NTT DATA’s Cloud and Security in Ibero-America 2025 study found that 80.38% of organizations see cybersecurity as one of the most critical challenges in cloud adoption. That level of awareness matters, but it does not solve the problem. As hybrid and multicloud architectures become more complex, they widen the attack surface and introduce risks that can quickly become business vulnerabilities if organizations fail to address them in an integrated way.
Many organizations still assume that cloud security begins and ends with the provider. That assumption is one of the fastest ways to create unnecessary exposure. Hyperscalers may offer highly secure infrastructure, but under the shared responsibility model, organizations remain responsible for how they configure their environments, manage access, and protect their own data and applications. When that responsibility is poorly defined or only partially understood, misconfigurations, weak identity controls, and inconsistent policies across platforms are almost inevitable.
Limited visibility and too much access
A second challenge is the lack of unified visibility. In multicloud environments, workloads, users, and data are distributed across multiple platforms and SaaS services. When teams rely on disconnected tools to manage those environments, they lose the unified view they need to assess risk, set priorities, and respond consistently.
The problem becomes more serious as identities and permissions multiply. As cloud architectures scale, excessive privileges and uncontrolled access tend to expand with them, not only for people but, in the age of AI, for intelligent agents as well. Without rigorous identity and access management, the risk of exposure rises quickly.
Security from the start
Another common mistake is treating security as something to address after deployment. In modern cloud environments, where speed and scalability are essential, that approach no longer works. Organizations need to build security in from the start by applying security-by-design principles and automating controls that detect configuration drift, protect workloads, and secure applications before they reach production.
Workforce capability has also become a critical factor. Gaps in specialized cloud security expertise create openings that malicious actors are quick to exploit. In practice, many vulnerabilities stem less from the technology itself than from operational failures, poor decisions, or the absence of the right processes.
Consistent governance in complex environments
Many organizations also underestimate the difficulty of securing hybrid and multicloud environments consistently. Each provider comes with its own control models, interfaces, and configuration parameters. Without a strategy that aligns policies, monitoring, and response criteria across environments, security management becomes fragmented and harder to scale.
From mature security to cyber resilience
There are signs of progress. Nearly 55% of organizations say they already have defined security controls in place for cloud environments. Still, the gap between basic protection and true resilience remains significant. Effective protection depends on combining 24/7 monitoring, cyber resilience, and robust incident response strategies that reduce financial losses, protect corporate reputation, and preserve customer trust.
Companies will capture the full value of multicloud only when they treat the protection of data, applications, and infrastructure as a strategic capability. That is what gives companies the confidence to keep innovating on secure foundations.
At NTT DATA, we help clients strengthen security and resilience so they can translate sound practices into measurable business outcomes.