Cloud security used to be a network conversation. Increasingly, it is an identity conversation. The threats that hurt modern cloud environments most do not involve clever exploitation of software flaws. They involve abuse of identity systems, often through legitimate-looking sign-ins that satisfy every protective control on paper.
Token Theft Has Replaced Password Theft
MFA pushed simple password theft into the past, but adversary-in-the-middle phishing kits now steal session tokens directly. From the cloud platform’s perspective, the resulting session looks exactly like the legitimate user signing in successfully.
Service Principals and Managed Identities
Beyond user accounts, cloud environments rely heavily on non-interactive identities. These identities often hold significant privileges, rarely change credentials, and operate without the human-facing controls that protect users.
Cross-Tenant and Cross-Account Trust
Trust relationships between tenants, accounts, and organisations multiply the attack surface in ways that are easy to miss. A guest account in your Azure tenant brings the trust model of a different organisation.
Expert Commentary

Name: William Fieldhouse
Title: Director of Aardwolf Security Ltd
“The cloud identity findings I report most often involve service accounts that have accumulated permissions over years. Combined, they produce a service principal that effectively has god-mode in the tenant.”
Consent Phishing Has Quietly Grown
An attacker no longer needs to steal credentials if they can persuade a user to grant their malicious application broad permissions. Consent phishing presents a legitimate-looking OAuth prompt, and the user clicks through without reading carefully.
Privilege Escalation Through Identity
Cloud privilege escalation often runs through identity rather than software flaws. A user with permission to assume a more privileged role, attach policies, or modify a service principal can quickly turn limited access into broad access.
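To make that chain visible during an audit, the added example below (not from the original article) walks "can assume" and "can modify" relationships across an identity inventory and reports every identity with limited direct permissions that can still reach an admin-equivalent one. The inventory, the field names `can_assume` and `can_modify`, and the permission strings are constructed for illustration and are not any cloud provider's real schema or action names.

```python
from collections import deque

# Constructed inventory, not from a real tenant. "can_assume" and "can_modify"
# are hypothetical field names for edges an identity holds over other identities.
INVENTORY = {
    "alice":       {"perms": {"storage:read"},   "can_assume": ["ci-deployer"], "can_modify": []},
    "ci-deployer": {"perms": {"compute:deploy"}, "can_assume": ["alice"],       "can_modify": ["backup-sp"]},
    "backup-sp":   {"perms": {"storage:*", "iam:attach-policy"}, "can_assume": [], "can_modify": []},
    "bob":         {"perms": {"storage:read"},   "can_assume": ["retired-role"], "can_modify": []},
}
# Assumption: permissions this audit treats as equivalent to full control.
ADMIN_EQUIVALENT = {"iam:attach-policy", "*"}


def reachable(inventory, start):
    """Breadth-first walk over assume/modify edges; returns {identity: shortest path}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        node = inventory[current]
        for nxt in node["can_assume"] + node["can_modify"]:
            # Skip identities already seen (cycles) and dangling references.
            if nxt in paths or nxt not in inventory:
                continue
            paths[nxt] = paths[current] + [nxt]
            queue.append(nxt)
    return paths


def audit(inventory):
    """List identities whose direct permissions look limited but that can reach
    an admin-equivalent permission through one or more identity hops."""
    findings = []
    for name, node in sorted(inventory.items()):
        if node["perms"] & ADMIN_EQUIVALENT:
            continue  # already privileged; covered by the regular privileged-identity review
        for target, path in reachable(inventory, name).items():
            gained = inventory[target]["perms"] & ADMIN_EQUIVALENT
            if gained:
                findings.append({"identity": name, "path": path, "gains": sorted(gained)})
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f['identity']}: {' -> '.join(f['path'])} gains {', '.join(f['gains'])}")
```

In this sample, `alice` holds only `storage:read` directly, yet the two-hop path through `ci-deployer` ends at a service principal that can attach policies; a review of direct role assignments alone would miss it.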
Building a Resilient Identity Posture
Audit privileged identities regularly, restrict consent grants, implement just-in-time access for elevated roles, enforce phish-resistant authentication for administrators, and monitor the patterns above continuously.









