Cloud Security: The Neglected Child of Cybersecurity?

Nicolas Bessi
A Surprising Observation
After attending several cybersecurity conferences, including the most recent Insomni'Hack 2025, a paradox has emerged: while more than half of enterprise systems and the Internet rely on the cloud, discussions, dedicated conferences, CTFs, and workshops focused on cloud security remain largely underrepresented.
Why is there such a gap, especially when AI and regulatory compliance dominate conversations and are inherently tied to cloud infrastructures? Here are some key reflections.
A Vast and Complex Domain
Cloud security is an extensive field that encompasses multiple facets:
- FinOps and resources management
- Architecture and networking
- CI/CD and automation
- Compliance and security posture
- Container and service security
- Identity and Access Management (IAM)
- DevOps processes and workflow management
- Incident detection and response
This broad ecosystem makes cloud security an "umbrella term" that requires mastering a wide range of technologies even before addressing security-specific concerns.
The Segmentation of Cloud Platforms
Another factor contributing to the lack of visibility for cloud security is the fragmentation of cloud ecosystems. Unlike more universally adopted technologies such as Kubernetes, each hyperscaler (AWS, Azure, GCP, etc.) has its own environment with distinct paradigms and technologies. We can illustrate that state with a simple example. Using a managed Posgresql service on AWS, GCP or Azure is a totally different experience, the products vary greatly from their config network specificity, pricing, custom implémentation backup and replication paradigm. Deep expertise in one platform does not necessarily translate to another, making it challenging to organize talks and training sessions outside platform-specific events.
High Costs for Cloud Security Events
The constraints mentioned above lead to high costs for organizing cloud security events or CTFs. Creating engaging, multi-cloud challenges requires significant spending on cloud credits and infrastructure, discouraging such initiatives.
How to Reverse the Trend?
Given the scarcity of initiatives in this domain, here are some strategies to improve the situation:
Target Accessible Topics
Rather than always approaching cloud security from the perspective of lateral movements and complex attacks, focusing on more practical topics—such as limiting cost overruns due to DevOps errors—could reach a wider audience.
Increase Awareness from Early Education
Cybersecurity education in engineering schools and IT curricula still places little emphasis on cloud infrastructure security. Integrating these topics into academic programs and offering dedicated bootcamps could help develop a new generation of well-prepared professionals.
Develop Recognized and Accessible Certifications
Cloud security certifications such as AWS Security Specialty, Google Professional Cloud Security Engineer, and Azure Security Engineer exist but are often seen as complex and expensive. Promoting micro-certifications or sponsored, accessible training could help democratize the field.
Fund Open-Source Content and Accessible Labs
Multi-cloud CTFs are costly, but providing open-source test scenarios in the form of locally hosted challenges (e.g., Terraform, Kubernetes, vulnerable containers) could encourage more professionals to practice without infrastructure costs.
Encourage Experience Sharing (Post-Mortems, Lessons Learned)
Conferences often highlight sophisticated attacks, but real-world cloud security incidents are rarely discussed. Emphasizing anonymized post-mortems and lessons learned could facilitate the adoption of best practices.
Promote “Security as Code” and Automation
Companies are adopting DevOps, yet cloud security remains largely manual. Highlighting security automation tools (IaC Security, Policy as Code, CNAPP, CSPM, SIEM Cloud) in practical talks and workshops could better capture audience interest.
Conclusion
Cloud security suffers from a lack of recognition in conferences and training programs despite its crucial importance. Its vast scope, complexity, and costs make it a challenging topic to popularize. However, by adapting educational approaches, diversifying discussion topics, and strengthening partnerships with industry players, it is possible to better integrate cloud security into the cybersecurity ecosystem and bridge this gap.
Career
Interested in working in an inspiring environment and joining our motivated and multicultural teams?