The most consistent finding across 2025 cloud security research is also the least surprising. The Wiz Cloud Threat Retrospective 2026 attributes roughly 80% of documented cloud intrusions to well-known weaknesses — vulnerabilities, exposed secrets, and misconfigurations. Mandiant's M-Trends 2025 places exploits at 33% of initial access and stolen credentials at 16% — most of it preventable with mature configuration discipline.
The implication for any Malaysian organisation operating in the cloud is uncomfortable. Most breaches are not caused by sophisticated attackers — they are caused by routine hygiene gaps that a properly run security programme would have closed. This article is the practical assessment and defence framework that closes those gaps.
The four cloud attack vectors that matter
Filtered through 2025 incident data, the dominant attack vectors converge on four categories:
1. Misconfigurations
Open S3 buckets. Public-facing databases. Overprivileged IAM roles. Default credentials. Permissive security groups. The classic cloud misconfigurations remain the largest single category of cloud incidents in 2025. The Cloud Security Alliance's Top Threats 2025 report documents this consistently.
2. Exposed secrets
API keys committed to public repositories. Tokens hardcoded in container images. Cloud credentials in CI/CD logs. Service account JSON files in S3 buckets. Wiz reports 29% of cloud environments contain exposed assets with personally identifiable information; the fraction with exposed credentials is similar. Secret scanning is mature technology — the failure is almost always organisational discipline, not tool capability.
3. Unpatched vulnerabilities
Particularly in container base images, third-party libraries, and self-managed infrastructure. The patching velocity required for cloud environments is now measured in hours for critical CVEs, not days. Most organisations are still running on monthly patching cycles — wide enough for opportunistic attackers to weaponise public exploits before patches land.
4. Identity attacks
The fastest-growing category. Stolen OAuth tokens, abused refresh tokens, and lateral movement through federated identity providers. Identity is the new perimeter, and the perimeter has been comprehensively under-monitored in most organisations. Mandiant's M-Trends 2025 places stolen credentials at 16% of initial access — more than doubled from prior years.
The assessment framework
An effective cloud attack surface assessment covers six dimensions. Each should produce concrete findings, not pass/fail tick boxes.
1. External attack surface
Continuously enumerate all public-facing assets — IP ranges, domains, exposed services, certificates, and forgotten resources from past projects. Match against your asset inventory. The gap between what is exposed and what is documented is your shadow attack surface.
2. Configuration posture
CSPM (Cloud Security Posture Management) covering every cloud account and every service, evaluated against a documented baseline. Flag drift from the baseline as findings. Common high-value baselines: CIS Benchmarks, AWS Foundational Security Best Practices, Azure Security Benchmark.
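As an added illustration of what "drift from baseline as findings" looks like in practice (example code written for this article, not the output of any CSPM product), the script below evaluates a small constructed inventory against three baseline controls: no publicly readable buckets, no non-web ports open to the whole internet, and no Allow-everything IAM policies. The inventory schema is a simplified, hypothetical shape loosely modelled on the AWS APIs; its field names are assumptions, not a real SDK response.

```python
"""CSPM-style baseline check over a constructed cloud inventory.

Added example, not code from the article or from any CSPM product. The
inventory schema is a simplified, hypothetical shape loosely modelled on
the AWS APIs; field names here are assumptions, not a real SDK response.
"""
from dataclasses import dataclass

# Constructed inventory: one public bucket, one database port open to the
# internet and one wildcard IAM policy, alongside compliant resources.
INVENTORY = {
    "s3_buckets": [
        {"name": "finance-exports", "block_public_access": False, "public_acl": True},
        {"name": "app-logs", "block_public_access": True, "public_acl": False},
    ],
    "security_groups": [
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-admin", "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    ],
    "iam_policies": [
        {"name": "ci-deployer",
         "statements": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"name": "log-reader",
         "statements": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                         "Resource": "arn:aws:s3:::app-logs/*"}]},
    ],
}

# Baseline: ports that are expected to be reachable from the whole internet.
INTERNET_FACING_PORTS = {80, 443}
ANY_CIDR = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    control: str
    resource: str
    severity: str
    detail: str


def check_s3(buckets):
    """Bucket is public if the public access block is off or a public ACL is set."""
    for b in buckets:
        if not b["block_public_access"] or b["public_acl"]:
            yield Finding("S3-PUBLIC", b["name"], "high",
                          "bucket readable from the internet")


def check_security_groups(groups):
    """Any non-web port open to 0.0.0.0/0 or ::/0 is drift from baseline."""
    for g in groups:
        for rule in g["ingress"]:
            if rule["cidr"] in ANY_CIDR and rule["port"] not in INTERNET_FACING_PORTS:
                yield Finding("SG-OPEN", g["id"], "high",
                              f"port {rule['port']} open to {rule['cidr']}")


def check_iam(policies):
    """Allow Action:* on Resource:* is full administrative access."""
    for p in policies:
        for s in p["statements"]:
            actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
            if s["Effect"] == "Allow" and "*" in actions and s["Resource"] == "*":
                yield Finding("IAM-WILDCARD", p["name"], "critical",
                              "policy grants Allow * on * (account admin)")


def assess(inventory):
    """Run every control and return concrete findings, not pass/fail ticks."""
    findings = []
    findings.extend(check_s3(inventory["s3_buckets"]))
    findings.extend(check_security_groups(inventory["security_groups"]))
    findings.extend(check_iam(inventory["iam_policies"]))
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"[{f.severity}] {f.control} {f.resource}: {f.detail}")
```

Each finding names the control, the resource and the reason, which is what a remediation ticket needs; the compliant resources (the 443 web group, the RFC 1918-scoped admin group, the scoped read-only policy) produce nothing, so the output is the drift list and not a restatement of the inventory.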
3. Identity & access
CIEM (Cloud Infrastructure Entitlement Management) to surface overprivileged identities, unused permissions, and toxic combinations. The principle of least privilege is impossible to maintain manually at cloud scale; CIEM tooling makes it tractable.
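The core CIEM computation is a comparison between what an identity is granted and what it has actually used within a lookback window. The following is an added example written for this article, not the article's own or any CIEM vendor's code: it expands wildcard grants in a constructed IAM-style policy against a hypothetical action catalogue, derives used actions from constructed CloudTrail-style events over 90 days, and proposes a right-sized policy. Deriving an action from eventSource plus eventName is an approximation that does not hold for every AWS service, and the catalogue and sensitive-action list are illustrative assumptions.

```python
"""CIEM-style unused-permission analysis over constructed data.

Added example, not code from the article or from any CIEM product. The
policy and event shapes mimic AWS IAM and CloudTrail but are simplified;
deriving an IAM action from eventSource + eventName is an approximation
that does not hold for every AWS service.
"""
import fnmatch
from datetime import datetime, timedelta, timezone

# Hypothetical catalogue of the actions that exist for the services in use.
# A real tool loads the full service authorisation reference instead.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:PutBucketPolicy", "ec2:DescribeInstances", "ec2:RunInstances",
    "ec2:TerminateInstances", "iam:CreateAccessKey", "iam:PassRole",
]

# Actions that change permissions, expose data or destroy resources: unused
# grants here are the first ones to remove (illustrative list).
SENSITIVE_ACTIONS = {"iam:CreateAccessKey", "iam:PassRole",
                     "s3:PutBucketPolicy", "ec2:TerminateInstances"}

# Constructed policy attached to a hypothetical role "reporting-job".
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:CreateAccessKey"],
     "Resource": "*"},
]}

NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)

# Constructed CloudTrail-style events for that role.
EVENTS = [
    {"eventTime": NOW - timedelta(days=3), "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject"},
    {"eventTime": NOW - timedelta(days=10), "eventSource": "s3.amazonaws.com",
     "eventName": "ListBucket"},
    {"eventTime": NOW - timedelta(days=40), "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances"},
    # Outside the 90-day window: must not count as recent use.
    {"eventTime": NOW - timedelta(days=120), "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject"},
]


def granted_actions(policy, catalogue):
    """Expand wildcard Allow statements into the concrete actions they grant.
    IAM action matching is case-insensitive, so compare lower-cased strings."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for pattern in patterns:
            granted.update(a for a in catalogue
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return granted


def used_actions(events, now, window_days=90):
    """Actions observed in the audit log inside the lookback window."""
    cutoff = now - timedelta(days=window_days)
    used = set()
    for e in events:
        if e["eventTime"] >= cutoff:
            service = e["eventSource"].split(".")[0]
            used.add(f"{service}:{e['eventName']}")
    return used


def analyse(policy, events, catalogue, now):
    """Compare granted vs. used and propose a right-sized policy."""
    granted = granted_actions(policy, catalogue)
    used = used_actions(events, now)
    unused = granted - used
    return {
        "granted": granted,
        "used": used,
        "unused": unused,
        "sensitive_unused": unused & SENSITIVE_ACTIONS,
        "right_sized_policy": {"Statement": [{"Effect": "Allow",
                                              "Action": sorted(used & granted),
                                              "Resource": "*"}]},
    }


if __name__ == "__main__":
    report = analyse(POLICY, EVENTS, ACTION_CATALOGUE, NOW)
    print(f"{len(report['unused'])} of {len(report['granted'])} granted actions unused")
    print("remove first:", sorted(report["sensitive_unused"]))
```

Two details carry the weight here: the window cutoff, so that a permission last exercised four months ago counts as unused rather than grandfathered in, and the sensitive-action intersection, which turns a long unused list into a short prioritised one. The proposed policy still uses Resource "*"; scoping resources is the next pass, not something this comparison can infer.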
4. Secrets & credentials
Continuous scanning of code repositories, container registries, CI/CD logs, and cloud storage for exposed secrets, combined with a rotation policy for anything found and a vaulting standard for new secrets.
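The "exposed secrets" vector above and this scanning dimension share one mechanism, so a single added example covers both. It is written for this article and is not the article's own or any scanning product's code: a small scanner that runs format-specific patterns first (AWS access key IDs, PEM private-key blocks, URLs with embedded credentials) and a generic keyword-assignment rule last, gated by a Shannon-entropy floor so that placeholders such as "changeme" are not reported. The four sample files are constructed; the AWS key pair is the placeholder pair from AWS's own documentation and is not live.

```python
"""Secret scanner over constructed repository, image and CI artefacts.

Added example, not code from the article or from any secret-scanning
product. The file contents below are constructed; the AWS key pair uses
the placeholder values from AWS's own documentation and is not live.
"""
import math
import re
from collections import Counter

SAMPLE_FILES = {
    "config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'DEBUG = "false"\n'
        'PASSWORD_PLACEHOLDER = "changeme"\n'
    ),
    "Dockerfile": (
        "FROM python:3.12-slim\n"
        'ENV API_TOKEN="t0k3n-9f8e7d6c5b4a39281706f5e4d3c2b1a0"\n'
    ),
    "ci.log": (
        "[INFO] token refresh succeeded\n"
        "export DATABASE_URL=postgres://app:Xy7!pQ2@db.internal:5432/app\n"
        "password: ********\n"
    ),
    "sa.json": (
        '{"type": "service_account",\n'
        ' "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBg...\\n'
        '-----END PRIVATE KEY-----\\n"}\n'
    ),
}

# (rule name, pattern, minimum Shannon entropy of the captured value or None).
# Specific formats come first; the generic keyword rule is the fallback and
# uses an entropy floor to skip placeholders like "changeme".
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), None),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), None),
    ("url-with-credentials",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@/]+)@"), None),
    ("generic-secret-assignment",
     re.compile(r"(?i)(?:secret|token|password|passwd|api[_-]?key|access[_-]?key)"
                r"[A-Za-z0-9_]*\s*[=:]\s*[\"']?([A-Za-z0-9/+_\-.!@#$%^&*]{16,})"),
     3.5),
]


def shannon_entropy(s):
    """Bits per character; random-looking secrets score well above 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Never echo the secret itself into a finding or a ticket."""
    return f"{value[:4]}...[{len(value)} chars]"


def scan_text(path, text):
    """Yield one finding per offending line; the first matching rule wins."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, min_entropy in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex or 0)
            if min_entropy is not None and shannon_entropy(value) < min_entropy:
                continue
            yield {"file": path, "line": lineno, "rule": rule, "redacted": redact(value)}
            break


def scan_files(files):
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['rule']} {f['redacted']}")
```

The scanner reports five findings across the four files and stays silent on the log line mentioning a token refresh, the masked password and the "changeme" placeholder. Findings carry a redacted prefix and length rather than the value, which is the point of the organisational-discipline remark above: a scanner that copies secrets into tickets creates a second exposure.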
5. Vulnerability management
Container image scanning, dependency analysis, and exposed-service vulnerability assessment, backed by a patching SLA of hours to days for critical CVEs, not weeks.
6. Detection & response
Cloud-native logging (CloudTrail, Azure Activity Logs, GCP Audit Logs) feeding a SIEM with cloud-aware detection rules. Identity event correlation. Anomaly detection for cloud API usage patterns.
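To make "cloud-aware detection rules", "identity event correlation" and "anomaly detection for cloud API usage" concrete, the added example below (written for this article, not the article's own or any SIEM vendor's code) runs five rules over constructed CloudTrail-style events: three signature rules for console login without MFA, creation of a new access key, and trail logging being stopped or deleted, plus two behavioural rules that compare each event's source IP and API name against a per-principal baseline. Alerts are tagged with the MITRE ATT&CK technique they evidence, and a final pass correlates alerts by identity. Field names follow CloudTrail's public record format, but the events, IP addresses, account id and baselines are all constructed.

```python
"""Cloud-aware detection rules plus identity correlation over constructed
CloudTrail-style events.

Added example, not code from the article or from any SIEM product. Event
field names follow CloudTrail's public record format, but the events, IP
addresses, account id and per-principal baselines are constructed.
"""
from collections import defaultdict

ACCT = "111111111111"  # placeholder account id
ALICE = f"arn:aws:iam::{ACCT}:user/alice"
BOB = f"arn:aws:iam::{ACCT}:user/bob"
DEPLOY = f"arn:aws:iam::{ACCT}:role/svc-deploy"

# Constructed 30-day behavioural baseline per principal: source IPs and API
# names seen before. A real pipeline learns this from historical logs.
BASELINE = {
    ALICE: {"ips": {"203.0.113.10"}, "apis": {"ConsoleLogin", "ListBuckets", "GetObject"}},
    BOB: {"ips": {"203.0.113.10"}, "apis": {"ConsoleLogin", "DescribeInstances"}},
    DEPLOY: {"ips": {"10.0.4.7"}, "apis": {"DescribeInstances", "RunInstances"}},
}


def ev(time, principal, name, source, ip, **extra):
    """Build a minimal CloudTrail-shaped record (constructed data)."""
    return {"eventTime": time, "userIdentity": {"arn": principal}, "eventName": name,
            "eventSource": source, "sourceIPAddress": ip, **extra}


EVENTS = [
    ev("2025-11-30T08:00:00Z", ALICE, "ConsoleLogin", "signin.amazonaws.com", "203.0.113.10",
       additionalEventData={"MFAUsed": "Yes"}),
    ev("2025-11-30T08:05:00Z", BOB, "ConsoleLogin", "signin.amazonaws.com", "198.51.100.23",
       additionalEventData={"MFAUsed": "No"}),
    ev("2025-11-30T08:07:00Z", BOB, "CreateAccessKey", "iam.amazonaws.com", "198.51.100.23",
       requestParameters={"userName": "svc-backup"}),
    ev("2025-11-30T08:09:00Z", BOB, "StopLogging", "cloudtrail.amazonaws.com", "198.51.100.23",
       requestParameters={"name": "org-trail"}),
    ev("2025-11-30T09:00:00Z", ALICE, "ListBuckets", "s3.amazonaws.com", "203.0.113.10"),
    ev("2025-11-30T09:30:00Z", DEPLOY, "GetObject", "s3.amazonaws.com", "192.0.2.55",
       requestParameters={"bucketName": "finance-exports"}),
]


def alert(e, rule, technique, severity):
    return {"time": e["eventTime"], "principal": e["userIdentity"]["arn"],
            "event": e["eventName"], "rule": rule, "technique": technique,
            "severity": severity}


# Signature rules: each returns an alert dict or None.
def rule_console_login_no_mfa(e, _):
    if e["eventName"] == "ConsoleLogin" and e.get("additionalEventData", {}).get("MFAUsed") == "No":
        return alert(e, "console-login-no-mfa", "T1078.004", "medium")


def rule_new_access_key(e, _):
    if e["eventName"] == "CreateAccessKey":
        return alert(e, "new-access-key", "T1098.001", "high")


def rule_logging_disabled(e, _):
    if e["eventSource"] == "cloudtrail.amazonaws.com" and e["eventName"] in {"StopLogging", "DeleteTrail"}:
        return alert(e, "cloud-logging-disabled", "T1562.008", "critical")


# Behavioural rules: deviation from the principal's own baseline.
def rule_new_source_ip(e, baseline):
    known = baseline.get(e["userIdentity"]["arn"], {}).get("ips", set())
    if e["sourceIPAddress"] not in known:
        return alert(e, "new-source-ip", "T1078.004", "low")


def rule_novel_api(e, baseline):
    known = baseline.get(e["userIdentity"]["arn"], {}).get("apis", set())
    if e["eventName"] not in known:
        return alert(e, "novel-api", "T1078.004", "low")


RULES = [rule_console_login_no_mfa, rule_new_access_key, rule_logging_disabled,
         rule_new_source_ip, rule_novel_api]


def detect(events, baseline):
    """Run every rule over every event; keep the alerts that fired."""
    return [a for e in events for r in RULES if (a := r(e, baseline))]


def principal_risk(alerts):
    """Identity correlation: how many distinct rules fired per principal."""
    hits = defaultdict(set)
    for a in alerts:
        hits[a["principal"]].add(a["rule"])
    return {p: len(rules) for p, rules in hits.items()}


if __name__ == "__main__":
    alerts = detect(EVENTS, BASELINE)
    for a in alerts:
        print(f"{a['time']} [{a['severity']}] {a['rule']} ({a['technique']}) {a['principal']} {a['event']}")
    print("distinct rules per principal:", principal_risk(alerts))
```

Individually, the low-severity behavioural alerts are noisy; correlated by identity they become the signal. In the sample, one user account accumulates five distinct rule hits inside ten minutes (login without MFA from an unseen address, a new credential, logging disabled), while the deploy role trips only the two behavioural rules and the compliant user trips none. That per-principal view, rather than the raw alert stream, is what an analyst should be paged on.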
The Malaysian regulatory context
The November 2025 revision of Bank Negara Malaysia's RMiT tightened the cloud governance requirements for financial institutions specifically — explicit accountability under shared-responsibility models, stricter due diligence on cloud service providers, and stronger requirements around cloud security assessment cadence and quality.
For non-FIs, RMiT does not apply directly, but it increasingly informs procurement standards across regulated sectors. PDPA's data residency and lawful processing requirements layer on top, particularly for any organisation handling personal data in cloud environments.
Practical action plan
- Run a baseline assessment against the six-dimension framework above, even if informally. Identify the largest gaps.
- Prioritise the dimensions with both high attack frequency (misconfigurations, secrets) and low cost to remediate.
- Implement continuous monitoring rather than point-in-time assessment. Cloud changes too fast for quarterly assessments to be sufficient.
- Map your detection coverage to MITRE ATT&CK Cloud techniques specifically. The cloud TTPs differ from on-prem in important ways.
- Treat AI workflows running in your cloud environment as part of the attack surface — they are increasingly targeted in 2026 incidents.
For Malaysian organisations needing structured training on cloud attack surface assessment with regulatory alignment, our AI Agentic Security programme covers the full framework hands-on, HRDC SBL-KHAS claimable for eligible employers.