simply gets re-used for sensitive data.

This is why I put a special emphasis on cloud security when advising companies on their security and compliance posture. Remember, cloud storage is not public by default. The most common reason I see for changing that is sheer laziness; it's simply easier to develop on multiple machines if there's no pesky authorisation or authentication necessary to access the cloud storage. The production system simply follows the same pattern.

There's simply no excuse for taking such shortcuts. In 2025, your cloud storage should be secure by default.

Yours,
Søren

P.S. Unsure if your cloud security is up to spec? Need an expert to review your posture and give you actionable recommendations for next steps? Book an audit today.
