News

Report: Cloud Complexity Outpaces Security Defenses as Multi-Cloud Becomes the Norm

• By David Ramel
• 01/27/2026

The 2026 Cloud Security Report from Fortinet finds that cloud security teams are struggling less with whether they can secure the cloud and more with whether they can keep up with it.

Based on a survey of 1,163 security leaders and practitioners, the "2026 Cloud Security Trends: Closing the Cloud Complexity Gap" report shows that most organizations are operating across hybrid and multi-cloud environments, yet nearly two-thirds lack confidence in their ability to detect and respond to cloud threats in real time. The data points to a widening gap between the speed and complexity of modern cloud environments and the human-led security processes still used to defend them.

That framing represents a shift from a similar 2025 report, "2025 Global Threat Landscape Report," which emphasized security and compliance as the primary barriers to cloud adoption (see "Cloud Security Threats Expand Beyond Misconfigured Storage Buckets: Report"). In that earlier report, concerns centered on meeting regulatory requirements, protecting sensitive data, and building sufficient governance as organizations expanded their use of hybrid and multi-cloud architectures. While those concerns remain present, the 2026 report reframes the problem as operational rather than transitional, describing cloud complexity as a permanent condition rather than a growing pain.

In the 2026 survey, identity and access security ranks as the top cloud-native risk, cited by 77% of respondents, followed by misconfigured cloud services at 70% and data exposure risks at 66%. Separately, 69% say tool sprawl and visibility gaps are the biggest barriers limiting cloud security effectiveness, reflecting the operational strain created by managing disconnected security controls across multiple cloud providers.

Multi-Cloud as the Default Operating Model
The report confirms that hybrid and multi-cloud architectures are now the norm rather than an intermediate phase. Eighty-eight percent of organizations say they operate across hybrid or multi-cloud environments, with 81% relying on two or more cloud providers to run critical workloads. As cloud environments expand, assets, identities, and configurations change continuously, increasing the attack surface and making consistent visibility more difficult to maintain.

This complexity directly affects detection confidence. Sixty-six percent of respondents say they lack strong confidence in their organization’s ability to detect and respond to cloud threats in real time, up from 64% in the prior year’s similar survey. The report attributes this erosion of confidence to fragmented visibility across cloud platforms, identity systems, and security tools that were not designed to work together.

Investment Rises, Maturity Lags
Cloud security spending continues to increase, but the report finds that higher budgets are not translating into proportional maturity gains. Sixty-two percent of organizations expect their cloud security budgets to increase over the next 12 months, with cloud security accounting for an average of 34% of total IT security spending. Despite that investment, 59% still rate their cloud security posture at the two lowest levels on a five-stage maturity scale.

According to the report, much of this investment is absorbed by the operational overhead of managing disconnected tools rather than by improvements in visibility or response. Each additional platform introduces new consoles, integration work, and alert streams, adding friction for teams that are already stretched thin.

Identity, Configuration, and Data Form the Primary Exposure Chain
The new report repeatedly emphasizes that cloud security incidents rarely involve a single control failure. Instead, attackers exploit chains of exposure that combine misconfigurations, excessive permissions, and access to sensitive data. While many organizations deploy separate tools to manage posture, identity, and data security, the report finds that these domains are often monitored in isolation, allowing attack paths to become visible only after an incident occurs.

This exposure-chain model reflects a shift from last year’s emphasis on platform consolidation as a simplification strategy. In 2026, consolidation is positioned as a way to restore shared context across security domains rather than simply reduce the number of tools in use.

Automation Stops Short of Remediation
Although most organizations have introduced some form of automation into cloud security workflows, the report finds that automation remains largely alert-driven. Thirty-seven percent describe their automation as focused on notifications and recommendations, while only 11% report fully autonomous remediation capabilities. The report notes that without shared visibility and trusted context, organizations are reluctant to allow automated systems to take action, even as attackers increasingly operate at machine speed.

From Adoption Challenges to Operational Reality
Taken together, the findings suggest that cloud security concerns have evolved from adoption-focused challenges to structural operational risks. While the 2025 report highlighted security and compliance as obstacles to cloud expansion, the 2026 report presents a picture of organizations grappling with identity sprawl, fragmented visibility, and human-paced defenses in environments that change continuously. The shift reflects a maturing cloud landscape where complexity itself has become the dominant security concern.