Migrating to the cloud isn’t just about packing up your belongings and moving them to a new neighborhood. It’s a complex journey, fraught with potential security lapses. While the promise of agility, scalability, and cost-effectiveness of the cloud is alluring, a stumble during migration can expose organizations to significant cyber risk.

From data breaches to compliance nightmares, the potential fallout can have a lasting impact on business continuity. As businesses continue to embrace cloud-first strategies, understanding and mitigating some common security lapses is more critical than ever.

Why security lapses occur and how they hurt organizations

Cybersecurity incidents during cloud migration are a real headache for organizations. According to a 2025 DSCI study, a staggering 62% of cyberattacks in India happened in the cloud, underscoring the shift in attack surfaces. This makes it vital to prioritize cybersecurity while migrating to the cloud. Several recurring security lapses plague cloud migrations, often stemming from a mix of oversight, misunderstanding and a dash of “set it and forget it” mentality. Let’s take a look at what these security lapses are and why they are plaguing the cloud.

Misconfigurations: Cloud misconfigurations are the common cause of data breaches. Tenable’s Cloud Security Risk report shows that 77% of organizations setting up Vertex AI Workbench in Google Cloud misconfigure at least one notebook with an overprivileged default service account. Misconfigurations in the cloud can range from publicly exposed storage buckets, which are like leaving your front door wide open, to overly permissive users, offering a free pass to sensitive data. These blunders often occur due to a lack of familiarity with cloud-native tooling, a rushed migration strategy, or simply not having enough skilled hands on deck. When teams are under the gun to get to the cloud, corners get cut, and security often takes a back seat.

Inadequate identity security: Poorly managed identity and access management is a ticking time bomb. Overprivileged accounts, insufficient access mechanisms, and inconsistent policy enforcement during the migration can lead to unauthorized access and insider threats. A recent IBM study revealed that data breaches often involve compromised or misused privileged credentials and phishing, with an 89% increase in such attacks in 2025.

Unsecured secrets: In today’s cloud environment,s these include API keys, access keys, encryption keys and tokens in addition to traditional usernames and passwords. These types of credentials are used for diverse needs across cloud infrastructure, web applications, development pipelines (CI/CD) and databases. While migrating to the cloud, these crucial secrets may end up in publicly accessible storage buckets. This could be because developers intend to use privileged accounts for short-term use but frequently forget about them, and they eventually become permanent. Other factors include inadequate monitoring and even the false belief that obscure storage bucket URLs provide sufficient protection.

Shadow IT and visibility gaps: As workloads shift to the cloud, organizations can sometimes lose a handle on what’s where, especially in multi-cloud environments. According to CSA, 63% of organizations report external data oversharing, and 56% say employees upload sensitive data to unauthorized SaaS apps, often without sufficient visibility or enforcement. This lack of visibility creates “shadow IT” where unapproved cloud services or applications are used, opening up new, unmonitored attack vectors. It’s hard to protect what you don’t even know you have.

Misunderstanding shared responsibility: Many organizations mistakenly believe their cloud provider handles everything, leading to a dangerous over-delegation of responsibility. This misconception can be damaging for the organization, as most breaches are attributed to customer misconfigurations, not CSP failures. For instance, while a CSP ensures the physical security of data centers, the customer is responsible for configuring network controls, managing user access, encrypting data, and securing their applications.

Mitigating risks, becoming resilient

Securing cloud environments begins even before migrating to the cloud. Organizations migrating to the cloud often face cybersecurity challenges due to missteps in planning, execution, or ongoing management. Here are strategies to strengthen security.

Pre-migration strategies: Cyber risk is business risk, making it important to conduct a comprehensive risk assessment to identify security gaps and vulnerabilities. Classify data and workloads by sensitivity and compliance requirements. Get cybersecurity teams involved while choosing a cloud service provider. This ensures all risks associated with cloud computing are addressed before making the move. It goes a long way in preventing breaches that are expensive. Choose a cloud provider that aligns with your security and regulatory needs. Develop a detailed mitigation plan with well-defined security goals and policies. Implement robust IAM policies to secure human and non-human identities. Perform regular security audits and establish disaster recovery plans.

Post-migration strategies: Continuously monitor for public access, including by third-parties. Automate detection of misconfigured storage services, and enforce the least-privilege model to ensure sensitive data isn’t publicly exposed. Use exposure management tools to map complex asset, identity and risk relationships across hybrid environments to spot and prioritize cross-cloud attack paths. Secrets management has to become the top priority. Major cloud service providers offer mature, native secrets management tools that integrate easily with their identity and access management frameworks. Use these tools to enforce least privilege, minimize sprawl and improve auditability. Leverage cloud native application protection platforms. These help correlate identity, vulnerability and network configuration data across the entire cloud stack to uncover toxic cloud trilogies, or risky combinations that expose sensitive data and cloud infrastructure.

Successfully navigating a cloud migration and avoiding security lapses requires a proactive, “security-first” mindset. This means thorough planning, continuous monitoring, investing in the right tools and training, and critically, a crystal-clear understanding of the shared responsibility model. Don’t leave your cloud security to chance. Otherwise, you might find yourself in a world of hurt.

This article is written by Rajnish Gupta, Managing Director & Country Manager, Tenable India.