With organisations migrating more workloads and data onto hybrid and multi-cloud environments, and as AI-led security threats continue to increase, IT infrastructures are quickly becoming even more complex and harder to secure.
If these emerging risks are not recognised, the new tech environment can lead to significant cyber vulnerabilities. If the fundamentals of cloud security are not addressed, including a failure to manage identity-based threats and bridge the internal expertise gap, the risks will be further exacerbated.
What’s driving these new threats? How can APAC organisations build the right security posture? What are the practical steps they can take? iTNews Asia discusses these issues with Liat Hayun, Senior Vice President of Product and Research at Tenable Cloud Security.
iTNews Asia: Organisations today face an attack surface that’s growing in size and complexity. What’s driving this, and why is it getting harder to manage?
Our latest State of Cloud and AI Security 2025 report, in collaboration with the Cloud Security Alliance, found that 82 percent of organisations now run hybrid environments and 63 percent rely on multiple cloud providers. Each provider, API, SaaS platform, and microservice adds its own policies and tools, causing visibility to fragment rapidly.
Companies adopted the cloud to gain speed and flexibility. However, as workloads spread, security teams are left managing a mix of non-integrated point tools, which inevitably creates gaps. Those blind spots are precisely what attackers exploit.
This problem is exponentially exacerbated when organisations adopt AI. The race to deploy models introduces critical new risks by aggregating massive, sensitive datasets into high-value targets. It deepens fragmentation by adding another set of non-integrated MLOps tools, creating new blind spots for security.
Attackers now exploit novel, AI-specific techniques, such as prompt injection, that traditional tools cannot detect, while the rush to innovate leads to "Shadow AI," repeating the same reactive security mistakes made during the initial cloud migration.
The report's key finding is that while cloud adoption is strategic, security planning has been reactive. Complexity has become the price of agility. The clear mandate now is for organisations to simplify how they see and manage this fragmented risk.
iTNews Asia: With more companies embedding AI into their IT and cloud systems, has this made their environments more vulnerable?
AI has certainly introduced new risks. According to the same Tenable report, over half of organisations are already using AI for business workloads, and a third of those have experienced an AI-related breach.
Critically, most of these breaches weren't caused by sophisticated "AI attacks." They stemmed from fundamental, pre-existing problems such as misconfigured cloud resources, excessive permissions, and poor identity hygiene.
The difference is that AI acts as an accelerant. It amplifies data sharing, automation, and access to sensitive information. This means old, unpatched weaknesses now have far greater and more immediate consequences.
iTNews Asia: From your perspective, are organisations in the Asia-Pacific planning adequately for the cloud era? How does the region compare globally?
APAC has made incredible progress in cloud adoption, but many organisations here are still in the early stages of building a cohesive cloud strategy. Our Tenable–CSA research shows that while enterprises in North America and Europe are moving toward risk-based cloud programs, APAC organisations tend to focus first on deployment speed and cost efficiency.
This isn’t a lack of awareness but a reflection of the region’s rapid digitalisation.
Governments and enterprises are adopting cloud at a record pace, but in many cases, security and governance come after implementation. As a result, visibility is fragmented, and leadership support for long-term risk planning is limited.
The next phase for APAC organisations isn’t about adopting more cloud services; it’s about integrating what already exists and ensuring that teams, policies, and metrics align under a single security vision.
To secure AI, you need to strengthen the foundations: identity, access, and data protection. Without that, AI systems can amplify the very risks they were meant to help control.
iTNews Asia: Your 2025 survey points out that identity-related risks are now the leading cause of cloud breaches. Why are organisations still struggling to fix this? Is it mainly due to the lack of expertise?
Identity has become the cloud’s primary weak point because it sits at the intersection of people, systems, and processes, yet no single team fully owns it. AI agents and services add more non-human identities to this mix. The report validates this, revealing that six in 10 of respondents view insecure identities and risky permissions as their top concern, and three of the top four breach causes were identity-related.
The ownership gap is often organisational. Nearly one-third of organisations reported poor alignment between their IAM and cloud security teams. That means policies are inconsistent across environments, and access permissions aren’t reviewed as often as they should be.
While the skills gap certainly exacerbates this, the fundamental problem is organisational. Identity is often treated as an IT task, not a shared business risk. Until leadership starts treating identity as a core part of cyber resilience, these weaknesses will continue to appear in every audit and incident report.
- Liat Hayun, Senior Vice President of Product and Research, Tenable Cloud Security
iTNews Asia: Given these challenges, what are some practical ways organisations can manage risk more effectively?
This year’s Cybersecurity Awareness Month theme “Cyberspace: Of Starbursts, Black Holes, and Last Frontiers”, captures how rapidly expanding digital ecosystems have created both immense opportunities and unseen risks. It’s a fitting reminder that securing the ‘last frontiers’ of cloud and AI requires not just compliance, but continuous visibility, governance, and measurable resilience.
The report calls for a reset in how organisations think about cloud and AI security. It starts with visibility because organisations cannot manage what they cannot see. Security teams need a single view of exposure across all environments. That’s where exposure management comes in, giving teams the ability to prioritise and respond based on real risk to the business.
Next, identity governance has to evolve. Enforce least privilege as a default setting, remove unused credentials, and apply the same discipline to service accounts and bots as you would to employees.
Measurement also needs to change. Many companies still judge success by the number of incidents detected, but that’s a reactive approach. Focus on prevention metrics such as how quickly vulnerabilities are resolved or how much exposure has been reduced.
Finally, for AI, compliance should be treated as a baseline. True security comes from technical safeguards, such as encrypted data flows, regular model testing, and secure MLOps processes. These are practical, achievable steps that reduce real risk.
iTNews Asia: The cybersecurity talent shortage is a long-running issue and challenge. How much does this affect hybrid and multi-cloud adoption in Southeast Asia?
Many organisations are trying to do more with smaller teams that are spread thin. Without sufficient expertise, it becomes challenging to design consistent security policies or accurately interpret the data generated by these systems.
The solution isn’t just hiring; it’s building capability. This is where AI presents a significant opportunity. Investing in training, partnerships, and AI-driven automation can go a long way in enhancing productivity. Exposure management platforms, for instance, often leverage AI to allow smaller teams to prioritise and address the most critical risks efficiently.
The goal is to empower people with the right tools and AI-generated insights, enabling them to manage complex environments effectively without burning out.
