HOW-TO GUIDE | CLOUD SECURITY
Updated 13 min read

Cloud Migration Security Gaps: The 7 Predictable Failures and How to Catch Them Before They Become Breaches

82%
Organizations that experienced a cloud security incident in 2025
19%
Cloud breaches attributed to storage bucket misconfiguration
197 days
Average time to detect a cloud misconfiguration
75%
Year-over-year increase in cloud attacks per CISA 2025

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Most cloud migration security failures are not caused by attackers finding novel vulnerabilities in cloud infrastructure. They are caused by configurations that were correct at go-live and became incorrect afterward. The pattern repeats: security teams build a hardened landing zone, document the baseline configuration, hand off to DevOps, and return 90 days later to find the environment has drifted. Temporary security group rules became permanent. Service account keys created for a migration script were never rotated or deleted. An S3 bucket that was private during testing was made public for a quick data transfer and never returned to private. The 82% cloud security incident rate in 2025 is not primarily a failure of cloud security tooling. It is a failure of operational handoff. The 7 gaps documented here are predictable because they follow the same structural causes: temporary configurations that outlive their purpose, handoff points where security context is not transferred, and governance processes that cover initial setup but not ongoing drift.

The 7 Gaps and Why They Recur

Each of the following gaps has a structural cause that makes it likely to recur regardless of team competency. The detection logic and governance gate for each addresses the structural cause, not just the symptom.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The Migration Security Runbook Gate Checklist

The following checklist should be embedded as a required gate in your migration runbook. No migration may proceed to production go-live without all items verified.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The 90-Day Post-Migration Review Process

Most migration security gaps materialize within 90 days of go-live. A structured 90-day review catches drift before it becomes a breach. The review is not a full security audit; it is a focused check on the 7 known failure modes.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

The 197-day average time to detect a cloud misconfiguration is not a detection tool failure. It is a governance failure. CSPM tools can detect public storage buckets within minutes of creation. The gap is between the alert firing and anyone acting on it. The migration security runbook gate and the 90-day review process do not require new tooling; they require that the tooling organizations already have is connected to processes with accountability. The 7 gaps in this guide account for a disproportionate share of post-migration incidents precisely because they are predictable and preventable. Predictable failures that continue to occur are process failures, not knowledge failures.

Frequently asked questions

What is the most common cause of cloud security incidents in 2025?

According to Wiz's 2025 Cloud Security Report, storage bucket misconfigurations account for 19% of cloud breaches, making them the single most common specific cause. More broadly, identity and access misconfigurations (overprivileged service accounts, federated role misconfigurations, unused access keys) account for the majority of cloud breach root causes when aggregated. CISA reported a 75% year-over-year increase in cloud attacks in 2025, driven primarily by exploitation of misconfigured identity and storage resources.

What is a CSPM tool and do we need one for cloud migration?

Cloud Security Posture Management (CSPM) tools continuously scan cloud environments for misconfigurations against security benchmarks such as CIS Cloud Benchmarks, NIST CSF, and vendor security best practices. Major options include Wiz, Orca Security, Prisma Cloud, and Microsoft Defender for Cloud (included with Azure subscriptions). For migration projects, CSPM is the primary detection mechanism for 5 of the 7 gaps described in this guide. Cloud-native alternatives include AWS Security Hub with Config rules and Azure Security Center, which are free within their respective platforms and sufficient for organizations with single-cloud environments.

How long does it typically take to detect a cloud misconfiguration?

Wiz's 2025 research found the average time to detect a cloud misconfiguration is 197 days. This is not a reflection of detection tool latency; CSPM tools detect misconfigurations within minutes of creation. The 197-day figure reflects the time between the alert firing and the organization taking action, which is driven by alert fatigue, unclear ownership of cloud security findings, and the absence of an SLA for misconfiguration remediation. Organizations with mature CSPM programs and defined remediation SLAs typically close critical misconfigurations within 48-72 hours.

What is the difference between a drift failure and a setup failure in cloud security?

A setup failure occurs when a resource is misconfigured during initial deployment. A drift failure occurs when a resource is configured correctly at deployment and becomes misconfigured later due to operational changes. Setup failures are caught by pre-deployment security review and infrastructure-as-code scanning (Checkov, tfsec, Snyk IaC). Drift failures require continuous monitoring via CSPM because they occur after deployment. The 7 gaps in this guide are predominantly drift failures, which is why point-in-time security review of the migration landing zone is insufficient protection.

What should be included in the handoff from security to DevOps after a cloud migration?

The handoff documentation should include: the security baseline configuration for the environment, the CSPM tool and alert triage process, the temporary-resource cleanup schedule with specific dates and responsible parties, the logging configuration and where logs are sent, the encryption key management process including rotation schedules, the identity and federation configuration with the documented role-to-permission mapping, and the security team contact for questions. A 60-minute briefing with sign-off from both teams is required to ensure the handoff is understood, not just delivered.

How should we handle legacy applications that require legacy authentication protocols in the cloud?

Legacy applications requiring protocols such as NTLM, basic authentication over HTTP, or TLS 1.0/1.1 should not be migrated as-is to cloud production environments without a remediation timeline. The recommended approach is: enable the legacy protocol in a time-limited exception with a documented application modernization date, ensure the exception is logged and monitored for abuse, and schedule re-evaluation at the modernization date. If the application cannot be modernized, isolate it in a dedicated network segment with compensating controls rather than allowing legacy protocol traffic in the general cloud environment.

How does Infrastructure as Code reduce cloud migration security risk?

Infrastructure as Code (IaC) tools such as Terraform, CloudFormation, and Pulumi reduce migration security risk in two ways. First, they allow security review of configuration before deployment using static analysis tools (Checkov, tfsec) that catch misconfigurations at the code level. Second, they create an authoritative record of intended configuration that enables drift detection: any manual change to the live environment that diverges from the IaC state is detectable. Organizations using IaC consistently show lower rates of the configuration drift that drives the 7 migration gaps, because any deviation from the intended state is visible in the IaC diff.

Sources & references

  1. Wiz Cloud Security Report 2025
  2. CISA Cloud Security Technical Reference Architecture
  3. CrowdStrike 2025 Global Threat Report
  4. AWS Security Best Practices

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.