Threat actors are nothing if not resourceful. When they find that a particular pathway is blocked, they don’t give up. Instead, they simply search for another. Just take a look at Google’s latest Cloud Threat Horizons Report for H1 2026. Google Cloud has built a robust set of best practices into its platform to minimise the opportunities for identity compromise and abuse. So, what did the bad guys do in the second half of 2025? They simply switched their initial access efforts from credential compromise to vulnerability exploitation.
It’s one of several interesting insights from the report that could help CISOs as they work to continuously improve their security posture.
From Bugs to Breaches
Two charts illustrate perfectly the dynamic nature of today’s threat landscape: one detailing initial access vectors exploited in Google Cloud, and the other a platform-agnostic version. In Google Cloud, “weak or absent credentials” were responsible for just 27% of breaches in the second half of 2025, down from 47.1% in the previous six months. By contrast, exploitation of third-party software vulnerabilities accounted for 45% of breaches, up from just 3% in H1 2025.
Although the latter attacks are “more sophisticated and costly” for threat actors, attackers are also getting better at them. The window between vulnerability disclosure and mass exploitation has dropped from weeks to just days or hours, says Google. React2Shell was one of the most popular targets for exploitation last year – resulting in a major breach at LexisNexis, among several other companies.
When we look at the picture across all platforms, however, identity reasserts itself as the primary attack vector for incidents involving major cloud and SaaS-hosted environments – accounting for 83% of initial access. Vulnerability exploitation accounted for just 2% last year. Looking at specifics within identity, vishing (17%) was more popular than email phishing (12%). But more common than both was the use of stolen credentials (21%) and the compromise of trusted relationships with third parties (21%), such as the infamous Salesforce Drift OAuth campaign.
Be More Google
The report not only provides a useful snapshot of current threat trends, it also shows what’s working defensively. In an ideal world, CISOs would be able to emulate Google Cloud’s defence-in-depth and secure-by-default approach to block as many initial access pathways as possible. From an identity perspective this means:
- Enforcing the principle of least privilege and regularly auditing/removing excessive permissions
- Replacing permissive firewall rules with identity-centric proxies, in order to protect administrative interfaces from remote code execution (RCE) and stolen passwords
- Enforcing context-aware, phishing-resistant MFA (eg hardware keys or passkeys)
- Restricting the data that third-party applications can access (ie via OAuth integration)
- Establishing strict verification protocols for IT help desk staff (eg requiring visual verification on a video call or secondary manager approval) in order to mitigate vishing attempts
The principle of “secure by default” is one of the most effective ways to reduce risk in modern cloud environments, argues Vysiion CTO, Peter Clapton.
“Platforms should ship with strong baseline protections for identity, authentication, and privilege management so organisations are not reliant on administrators to configure numerous controls correctly before achieving protection,” he tells IO (formerly ISMS.online). “In cloud environments, where infrastructure can be deployed rapidly and at scale, these default guardrails significantly reduce the likelihood of misconfiguration becoming an entry point for attackers.”
However, secure by default should be considered a baseline. “Identity has effectively become the modern security perimeter, so organisations still need strong governance, monitoring and least-privilege access policies across users, service accounts, and third-party integrations to manage risk effectively,” says Clapton.
CISOs could also follow Google’s advice on mitigating vulnerability exploitation, as outlined in the report. This includes updating patching policy so that newly disclosed CVEs are virtually patched within 24 hours and fully remediated within 72 hours. Automated vulnerability scanning will help support these efforts by finding unpatched software.
“Security teams should prioritise vulnerabilities based on exploitability, exposure, and asset criticality rather than relying purely on CVSS scores,” advises Clapton. “Integrating vulnerability scanning into development pipelines and maintaining visibility of rapidly changing cloud assets is critical.”
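As an added example (not code from the report, the article or any vendor quoted in it), the 24-hour virtual-patch and 72-hour remediation windows above, together with Clapton's advice to rank by exploitability, exposure and asset criticality rather than raw CVSS, can be encoded as a small triage routine over scan findings. The findings, asset names and CVE-style identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# SLA windows from the report's guidance quoted in the article.
VIRTUAL_PATCH_SLA = timedelta(hours=24)
REMEDIATION_SLA = timedelta(hours=72)

@dataclass
class Finding:
    cve: str                  # constructed placeholder, not a real CVE id
    asset: str
    cvss: float
    exploited_in_wild: bool   # exploitability: known active exploitation
    internet_facing: bool     # exposure
    criticality: int          # asset criticality, 1 (low) .. 3 (crown jewels)
    disclosed: datetime
    virtually_patched: bool = False
    remediated: bool = False

def priority(f: Finding) -> int:
    """Weight exploitability, exposure and criticality above the raw CVSS score."""
    score = f.criticality * 10
    score += 30 if f.exploited_in_wild else 0
    score += 20 if f.internet_facing else 0
    return score + int(f.cvss)   # CVSS only separates otherwise-equal findings

def sla_status(f: Finding, now: datetime) -> str:
    """'ok', 'virtual_patch_overdue' or 'remediation_overdue' for one finding."""
    age = now - f.disclosed
    if not f.remediated and age > REMEDIATION_SLA:
        return "remediation_overdue"
    if not f.remediated and not f.virtually_patched and age > VIRTUAL_PATCH_SLA:
        return "virtual_patch_overdue"
    return "ok"

def triage(findings, now):
    """Open findings ranked by priority, each with its SLA state."""
    open_items = [f for f in findings if not f.remediated]
    ranked = sorted(open_items, key=priority, reverse=True)
    return [(f.cve, priority(f), sla_status(f, now)) for f in ranked]

# Constructed sample data; identifiers are placeholders, not real CVEs.
NOW = datetime(2026, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", "internal-build-server", 9.8, False, False, 1, NOW - timedelta(hours=5)),
    Finding("CVE-EXAMPLE-0002", "public-web-frontend", 7.5, True, True, 3, NOW - timedelta(hours=30)),
    Finding("CVE-EXAMPLE-0003", "hr-database", 6.1, False, False, 3, NOW - timedelta(hours=80), virtually_patched=True),
]
```

Note that the CVSS 9.8 finding on an isolated, non-exploited internal host ranks last, while the actively exploited, internet-facing finding with a lower score ranks first and is already past its virtual-patch window.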
The ISO Difference
However, Keeper Security CISO Shane Barney argues that, while Google Cloud’s secure-by-default posture is great for its customers, most enterprises operate in hybrid and multi-cloud environments where those controls don’t extend in a consistent manner.
“The priority for CISOs should not be replicating a single provider’s model, but ensuring consistent security outcomes across all environments. That means enforcing identity-first security controls that travel with the user, rather than the platform itself,” he tells IO.
“A ‘secure-by-default’ posture is only effective when it is reinforced by a zero trust model that assumes no identity or system can be implicitly trusted, enforces least-privilege access to eliminate standing permissions, and applies continuous verification and session monitoring to detect and contain misuse in real time – particularly across privileged accounts.”
Fortunately, CISOs have an ally in the form of best practice standards and frameworks like ISO 27001.
“Frameworks like ISO/IEC 27001 provide a critical foundation by formalising controls across vulnerability management, identity and access governance, and security awareness,” Barney continues. “They translate regulatory intent into structured, auditable practices for managing information risk, embedding controls across access management, vulnerability remediation and incident response that can scale across complex, cloud-driven environments.”
KnowBe4 lead CISO advisor, Javvad Malik, is also a proponent of formalised best practice approaches like this, as long as the intent is not “tick-box” compliance.
“Standards such as ISO27001 are useful because they can steer organisations to get the fundamentals in place such as asset management, patching, access control, incident response, human risk and so forth,” he tells IO.
“In isolation, the standards themselves may have limited value, particularly if organisations only go about these for the sake of compliance. They should be used to build strong governance, be embedded into day-to-day operations and underpin the overall security culture so that secure choices are the normal and preferred choices.”