Following the rise of the cloud, securing said cloud has become a hot topic. It has turned out to be a unique discipline with its own challenges, but why? What makes it different from IT security in general? We’ll be delving into this in a roundtable discussion with experts from Conscia, PQR, Tesorion, Thales, and Upwind Security.
Cloud security in 2025 is not just in vogue, but also big business. This is evident from Google’s record acquisition of Wiz for $32 billion. Steven Duckaert, Solution Architect at Upwind Security, calls the acquisition “impressive” and sees it as a good thing for the market in general. He explains the high price tag Google parent company Alphabet paid by pointing to the enormous addressable market. Google doesn’t have the best reputation when it comes to acquisitions, according to Duckaert, so we’ll have to wait and see whether Wiz disappears behind a lock-in.
Steven Maas, Sales Director Data & Application Security BeNeLux at Thales, explains the Wiz deal as follows: “Google owns just under 15 percent of the public cloud market. They are known for other things than their cloud business, so they need to make moves like this one.” According to Erik de Jong, Chief Research Officer at Tesorion, the Wiz acquisition could in the end be detrimental to customers; consolidation in the market rarely leads to lower prices. Wesley Swartelé, System Architect at Conscia Belgium, also knows that a solution such as Wiz’s often disappears into the larger suite. “By that point, you’ve lost it as an option,” he concludes.
Strategic Architect at PQR Andre Honders takes Google’s move one step further. “The focus in 2025 will be on cloud security.” To see why and how, we need to understand the difference between the challenge of securing the cloud and the traditional on-premise environment. Or, knowing that there is no such thing as a stupid question: what is cloud security anyway?
Someone else’s data center, or more than that?
“The cloud is having your operations occur in someone else’s data center,” summarizes Steven Maas. “You’re using the resources of a third party, but it’s important to retain control yourself.” There are plenty of ways to make this happen: bring your own key, the use of management platforms that combine public cloud(s) and on-prem, and so on. This is where the shared responsibility model comes into play. “As a customer, you remain responsible, wherever your data is located. It’s very simple,” says Maas. Erik de Jong adds some nuance: “That responsibility can change outside of your control.” He’s referring to EUregulations such as NIS2 and the Cyber Resilience Act (CRA), laws that place increasingly high demands on organizations, forcing them to take action. In the event of data loss, they cannot point the finger at someone else if they did not have their own security posture in order.
An important complicating factor in all this is that customers don’t always know what’s happening in cloud data centers. At the same time, De Jong acknowledges that on-premises environments have the same problem. “There’s a spectrum of issues, and a lot of overlap,” he says, something Wesley Swartelé agrees with: “You have to align many things between on-prem and cloud.”
Andre Honders points to a specific aspect of the cloud: “You can be in a shared environment with ten other customers. This means you have to deal with different visions and techniques that do not exist on-premises.” This is certainly the case. There are plenty of worst case scenarios to consider in the public cloud. For example, what if a configuration error at the hyperscaler gives one customer access to another customer’s memory or storage?
Steven Duckaert, on the other hand, argues that many solutions are suitable for both on-premises and cloud environments. “Why buy a Ferrari for the cloud and a cheaper car for on-premises? The risk is just as great,” he states. In fact, organizations are more likely to be aware of risk in an on-premises environment because they have control over everything themselves. “The C-suite isn’t losing sleep over a security solution for each environment,” Duckaert continues. He notes that cloud security vendors also offer solutions for on-premises. “Customers also use SaaS from Upwind to protect their environments. You need runtime context to avoid getting too many alerts.”
This is how cloud security and general security are merging again. During the conversation, we constantly hear how, in essence, the requirements and wishes are largely the same; after all, the on-premises location is also a cloud. Nevertheless, De Jong from Tesorion reminds us that it “helps to put a label” on a particular point of attention. He notes that Microsoft identifies five security domains, “but that’s a matter of perception.” In other words, the division of security fields is a useful one, but not set in stone.
It’s a scale issue
Steven Maas does see added value in the move to cloud platforms, which present a fundamentally different offering from on-premises solutions. “You can assume that the cloud provider will organize matters better than you can on your own. This is often the case,” he says, a view shared by both De Jong and Honders, far beyond issues such as fire prevention inside data centers and redundancies. As a result, organizations can target their questioning more precisely. “What happens to the data? Who has access to it? Is it encrypted? And so on and so forth,” says Maas from Thales. “Control must remain with the customer, regardless of where it is stored. Encrypting data, tokenizing it, making it quantum secure—you have to set that up yourself.”
