Cloud Breaches are Runtime Breaches

Cloud security still gets framed as a configuration problem: open storage, overly permissive security groups, the usual “how did this bucket become public?” postmortem.

That’s not wrong. It’s just not the interesting part anymore.

The incidents that really hurt tend to be runtime stories: stolen credentials, abused roles, compromised workloads, and quiet data access through legitimate APIs. In cloud environments, the control plane is the battlefield. And the control plane speaks identity.

The reason runtime matters is that attackers don’t need to crash anything to win. If they can borrow a valid identity—through phishing, token theft, compromised CI, leaked keys—they can operate like an internal system. Enumerate resources. Create new access paths. Read data in ways that look like business as usual. Exfiltrate slowly. Persist quietly. No malware required.

So the architectural question shifts from “did we configure it correctly?” to “what happens when one identity is compromised?”

Containment in cloud is largely about permission design and blast radius. If a single workload identity can read half your data lake, compromise becomes catastrophic by default. If identities are scoped to narrow functions and resources, compromise becomes containable by design.

The second layer is exfiltration resistance. Organisations often instrument networks heavily but treat data access as an application detail. In cloud incidents, data access is the signal. Unusual bulk reads, new export jobs, query patterns that don’t match the identity’s history, access from unfamiliar geographies, or sudden entitlement changes are often the first meaningful signs of real impact. One caveat: most of these signals only exist if data-plane access is logged at all. Provider audit trails record management-plane calls by default, but per-object or per-query read events usually have to be switched on separately, and a detection built on logs that were never enabled is a detection of nothing.
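Here is what those signals look like as detection logic. This is an added example, not code from the original post; the event names, the per-identity baselines and the log stream are all constructed for illustration and roughly follow the shape of a cloud audit trail, so the sets of "entitlement" and "export" event names are assumptions you would replace with your provider's real management API names.

```python
"""Flag runtime breach signals in one hour of constructed audit-log events."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Entitlement changes worth an alert in their own right, baseline or not.
# Assumed list for the example; map to your provider's management events.
ENTITLEMENT_EVENTS = {
    "AttachUserPolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
    "CreateAccessKey", "CreateLoginProfile", "AddUserToGroup",
}
# Read-style data access counted toward bulk-read detection (assumed names).
READ_EVENTS = {"GetObject", "Query", "Select"}
# Bulk-export mechanisms; new to an identity means worth a look (assumed names).
EXPORT_EVENTS = {"CreateExportTask", "StartExportJob", "CreateJob"}


@dataclass(frozen=True)
class Baseline:
    """Per-identity history summarised from earlier logs (constructed here)."""
    reads_per_hour: float
    countries: frozenset
    event_names: frozenset


EMPTY = Baseline(0.0, frozenset(), frozenset())


def detect(events, baselines, bulk_factor=5.0, min_reads=50):
    """Return (identity, rule, detail) findings for a one-hour window.

    events: dicts with keys identity, event, country.
    baselines: identity -> Baseline; an identity with no baseline has no
    history, so every country and export path it uses is 'new'.
    """
    findings = []
    reads = Counter()
    seen_countries = defaultdict(set)
    for e in events:
        ident, name, country = e["identity"], e["event"], e["country"]
        base = baselines.get(ident, EMPTY)
        if name in ENTITLEMENT_EVENTS:
            findings.append((ident, "entitlement_change", name))
        if name in EXPORT_EVENTS and name not in base.event_names:
            findings.append((ident, "new_export_path", name))
        if country not in base.countries and country not in seen_countries[ident]:
            seen_countries[ident].add(country)  # report each new country once
            findings.append((ident, "new_geography", country))
        if name in READ_EVENTS:
            reads[ident] += 1
    # Bulk read: volume both above an absolute floor and well above the
    # identity's own history, so a quiet identity cannot hide under a global threshold.
    for ident, n in reads.items():
        base = baselines.get(ident, EMPTY)
        if n >= min_reads and n > bulk_factor * base.reads_per_hour:
            findings.append((ident, "bulk_read",
                             f"{n} reads vs ~{base.reads_per_hour:.0f}/h baseline"))
    return findings


def sample_findings():
    """Run detect() over a constructed log stream (not real data)."""
    baselines = {
        "svc-reporting": Baseline(10.0, frozenset({"DE"}), frozenset({"GetObject", "Query"})),
        "alice": Baseline(2.0, frozenset({"DE", "NL"}), frozenset({"GetObject"})),
    }
    events = [{"identity": "svc-reporting", "event": "GetObject", "country": "DE"}] * 120
    events += [
        {"identity": "alice", "event": "GetObject", "country": "NL"},          # normal
        {"identity": "alice", "event": "AttachUserPolicy", "country": "BR"},   # escalation, new geo
        {"identity": "alice", "event": "CreateExportTask", "country": "BR"},   # new export path
        {"identity": "alice", "event": "GetObject", "country": "BR"},
        {"identity": "alice", "event": "GetObject", "country": "BR"},
        {"identity": "alice", "event": "GetObject", "country": "BR"},
    ]
    return detect(events, baselines)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

The service account's 120 reads in an hour against a history of about 10 is the "business as usual until you line it up with intent" case: no single event is suspicious, only the volume relative to that identity's own baseline is. The entitlement change is reported unconditionally, which is the "first-class event" treatment the text argues for.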

This is where “assume breach” stops being a slogan and becomes architecture. Segment environments and sensitive workloads with strong boundaries. Make privilege escalation difficult. Lock down cross-account trust. Monitor entitlement changes as first-class events. Treat outbound paths as part of the security boundary. Build the ability to revoke credentials quickly without breaking everything.
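The blast-radius question from the containment paragraph above, and the cross-account trust point in this list, can both be made concrete by treating permissions and role trust as a graph and asking what one compromised identity can reach. The following is an added example, not code from the original post. It uses a deliberately simplified IAM model: identity policies grant (action, resource pattern) pairs, a role's trust policy names the principals that may assume it, and the sentinel "ACCOUNT" stands for the common root-principal trust, where any principal in the account may assume the role provided its own policy grants sts:AssumeRole on it. Principal names and data store paths are constructed.

```python
"""Blast radius of one compromised identity as reachability over permissions and trust."""
from collections import deque
from fnmatch import fnmatchcase

# Constructed inventory of data stores (what we do not want read in bulk).
DATA_STORES = [
    "data-lake/orders/2024", "data-lake/orders/2023", "data-lake/customers/pii",
    "data-lake/finance/ledger", "backups/db-snapshots",
]


class Environment:
    """grants: principal -> set of (action, resource_pattern).
    trust:  role -> set of principal names allowed to assume it; "ACCOUNT"
            means any principal in the account that also holds an identity-policy
            grant of sts:AssumeRole on that role (simplified model, see lead-in)."""

    def __init__(self, grants, trust):
        self.grants = grants
        self.trust = trust

    def allows(self, principal, action, resource):
        return any(a == action and fnmatchcase(resource, pattern)
                   for a, pattern in self.grants.get(principal, ()))

    def can_assume(self, principal, role):
        trusted = self.trust.get(role, set())
        if principal in trusted:
            return True  # explicitly trusted; no identity policy needed
        return "ACCOUNT" in trusted and self.allows(principal, "sts:AssumeRole", f"role/{role}")

    def reachable_principals(self, start):
        """Breadth-first walk over assumable roles, including chained assumption."""
        seen, queue = {start}, deque([start])
        while queue:
            current = queue.popleft()
            for role in self.trust:
                if role not in seen and self.can_assume(current, role):
                    seen.add(role)
                    queue.append(role)
        return seen

    def blast_radius(self, start):
        """Data stores readable by `start` directly or via any role it can reach."""
        readable = set()
        for principal in self.reachable_principals(start):
            readable |= {d for d in DATA_STORES if self.allows(principal, "read", d)}
        return readable


def build_environments():
    """Two constructed designs for the same workload: broad and scoped."""
    broad = Environment(
        grants={
            "etl-worker": {("read", "data-lake/*"), ("sts:AssumeRole", "role/*")},
            "data-admin": {("read", "*")},
            "vendor-analytics": {("read", "data-lake/customers/*")},
        },
        # Root-principal trust: anyone in the account with AssumeRole can get in.
        trust={"data-admin": {"ACCOUNT"}, "vendor-analytics": {"ACCOUNT"}},
    )
    scoped = Environment(
        grants={
            "etl-worker": {("read", "data-lake/orders/2024")},  # only what the job needs
            "data-admin": {("read", "*")},
            "vendor-analytics": {("read", "data-lake/customers/*")},
        },
        # Trust names specific principals; the worker is not among them.
        trust={"data-admin": {"break-glass-operator"},
               "vendor-analytics": {"vendor-account-principal"}},
    )
    return broad, scoped


if __name__ == "__main__":
    for label, env in zip(("broad", "scoped"), build_environments()):
        print(label, sorted(env.reachable_principals("etl-worker")),
              sorted(env.blast_radius("etl-worker")))
```

In the broad design the ETL worker's token is worth the whole estate: it reads most of the lake directly and, because the admin role trusts the account root and the worker holds a wildcard AssumeRole grant, it inherits everything else one hop away. In the scoped design the same compromise yields one prefix. Nothing about the attacker changed; only the permission design and the trust policies did, which is the sense in which containment here is architecture rather than response.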

Cloud breaches are often less dramatic than people expect. They look like normal operations until you line them up with intent. That’s why the win condition isn’t perfection. It’s early detection and fast containment.