Expert Maps Identity Risk and Multi-Cloud Complexity to Evolving Cloud Threats

Cloud security is shifting from perimeter defense to identity, configuration and visibility challenges. As hybrid and multi-cloud adoption expands, so does the attack surface, with misconfigurations, excessive permissions and cross-platform blind spots creating new exposure points. At the same time, threat actors are accelerating attacks through automation and AI-assisted techniques, forcing organizations to rethink how they secure distributed environments.

Nick Cavalancia, CEO of Conversational Geek and a four-time Microsoft MVP, explored those themes in a session titled "Expert Guide: Defending Against Evolving Cloud Threat Vectors" at a free, online Virtualization & Cloud Review tech education summit held today, now available for replay thanks to the sponsor, Wiz.

"Identity has replaced the perimeter entirely."

Nick Cavalancia, CEO of Conversational Geek

Cavalancia began by noting that cloud adoption has fundamentally altered traditional security boundaries. With 88 percent of organizations now operating in hybrid or multi-cloud environments, the hardened network edge is no longer the primary control point. Instead, identity and privilege determine access across distributed systems.

He outlined four major threat vectors shaping the modern cloud landscape: misconfigurations, identity risk, vulnerable workloads and multi-cloud complexity. Discussing identity risk specifically, he underscored how central privilege is to modern attacks, saying, "If you don't have identity, you don't have identity, you don't have privilege, you don't have privilege, you don't have a threat." Excessive permissions and credential abuse create privilege escalation paths once access is obtained.

On service accounts in particular, he warned that many environments leave them untouched for years. "Service Accounts tend to still be one of those aspects of our environments that are definitely have been set and forget it from 10 years ago." Long-lived credentials tied to backup systems or automation tools can become attractive targets if not rotated or monitored.

Multi-cloud deployments introduce additional complexity, especially around maintaining consistent oversight across providers. During the live Q&A, when asked about the biggest mistake organizations make in securing multi-cloud environments, Cavalancia answered bluntly: "The biggest mistake is lack of visibility."

From there, the focus shifted from threats to what organizations can do in response.

Defense Strategy: Fix Misconfigurations
Cavalancia emphasized that security cannot be a one-time configuration exercise. "It's not enough to set it once." Secure defaults must be reviewed critically, not assumed sufficient. Continuous validation is required to ensure new platform updates or configuration changes do not introduce unintended exposure.

[Figure: Defense Strategy: Fix Misconfigurations (source: Nick Cavalancia).]

Automated remediation, where possible, can help enforce policy consistency. "Automatic remediation is really important." If configurations drift from approved baselines, controls should either alert teams immediately or revert changes automatically. The goal, he suggested, is to treat configuration management as an ongoing operational discipline.
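The "alert or revert" guidance above, as an added example that is not from the session or the article: a small drift check that compares observed settings with an approved baseline, reverts the settings classified as critical, and only alerts on the rest. The baseline, the observed state and the critical-setting list are all constructed for illustration, not taken from any real cloud account.

```python
"""Configuration-drift check: compare an observed config with an approved
baseline, auto-revert critical deviations, alert on everything else.
All values below are constructed sample data (assumption for the example)."""
from dataclasses import dataclass

# Constructed approved baseline for a hypothetical storage bucket.
BASELINE = {
    "public_access": False,
    "encryption_at_rest": True,
    "versioning": True,
    "logging": True,
}

# Settings whose drift is reverted automatically rather than alerted only.
# Which settings belong here is a policy choice; this split is an assumption.
AUTO_REVERT = {"public_access", "encryption_at_rest"}


@dataclass(frozen=True)
class Drift:
    key: str
    expected: object
    observed: object
    action: str  # "revert" or "alert"


def detect_drift(baseline, observed):
    """Return one Drift per setting that deviates from the baseline.
    A setting missing from the observed config counts as drift (observed None)."""
    findings = []
    for key, expected in baseline.items():
        actual = observed.get(key)
        if actual != expected:
            action = "revert" if key in AUTO_REVERT else "alert"
            findings.append(Drift(key, expected, actual, action))
    return findings


def remediate(observed, findings):
    """Return a copy of the observed config with auto-revert settings restored
    to their baseline values; alert-only settings are left for human review."""
    fixed = dict(observed)
    for f in findings:
        if f.action == "revert":
            fixed[f.key] = f.expected
    return fixed


if __name__ == "__main__":
    # Constructed drifted state: bucket made public, logging switched off.
    observed = {"public_access": True, "encryption_at_rest": True,
                "versioning": True, "logging": False}
    findings = detect_drift(BASELINE, observed)
    for f in findings:
        print(f"{f.action.upper():6} {f.key}: expected {f.expected}, observed {f.observed}")
    print("after remediation:", remediate(observed, findings))
```

Run against real settings, the same loop would be scheduled continuously and fed from the provider's configuration API rather than from an inline dictionary.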

Defense Strategy: Reduce Attack Paths
Reducing exploitable attack paths requires prioritizing risk based on business impact. Rather than attempting to address every vulnerability equally, organizations should identify which exposures would cause the greatest operational or financial harm and focus there first.

[Figure: Defense Strategy: Reduce Attack Paths (source: Nick Cavalancia).]

This includes minimizing unnecessary privileges, reviewing trust relationships and limiting lateral movement opportunities across cloud services. Continuous improvement, supported by regular measurement and reassessment, helps ensure that defenses evolve alongside the environment.

Defense Strategy: Protect Workloads
Workload protection requires continuous scanning and timely patching. Where patches are unavailable, compensating controls -- such as isolating affected systems or restricting access -- can reduce exposure.

[Figure: Defense Strategy: Protect Workloads (source: Nick Cavalancia).]

Containerized environments introduce additional configuration considerations, reinforcing the need for consistent validation across infrastructure and application layers.

Futureproofing the Defense Strategy
Looking ahead, Cavalancia argued that security must be built around continuous monitoring and identity-first principles. "Continuous monitoring, continuous validation, continuous improvement, maybe we should just have the word continuous here," he said.

He also cautioned that AI-assisted attacks are already influencing the threat landscape, noting that "90% of the decisions being made by that attack were done solely by AI, no human intervention whatsoever." Cross-cloud attack paths, particularly those leveraging federated identity relationships, may further complicate defense efforts as organizations expand their cloud footprints.

[Figure: Futureproofing Your Defense Strategy (source: Nick Cavalancia).]

The overarching message: modern cloud security depends on sustained visibility, disciplined identity governance and operationalized validation processes rather than static controls.

And More
Cavalancia also shared much more of his expertise, examining emerging threats and practical defense strategies, all of which can be seen in the on-demand replay. While replays are fine, especially when timely (this one was just today, after all), one of the best things about attending such online education summits and events live is the ability to have your questions answered by the presenters, a rare opportunity for expert, real-world, one-on-one advice (not to mention the chance to win a prize, in this case a $300 Target gift card provided by sponsor Wiz, which also presented a session). With that in mind, upcoming Virtualization & Cloud Review webcasts and virtual events can be found on the publication's webcast listing page.

About the Author

David Ramel is an editor and writer at Converge 360.
