State of Security 2025: Cloud Security


Cloud security has been one of the most disruptive areas of investment in the overall cyber security landscape, with Fortune Business Insights putting its value at US$43.7 billion ($68.4 billion) in 2024, and rising to $156.2 billion ($244.6 billion) by 2032.

That growth is being fuelled both by the overall rapid uptake of cloud services, and by the realisation that in infrastructure-as-a-service, cloud workloads still demand many of the same security protocols as their on-premises counterparts.

According to Gartner’s research vice president for cloud security and security operations, Craig Lawson, one of the key differences between cloud and on-premises cyber security is the so-called shared responsibility model offered by providers, which sets out what role they will play as compared to that expected of the user.

Lawson said each flavour of cloud also has its own variation of shared responsibility, and it is critical that users understand what that is.

“IaaS still demands vulnerability assessment and patching and configuration of firewalls and DNS,” Lawson said. “I still have to do all of that stuff that we have been doing in infrastructure security for ever, but just in a different form factor.”

There was, however, at least one security consideration that remained consistent across all cloud variants.

“Identity is the new firewall when you talk to cloud – that underpins everything,” Lawson said.

This focus on access control was a key driver behind the emergence of Cloud Access Security Broker (CASB) technology, which Lawson said played a key role in managing access to cloud applications.

The global CASB market was estimated by Grand View Research to be worth US$9.44 billion ($14.8 billion) in 2024, and anticipated to grow at a compound annual growth rate of 18.3 per cent from 2025 to 2030.

According to Lawson, the growth of CASB is being towed along by the rapid growth of SaaS solutions and the need for better access control down to the file and field level.

Growth of the cloud security market is also likely to be boosted by the rapid adoption of AI services, many of which were cloud-hosted and delivered through SaaS models.

However, Lawson said at this time it is difficult to determine exactly what elements of a cyber security solution would be needed to secure cloud-based AI implementations.

“As generative AI takes off, there will be a security element to that, and that won’t be a traditional endpoint or a traditional SIEM or a traditional firewall,” Lawson said.

For security buyers, Lawson said the evolution of cloud solutions is making it increasingly difficult to determine exactly where the role of a cloud provider should end, and where that of a dedicated security solution provider should start.

Lawson pointed out that the biggest providers of firewall technology in the public cloud sector were already the three largest hyperscalers, and their ambitions for market dominance meant their investments in security capabilities would only increase over time.

“They need to have wraparound security technology to make the case that they are a more secure environment to build on top of,” Lawson said. 

“Some of the biggest competitors in cloud security are the cloud providers themselves, and they are in a pitched battle because the more security stuff one has means it can make a better case against another.” - Craig Lawson, research vice president for cloud security and security operations, Gartner

SA Power Networks tackles cloud security

A key action item in SA Power Networks’ recently released cyber security strategy for 2025-2030 relates to cloud security. Specifically, the company will “implement a cloud security platform to enable the identification of vulnerabilities and misconfigurations specific to the cloud environment, such as unprotected storage, and to minimise the chances of attackers exploiting these cloud-related risks.”

It’s only in the past 12-to-18 months that SA Power Networks has “started doing its own in-house proper modern developments” to run in the cloud, head of cyber security and IT resilience Nathan Morelli said.

It is now looking to ‘shift left’ some security responsibilities to software developers, rather than rely on the security team identifying concerns later in the development cycle.

SA Power Networks has drawn up some DevSecOps principles for development teams to follow, supported by a combination of guardrails incorporated into CI/CD tooling and new-found visibility into its cloud services courtesy of a recent adoption of Wiz software. At the same time, it is looking to move into the infrastructure-as-code (IaC) space to embed security and secure thinking into the way cloud services are stood up and scaled according to need.

While there is some native tooling in the Azure ecosystem, Morelli noted this tooling wasn’t necessarily as “intuitive” as Wiz, nor was it as helpful in identifying risk assets or potential attack paths.

“We're a big attack path kind of team. We like that approach of [identifying] attack paths, where are your risk assets and what is the quickest way to get to them? Some of the work we've been doing in Wiz is around attack paths, and that's just not natively available in Azure.”

Cloud ‘proliferation’ in the higher education sector

For AUSCERT director and University of Queensland CISO, David Stockdale, cloud security is “one of the biggest challenges” he’s observed in the past few years.

This has coincided with the expansion of cloud environments inside of organisations, which has resulted in a “sprawl” of SaaS applications and “proliferation” of infrastructure- and platform-as-a-service (IaaS/PaaS).

Stockdale said the university has “done quite a bit of work in the past 12 months to assess our SaaS utilisation and evaluate the security posture of these services.” 

“We've also spent a lot of time in understanding where we have allowed use of IaaS and PaaS, and how we get better control over the data that sits in these environments,” he said.