However, a major bottleneck remains the lack of qualified personnel. We hear this all the time when it comes to security. And in other IT fields too, as it happens, meaning one could draw a society-wide conclusion. Nevertheless, staff shortages are perhaps more acute in this sector. Erik de Jong sees society as a whole having similar problems, at any rate. “This is not an IT problem. Just ask painters. In every company, a small proportion of the workforce does most of the work.” Wesley Swartelé agrees it is a challenge for organizations in this industry to find the right people. “Finding a good IT professional with the right mindset is difficult. These are people who work beyond 9-to-5: reading about the latest developments, having their own lab at home. Developments never stop. The field is evolving so quickly.” One does not simply find these people, and even if one does, good luck retaining them without a hefty sum.
Steven Duckaert points to another aspect, namely AI. The technology is often characterized as an addition to software to help simplify matters. However, nothing could be further from the truth, he says: “AI tooling is difficult for defenders. Security is really complex.”
The reality: between over- and underestimation
Now that we have a better picture of cloud security as a whole, let’s shift to the practical reality of 2025. What is the state of cloud security in practice? Wesley Swartelé sees that an unquestioned adoption of the cloud is something that can’t be taken for granted. The emergence of the cloud was met by a flurry of excitement and far too few critical stances, but this has now changed, he says. Said change has occurred largely out of legal necessity, as mentioned earlier, but organizations also simply do not want to transfer all their data to someone else anymore. “People may now say: ‘No more data to the cloud’,” Swartelé observes. “When it comes to encryption, organizations demand control over the keys. These have been spurred on by recent legal developments and more stringent requirements, such as NIS2. Some large organizations are even overly focused on this specific need to encrypt everything and secure the keys.”
The focus on encryption raises the question of whether this is the right path to take. Steven Maas points to the unpredictable factor here: the geopolitical reality of 2025, with all the risks that this reality entails. “What is the local government doing? Encryption is one of the means of maintaining control.” Erik de Jong argues that awareness of the potential disadvantages of US cloud adoption should have been existent ten years ago. “Change can happen at the European level. But from the perspective of a single EU member, there’s no chance of putting things in order.”
Swartelé sees hybrid cloud as the ideal solution. However: “As Europe, we are too late”, he says, referring to the inability to provide a real European counterweight to AWS, Azure, and Google Cloud. Maas sees it differently: “Alternatives are coming, including for the creation of a national cloud [editorial note: in this case, Maas is referring to the Netherlands].” De Jong remains realistic: “As an end customer, there is still no alternative that’s a few clicks away.” Perhaps that is the crux of the matter: technically speaking, all the functionality may be available with European tools, but these tools lack simplicity.
Motivation through damage and disgrace
We have mentioned the importance of legislation several times. Is there already intrinsic motivation among organizations to secure the cloud? Steven Duckaert believes that the right regulation provides good guardrails. “Harvest now, decrypt later is a risk. But storing the keys is already fairly easy.” He notes a lot of attention to misconfigurations, “but unfortunately this also generates alert fatigue.”
Erik de Jong notes that such matters vary greatly on a per-customer basis. “We call it intrinsic motivation, but that ‘motivation’ comes from ransomware attacks that you see everywhere. Risk perception has become more realistic.”
Steven Maas sees a clear shift in this area: “The fact that a cyberattack can bring one’s entire production line to a standstill is a tipping point for many companies.” He cites local examples such as the cyberattack and subsequent data breach at Duvel Moortgat. “There’s definitely awareness: there are costs involved, but you have to sell this type of security as an investment. You want to protect your crown jewels.” Andre Honders distinguishes between company sizes: “For SMEs, the solution has to work right away; they’re not going to invest in IT.”
Conclusion: moving on to asking the right questions
We can see that cloud security is not only a mature discipline, but that there are many reasons to adopt it. This is recognized by the experts at the table, who each view the cloud security playing field from a different angle. There are plenty of answers from both Wiz and the many other startups, security platforms, and hyperscalers. However, it is up to the customer to ask the right questions to which some of these solutions can be the answer. Reluctance to do so has been duly noted. For this reason, we will devote a later article to what exactly those questions are, from SMEs to enterprises. And, more importantly: what those questions ought to be.
For now, it is clear that cloud security touches on aspects of the IT sector that are highly topical. Cyber threats are everywhere, with attackers finding it increasingly easy to strike. That is why there are numerous terms such as CNAPP, CSPM, CWPP, DSPM, and more. In a later article, we will dive deep into this complexity and see how organizations may wish to deal with it, taking the input from the same experts we featured today. These solutions ranges from low-hanging fruit to convincing the business side of an organization, something that security specialists have to do on a daily basis.
Read also: No time to wait in the era of agentic AI