
Trends in cloud security from cloud to workloads

Harnit Singh

Jan 14, 2025


Recently, I had the privilege of hosting a roundtable discussion with some of the leading voices in cloud security to explore emerging trends, threats, and solutions in identity management. The full video of the panel discussion is available for viewers to dive deeper into the conversation. Here’s a breakdown of the key insights shared during our conversation.

Full video: https://www.youtube.com/watch?v=T7TroTUMcjw

The Identity Landscape: A Growing Challenge

One of the most striking revelations from our discussion was the sheer scale at which non-human identities (NHIs) are growing. These identities (service accounts, API keys, workload identities, and the credentials behind scheduled jobs and third-party integrations) now outnumber people by a wide margin, and every one of them is a credential that someone has to scope, rotate, and eventually retire. As Kat Traxler, Principal Security Researcher at Vectra AI, pointed out, “For every human identity, there are 50 non-human identities. This velocity increases the risk of misconfigurations and abuse.”

James Berthoty, founder of Latio Tech, highlighted another layer of complexity: the fragmentation of identity systems. From SaaS applications to cloud services and Kubernetes clusters, identities span multiple platforms, each with its own management system. This lack of unification often leaves security teams scrambling to address risks in silos.

Emerging Threats: Transitive Access Abuse

A key focus of our conversation was the issue of transitive access abuse. Kat shared insights from her recent research, which unveiled vulnerabilities in Google Cloud’s Service Agents, the Google-managed service accounts that the platform creates and grants roles to automatically when a project enables an API. “These are billed as benign agents operating in the background, but when manipulated, they can perform privileged tasks like data exfiltration without requiring direct access to the underlying resources,” she explained. The point for practitioners is that the attacker in this pattern never holds a grant on the target data themselves; they only need the ability to make a service that already holds one act on their behalf, which is why such paths rarely show up in a review of who has which role.

Watch Kat’s explanation of transitive access abuse at 3:01.

James expanded on this, emphasizing how difficult it can be for CISOs to prioritize identity risks when the landscape is so fragmented. “The lack of unified tools across identity systems creates blind spots. Security engineers may focus deeply on Kubernetes, RBAC, or cloud permissions, but CISOs are left navigating a confusing mix of risks,” he noted.

See James discuss fragmented identity risks at 7:03.

The Governance Gap: What CISOs and Security Engineers Need to Know

When discussing solutions, the conversation frequently circled back to governance. As Rami McCarthy, a cloud security expert and advisor, emphasized, “Identities span systems—cloud providers, SaaS applications, legacy infrastructure. Governance frameworks must break down these silos to address risk holistically. However, technology alone cannot solve the problem; collaboration across teams and processes is essential. Organizations must look at the velocity of identity growth and address lifecycle management systematically.”

Listen to Rami’s perspective on governance frameworks at 9:07.

Srajan Gupta, a security engineering leader at Dave, added critical insights into the challenges of managing both human and non-human identities. “The fundamentals of identity management—such as zero trust and least privilege—apply equally to NHIs. However, we often neglect them, failing to perform periodic access reviews or enforce strict lifecycle management for service accounts and API keys,” he said.

Watch Srajan’s perspective on applying human identity principles to NHIs at 12:00.

Key challenges include:

  • Lifecycle Management: Stale or unused service accounts often become low-hanging fruit for attackers.
  • Least Privilege: While widely regarded as a best practice, enforcing least privilege without disrupting workflows remains difficult.
  • Tooling Fragmentation: Vendors typically address only specific slices of the problem, leaving organizations with gaps in their identity management strategy.

Best Practices: Tackling the Identity Problem

Addressing the challenges of identity governance requires a combination of thoughtful strategy, governance, and automation. Here’s what our panelists recommend:

1. Start with Inventory

Begin by creating a comprehensive inventory of all identities—human and non-human—across your ecosystem. As Srajan highlighted, “You can’t secure what you aren’t aware of. Start with understanding the scope of your identities.” Ensure this includes service accounts, API keys, and other non-human identities that often get overlooked.
Watch Srajan’s take on starting with inventory at 14:02.

2. Adopt Just-in-Time (JIT) Access

Minimize standing privileges by granting permissions only when needed. “JIT access should be the default. It reduces risk without significantly increasing friction,” Srajan added.

3. Leverage Permission Boundaries

Define boundaries that restrict what identities can access, preventing lateral movement during a breach. Kat added, “Managing access boundaries can significantly limit the blast radius of an incident, ensuring risks are contained.”
Watch Kat’s insights on managing blast radius at 6:03.
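To make the two previous points concrete (just-in-time grants that expire, and a boundary that caps what an identity can ever reach), here is an added worked example that is not part of the panel discussion or of P0 Security's own tooling. It is a deliberately reduced model of how an AWS-style identity policy is intersected with a permissions boundary: policy documents use the familiar Effect/Action/Resource/Condition shape, wildcards are matched with fnmatch, and the only condition operator modelled is DateLessThan on aws:CurrentTime. NotAction, resource policies, SCPs and every other evaluation rule are left out on purpose; the bucket names, principals and timestamps are invented.

```python
"""Simplified policy evaluation: identity policy intersected with a
permissions boundary, plus a time-bound (JIT) grant.

Added example, not from the panel or from P0 Security. The policy shape
mimics AWS IAM JSON, but the evaluator is a reduced model: wildcards via
fnmatch, one condition operator (DateLessThan on aws:CurrentTime), no
NotAction/NotResource, no resource policies or SCPs. All names are invented.
"""
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(cond, now):
    """Only DateLessThan on aws:CurrentTime is modelled: true while now < expiry."""
    if not cond:
        return True
    for op, kv in cond.items():
        if op != "DateLessThan" or "aws:CurrentTime" not in kv:
            raise ValueError(f"unsupported condition {op}: {kv}")
        expiry = datetime.fromisoformat(kv["aws:CurrentTime"].replace("Z", "+00:00"))
        if not now < expiry:
            return False
    return True


def _match(policy, action, resource, now):
    """Return 'deny', 'allow' or None (no matching statement) for one document."""
    decision = None
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition"), now):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit deny in a document ends evaluation of it
        decision = "allow"
    return decision


def is_allowed(action, resource, identity_policies, boundary=None, now=None):
    """Explicit deny anywhere wins. Otherwise the request needs an allow from an
    identity policy AND, when a boundary is attached, an allow from the boundary.
    The boundary never grants anything on its own; it only caps."""
    now = now or datetime.now(timezone.utc)
    results = [_match(p, action, resource, now) for p in identity_policies]
    if boundary is not None and _match(boundary, action, resource, now) != "allow":
        return False
    if "deny" in results:
        return False
    return "allow" in results


# Constructed sample documents (invented names):
# the classic overprivileged role, a boundary that caps it, and a JIT grant.
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}
BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"]},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
]}
JIT_GRANT = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::app-data/*",
     "Condition": {"DateLessThan": {"aws:CurrentTime": "2025-01-14T12:00:00Z"}}},
]}
T_BEFORE = datetime(2025, 1, 14, 11, 0, tzinfo=timezone.utc)  # grant still valid
T_AFTER = datetime(2025, 1, 14, 13, 0, tzinfo=timezone.utc)   # grant has expired

APP_OBJ = "arn:aws:s3:::app-data/x.csv"
OTHER_OBJ = "arn:aws:s3:::finance/q4.xlsx"
IAM_USER = "arn:aws:iam::123456789012:user/bob"


def demo():
    """The decisions a reviewer would want to see, as a dict of booleans."""
    return {
        # in-scope read: role allows, boundary allows
        "read_app_data": is_allowed("s3:GetObject", APP_OBJ, [ROLE_POLICY], BOUNDARY, T_BEFORE),
        # lateral move to another bucket: role says yes, boundary caps it
        "read_other_bucket": is_allowed("s3:GetObject", OTHER_OBJ, [ROLE_POLICY], BOUNDARY, T_BEFORE),
        # destructive action inside the bucket: not in the boundary's allow list
        "delete_app_data": is_allowed("s3:DeleteObject", APP_OBJ, [ROLE_POLICY], BOUNDARY, T_BEFORE),
        # privilege escalation attempt: explicit deny in the boundary
        "iam_create_key": is_allowed("iam:CreateAccessKey", IAM_USER, [ROLE_POLICY], BOUNDARY, T_BEFORE),
        # the same broad role with no boundary reaches everything
        "read_other_no_boundary": is_allowed("s3:GetObject", OTHER_OBJ, [ROLE_POLICY], None, T_BEFORE),
        # JIT grant on its own, before and after expiry
        "jit_before": is_allowed("s3:GetObject", APP_OBJ, [JIT_GRANT], BOUNDARY, T_BEFORE),
        "jit_after": is_allowed("s3:GetObject", APP_OBJ, [JIT_GRANT], BOUNDARY, T_AFTER),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {'ALLOW' if decision else 'DENY'}")
```

The two results worth dwelling on are `read_other_bucket` and `jit_after`: the first shows the boundary stopping a lateral move that the role policy alone would permit, which is the blast-radius effect Kat describes; the second shows standing access disappearing on its own once the JIT window closes, with nothing for anyone to remember to revoke.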

4. Focus on Lifecycle Management

Ensure processes are in place to review and decommission unused or overprivileged accounts regularly. James stressed, “Outdated roles and default permissions can account for the majority of overprivileged identities. Cleaning these up provides quick wins with little effort.”
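Steps 1 and 4 above (build the inventory, then review it for stale and overprivileged accounts) are the kind of thing that is easy to agree with and hard to make happen without a script. The following is an added example, not code from the panelists or from P0 Security: a small report that runs over an identity inventory and flags idle identities, never-used identities past a grace period, and long-lived keys that are overdue for rotation or have never been used. The inventory is constructed by hand in the shape a cloud provider's IAM listing would give you (identity, kind, creation and last-authentication timestamps, attached keys), so it runs offline; the field names, thresholds and the fixed report date are assumptions, not any provider's API.

```python
"""Stale-identity and key-age report over an identity inventory.

Added example, not from the panel or from P0 Security. The inventory below
is constructed by hand in the shape a provider's IAM listing would give you;
field names and thresholds are assumptions, not any provider's API.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: one record per identity, human or non-human,
# with the long-lived credentials attached to it. Timestamps are ISO 8601 UTC.
INVENTORY = [
    {"id": "alice@example.com", "kind": "human",
     "created": "2023-02-01T00:00:00Z", "last_auth": "2025-01-10T08:00:00Z",
     "keys": []},
    {"id": "ci-deploy@example.iam", "kind": "service_account",
     "created": "2024-06-01T00:00:00Z", "last_auth": "2025-01-12T03:00:00Z",
     "keys": [{"key_id": "k-1", "created": "2024-06-01T00:00:00Z",
               "last_used": "2025-01-12T03:00:00Z"},
              {"key_id": "k-2", "created": "2024-06-01T00:00:00Z",
               "last_used": None}]},
    {"id": "legacy-etl@example.iam", "kind": "service_account",
     "created": "2022-03-15T00:00:00Z", "last_auth": "2024-05-01T00:00:00Z",
     "keys": [{"key_id": "k-9", "created": "2022-03-15T00:00:00Z",
               "last_used": "2024-05-01T00:00:00Z"}]},
    {"id": "new-batch@example.iam", "kind": "service_account",
     "created": "2025-01-10T00:00:00Z", "last_auth": None, "keys": []},
]

NOW = datetime(2025, 1, 14, tzinfo=timezone.utc)  # fixed report date (assumption)
IDLE_DAYS = 90          # identity unused this long is a decommission candidate
KEY_MAX_AGE_DAYS = 90   # long-lived keys older than this should be rotated
GRACE_DAYS = 14         # how long a new identity/key may sit unused before it counts


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp ending in 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_identity(ident, now=NOW):
    """Return a list of (finding_type, detail) tuples for one identity."""
    findings = []
    created = parse_ts(ident["created"])
    last_auth = parse_ts(ident["last_auth"])
    if last_auth is None:
        # Never authenticated: only a finding once the grace period has passed,
        # so freshly provisioned identities do not generate noise.
        if now - created > timedelta(days=GRACE_DAYS):
            findings.append(("never_used", ident["id"]))
    elif now - last_auth > timedelta(days=IDLE_DAYS):
        findings.append(("idle", f"{ident['id']} last auth {(now - last_auth).days}d ago"))
    for key in ident["keys"]:
        key_age = now - parse_ts(key["created"])
        if key_age > timedelta(days=KEY_MAX_AGE_DAYS):
            findings.append(("key_rotate", f"{ident['id']}/{key['key_id']} age {key_age.days}d"))
        if key["last_used"] is None and key_age > timedelta(days=GRACE_DAYS):
            # A key that was minted but never used is pure attack surface.
            findings.append(("key_unused", f"{ident['id']}/{key['key_id']}"))
    return findings


def review_inventory(inventory, now=NOW):
    """Aggregate findings for the whole inventory, keyed by finding type."""
    report = {}
    for ident in inventory:
        for kind, detail in review_identity(ident, now):
            report.setdefault(kind, []).append(detail)
    return report


def summarize(inventory):
    """Count identities by kind, so the NHI-to-human ratio is visible up front."""
    counts = {}
    for ident in inventory:
        counts[ident["kind"]] = counts.get(ident["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    print("identity counts:", summarize(INVENTORY))
    for kind, items in sorted(review_inventory(INVENTORY).items()):
        print(kind)
        for item in items:
            print("   ", item)
```

On the sample data the report flags `legacy-etl` as idle, every key on `ci-deploy` and `legacy-etl` as overdue for rotation, and `ci-deploy/k-2` as a key that was created and never used; `new-batch`, created four days before the report date, stays quiet because of the grace period. Feeding real listings into the same shape (for example the output of a cloud provider's service-account and key listing commands, plus its last-authentication data) is the piece that turns "start with inventory" into a recurring control rather than a one-off spreadsheet.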

5. Apply Ratchets and Levers

Rami introduced the concept of ratchets and levers for identity security:

  • Ratchets: “One-way improvements that meaningfully increase your security baseline—like implementing just-in-time access or restricting unused services.”
  • Levers: “Quick wins with high impact and low effort, such as identifying and cleaning up outdated permissions or roles.”

6. Reduce the Blast Radius

Accept that compromise can happen and design systems to limit damage. Rami emphasized that a thoughtful approach is key here: “Reducing the blast radius involves combining segmentation, strong resource boundaries, and just-in-time access to minimize the impact of a breach. Organizations must balance security controls with operational needs to avoid friction while maintaining resilience.”

7. Invest in Programmatic Solutions

Rami emphasized the importance of automation to address identity risks at scale: “Manual processes are no longer sustainable for large environments. Programmatic solutions—such as continuous monitoring and automated remediation—allow organizations to identify risks quickly and respond effectively.”
In practice that means pulling identity and access data into pipelines that continuously flag stale accounts, unused permissions, and unexpected privilege paths, and that revoke or open a ticket automatically rather than waiting for a quarterly review.

Check out the full panel discussion on best practices starting at 27:02.

Moving Forward: The Future of Identity Governance

Identity management will remain a critical area of focus as cloud environments grow in complexity. While perfect security may be unattainable, incremental improvements can significantly reduce risk. As Kat succinctly put it, “We can’t least-privilege our way to perfection, but we can manage risk more effectively by addressing the fundamentals.”

Watch Kat’s closing thoughts on reducing risk at 34:02.

For security practitioners and CISOs, the path forward involves not just adopting new tools but fostering collaboration across teams. Empathy, communication, and a willingness to iterate will be key to navigating this evolving landscape.

This conversation underscored the importance of viewing identity governance not as a one-time project, but as an ongoing commitment. Whether you’re just beginning to address NHIs or refining your approach, the lessons from this discussion offer a practical roadmap for tackling one of cloud security’s most pressing challenges.

Are you ready to gain control of your cloud access?

Control and govern privileged access across all identities with P0 Security.