
Cloud Security in 2025 Is Confident, But Not Comfortable

Despite 96% of security professionals expressing confidence in their cloud security strategies, Prowler’s newly released 2025 State of Cloud Security Report paints a far more nuanced picture—one where rapid innovation runs headlong into operational complexity, regulatory pressure, and a fast-evolving threat landscape.


Based on responses from 655 security leaders, the report reveals a duality: an industry confident in its trajectory but quietly contending with shadow IT, tool sprawl, and compliance shortfalls. With hybrid and multi-cloud strategies now the default, cloud security teams must not only manage risk—they must do so at scale, with speed, and without breaking the bank.


“The targeting of cloud services by threat actors is not surprising given the increasing reliance on cloud infrastructure,” said Patrick Tiquet, VP of Security & Architecture at Keeper Security. “Cloud environments present attractive targets due to the concentration of sensitive data and critical services… and organizations aren’t prepared for the new threat vectors.”

The Cloud Has Grown Up—And Gotten Complicated


Hybrid-cloud (64%) and multi-cloud (55%) deployments have become standard practice, while single-cloud environments are now the exception, not the rule (17%). This architectural complexity, while beneficial for flexibility and availability, has stretched traditional security models thin.


“As application modernization evolves towards a hybrid and multi-cloud world, standalone solutions no longer make sense,” explained Vincent Hwang, VP of Cloud Security at Fortinet. “Organizations need to adopt platform-oriented solutions… to future-proof their clouds and secure modernization efforts.”

Cloud-native technologies are surging, yet many security programs still rely on legacy tooling not built for the realities of distributed, ephemeral cloud assets. The result? Gaps—visible and invisible.


Open Source, Open Advantage


One of the most telling shifts: 88% of organizations are now using open cloud security tools. These aren't just hobbyist projects anymore—they’re fueling transformation. A staggering 86% of users report measurable security improvements from these tools, while 80% say they’ve slashed operational costs.


“Industry best practices are a great starting point,” noted Jamie Boote, Associate Principal Security Consultant at Black Duck. “But cloud-based assets create a different attack surface… They necessitate customized configuration and detailed knowledge of shared responsibility models.”

The report emphasizes that open source isn't merely a tactical win—it’s a strategic differentiator. With 83% of respondents saying it improved collaboration between security and IT, it’s as much a cultural shift as a technical one.


Automation: The New Security Workhorse


The average organization saves 19 hours per week through automation—a meaningful shift from manual, error-prone tasks to proactive risk mitigation. Yet 25% of teams still haven’t made the leap.


“With the right implementation, AI can significantly enhance visibility and threat detection,” said Nicole Carignan, SVP of Security & AI Strategy at Darktrace. “Agentless cloud solutions can reduce the complexity and costs associated with installing and maintaining agents… and streamline security deployment.”

Despite proven time savings, industries like manufacturing and logistics lag behind in automation adoption, remaining 88% more likely than average to rely on manual processes.


AI and Human Synergy


AI is already a core pillar of cloud defense for 79% of organizations, offering enhanced threat detection, identity analytics, and real-time incident response. But as AI becomes more sophisticated, so too must the humans behind it.


“Organizations should seek integrated solutions purpose-built for cloud data rather than trying to retrofit on-prem tools,” Carignan added. “Faced with limited resources, technology must augment the expertise they already have.”

Still, a warning: Overreliance on AI without strategic oversight could create new vulnerabilities. The most effective programs pair intelligent automation with skilled human judgment.


Compliance: The Achilles’ Heel


While 78% of companies follow frameworks like NIST, ISO 27001, or SOC 2, a startling 37% failed a compliance audit in the past year. This highlights a growing divide between aspiration and execution.


The top reasons? Lack of skilled personnel (32%), tool integration issues (34%), and budget constraints (35%). The solution? Invest smarter. The report finds that companies succeeding in compliance are investing 27% more than their peers this year.


“Organizations need consistent security, centralized visibility, and speed to response,” said Fortinet’s Hwang. “Consolidation is the biggest priority for CISOs today.”

Talent, Training, and Triage


Nearly half (45%) of respondents cite budget limitations as their biggest roadblock for the year ahead, followed closely by a lack of skilled talent (42%). While technologies like CNAPPs (Cloud-Native Application Protection Platforms) and CSPMs are helping fill some gaps, expertise remains critical.


“Cloud security is a multi-layered challenge that requires both strategic planning and operational excellence,” said Amit Zimerman, Co-founder and CPO at Oasis Security. “Offering specialized training and scenario-based certifications can ensure teams are equipped to handle real-world incidents.”

Zimerman also emphasized policy-based automation and orchestration tools as key levers for scaling response efforts and reducing human bottlenecks.


Identity, Visibility, and the Full Threat Picture


Identity misconfigurations continue to be a leading source of cloud breaches. AI-powered identity management and extended visibility into multi-cloud environments are becoming table stakes.


“You cannot protect what you cannot see,” said Darktrace’s Carignan. “Dynamic visibility into multi-cloud environments is essential… It’s not just about the cloud—it’s about understanding cross-domain identity threats holistically.”

The Path Forward


The organizations that succeed in 2025 won’t be those that spend the most—but those that adapt the fastest. The future of cloud security belongs to the few who can balance control with agility, openness with execution, and automation with accountability.


“This is no longer just a tooling problem,” said the report’s co-author Rajiv Taori. “It’s a strategic imperative.”

Laura Franzese, co-author and Prowler’s Head of Security Research, put it bluntly:


“Security can’t just be a cost center anymore. It has to be a driver of innovation, efficiency, and trust.”

In other words: the cloud isn’t getting simpler. But with the right strategy, it can still be secure.
