
Top Cloud Security Challenges in 2025 and What to Expect in 2026


Cloud is no longer a “nice to have” — it’s where businesses in Malaysia are running their most critical operations today. From banking apps to e-commerce platforms, everything depends on cloud speed and flexibility. But as more data and systems move to the cloud, attackers are also shifting their focus.

In 2025, companies are learning the hard way that the cloud isn’t automatically secure. Misconfigurations, weak access controls, and gaps between different cloud providers are opening the door for cybercriminals. And with new risks like AI-driven attacks and supply chain compromises, the challenge is getting tougher.

This blog looks at the biggest cloud security challenges in 2025 and what Malaysian enterprises should prepare for in 2026 — with practical steps to stay ahead.

Malaysia in 2025

Malaysia is moving fast on cloud adoption. A recent survey showed that more than 70% of Malaysian enterprises are running workloads on public or hybrid cloud, driven by digital transformation in banking, retail, and government services. The rollout of 5G and the rise of fintech players are also pushing businesses to modernize IT quickly.

At the same time, regulators are paying closer attention. Bank Negara Malaysia (BNM) has issued strict guidelines on cloud outsourcing for financial institutions, and the Personal Data Protection Act (PDPA) continues to shape how companies manage sensitive data. In 2025, compliance is not just a checkbox — it’s becoming a business requirement for winning customer trust.

But here’s the challenge: while adoption is high, many Malaysian companies still face shortages of skilled cloud security professionals, and over-reliance on third-party providers is creating new risks. This combination of rapid growth, tighter regulations, and limited in-house expertise makes it crucial for enterprises in Malaysia to rethink their cloud security strategy.

Top Cloud Security Challenges in 2025

Cloud has unlocked speed and scale for Malaysian businesses, but it also comes with risks that are growing sharper every year. Below are the biggest cloud security challenges we’re seeing in 2025 — and why they matter for enterprises in Malaysia.

1. Cloud Misconfigurations and Insecure Defaults

One of the oldest cloud risks is still the most common. A simple mistake, like leaving a storage bucket public or not enabling encryption, can expose millions of records. Attackers constantly scan the internet looking for this “low-hanging fruit.”

In Malaysia, regulators like Bank Negara Malaysia have flagged misconfigurations as a major risk for financial services. Yet, many businesses still rely on manual reviews, which don’t scale across multi-cloud environments.

Mitigation: Use automated Cloud Security Posture Management (CSPM) tools that continuously scan and fix misconfigurations before attackers find them.
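The kind of check a CSPM tool automates for the two mistakes named above (a public bucket, encryption not enabled), added here as an illustration; it is not code from the original post or from any vendor product. The settings layout borrows AWS S3 field names as an assumption, and the inventory is constructed sample data.

```python
# Added example: offline posture check over constructed bucket settings.
# Field names follow AWS S3 conventions (an assumption of this sketch).
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _is_anonymous(principal):
    """True when a policy Principal matches everyone ("*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_bucket(cfg):
    """Return a sorted list of finding IDs for one bucket's settings."""
    findings = set()
    pab = cfg.get("PublicAccessBlock") or {}
    if not all(pab.get(flag) is True for flag in PAB_FLAGS):
        findings.add("public-access-block-incomplete")
    statements = (cfg.get("Policy") or {}).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if (stmt.get("Effect") == "Allow"
                and _is_anonymous(stmt.get("Principal"))
                and not stmt.get("Condition")):  # conditional grants need manual review
            findings.add("policy-allows-anonymous")
    rules = (cfg.get("Encryption") or {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               for r in rules):
        findings.add("no-default-encryption")
    return sorted(findings)

# Constructed sample inventory (not real buckets).
INVENTORY = [
    {"Name": "orders-export", "PublicAccessBlock": None, "Encryption": None,
     "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::orders-export/*"}]}},
    {"Name": "ledger-archive",
     "PublicAccessBlock": dict.fromkeys(PAB_FLAGS, True),
     "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                               {"SSEAlgorithm": "aws:kms"}}]},
     "Policy": None},
]

def scan(inventory):  # bucket name -> findings, only for buckets with problems
    return {b["Name"]: f for b in inventory if (f := audit_bucket(b))}
```

Running `scan` on a schedule against exported settings from every account gives the continuous coverage that manual reviews cannot; statements carrying a `Condition` are deliberately not flagged and still need human review.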

2. Identity & Access Issues — Human and Non-Human Identities

The cloud runs on identities. It’s not just employees — service accounts, applications, and APIs all have credentials. In 2025, most breaches involve attackers exploiting weak or over-privileged accounts. Once inside, they move laterally across cloud workloads.

In Malaysia, where digital banking and fintech are booming, mismanaged machine identities can create huge risks. One leaked API key could give attackers entry into payment systems.

Mitigation: Enforce least-privilege access, rotate credentials regularly, and adopt identity threat detection and response (ITDR) for both humans and machines.

3. API Security & Broken Access Control

APIs are the backbone of modern apps — but they’re also a prime target. Attackers abuse poorly protected APIs to exfiltrate data or bypass authentication. In fact, some of the largest cloud breaches in recent years started with exposed APIs.

Malaysia’s e-commerce and super-app ecosystem is especially API-heavy, making this a growing local concern. For example, a single exposed API in a retail app could leak customer order and payment details.

Mitigation: Implement API gateways with strong authentication and deploy runtime API security monitoring to catch abnormal requests in real time.

4. Supply Chain and Third-Party Risks

Cloud is never a solo effort — companies depend on vendors, SaaS providers, and managed services. But this creates an extended attack surface. A single compromised supplier can cascade across hundreds of Malaysian businesses.

With Malaysia’s strong outsourcing culture — from BPOs to managed IT — the supply chain challenge is even more critical. Regulators now expect companies to assess their third-party risks, not just their own systems.

Mitigation: Maintain an updated Software Bill of Materials (SBOM), monitor third-party security ratings, and demand clear security SLAs from providers.

5. AI-Related Vulnerabilities & AI-Driven Attacks

AI is now embedded in cloud workflows, from chatbots to fraud detection models. But AI introduces new risks: data poisoning, model theft, and prompt injection. On the flip side, attackers are also using AI to automate phishing and exploit scanning.

Malaysia’s government has invested heavily in AI adoption, meaning more businesses are experimenting with AI in the cloud. Without guardrails, these experiments could become backdoors for attackers.

Mitigation: Apply AI security testing (red-teaming models) and isolate sensitive training data. In 2026, expect AI Security Posture Management (AI-SPM) tools to become standard.

6. Lack of Visibility Across Multi/Hybrid-Cloud

Most enterprises don’t stick to one cloud. They use AWS, Azure, Google, and private cloud — but fragmented tooling creates blind spots. Attackers exploit these gaps to hide lateral movement and data exfiltration.

For Malaysian conglomerates running across multiple sectors and regions, this lack of unified visibility makes incident response slow and incomplete.

Mitigation: Consolidate logs and telemetry into a cloud-native SIEM/XDR that gives end-to-end visibility and real-time correlation.

7. Ransomware and Extortion Targeting Cloud Workloads

Ransomware has evolved from locking on-premises servers to encrypting cloud data. Attackers now target cloud backups, and some even threaten to leak sensitive data if payments aren’t made.

In Malaysia, ransomware remains a top concern for healthcare and manufacturing firms, both of which have embraced cloud storage without always securing backups.

Mitigation: Use immutable cloud backups, regularly test recovery plans, and deploy ransomware detection at the workload level.

8. Regulatory & Data Sovereignty Pressures

Malaysia’s PDPA is being reviewed, and regulators like BNM are tightening cloud outsourcing guidelines. Data sovereignty — keeping sensitive data within national borders — is increasingly on the agenda. For global cloud platforms, this creates compliance challenges.

Companies in finance and government-linked sectors must ensure data is stored and processed according to Malaysian requirements. Non-compliance can mean fines and loss of customer trust.

Mitigation: Choose region-aware cloud deployments, work with providers offering local data centers, and build compliance into architecture design.

9. Security Debt & Skills Shortage

Cloud adoption has outpaced security maturity. Many Malaysian firms are carrying “security debt” — old misconfigurations, unused accounts, and unpatched workloads that pile up over time. On top of this, there’s a shortage of cloud security professionals in the region.

This means even well-funded organizations struggle to hire the right talent to manage complex cloud environments securely.

Mitigation: Partner with managed cloud security services (MSSPs), while simultaneously upskilling internal teams through training and certifications.

What to expect in 2026: predictions

Cloud security won’t stand still. As threats evolve and regulators raise the bar, 2026 will bring new priorities for Malaysian enterprises. Here are the shifts you can expect:

  • Cloud-Native Security Becomes Standard

Tools like CNAPP (Cloud-Native Application Protection Platform) and SASE (Secure Access Service Edge) will move from “nice-to-have” to “must-have.” Companies will prefer platforms that combine posture management, workload protection, and access controls in one place.

  • Managing Non-Human Identities Takes Center Stage

By 2026, service accounts, machine identities, and API keys will outnumber human users by a wide margin. Security teams will need dedicated tools to manage and monitor these digital identities before attackers exploit them.

  • AI Security Posture Management Emerges

As more Malaysian businesses adopt AI and automation, attackers will look for weaknesses in models and training data. This will create demand for new solutions focused on testing, monitoring, and securing AI systems.

  • Stronger Rules and Vendor Accountability

Regulators in Malaysia and across Southeast Asia are likely to tighten cloud compliance requirements, especially around data sovereignty. Cloud vendors will be pushed to prove security controls and provide more transparent SLAs.

  • Unified Visibility Across Multi-Cloud

Companies will demand one dashboard that shows all risks and incidents across AWS, Azure, Google Cloud, and private setups. Consolidation into cloud-native SIEM and XDR platforms will accelerate.

Actionable playbook for Malaysian enterprises

Knowing the risks is only half the battle. The real question is — what can Malaysian businesses do right now to strengthen cloud security? Here’s a simple playbook with six priority actions:

  • Scan for Misconfigurations Continuously

Don’t rely on one-time audits. Use Cloud Security Posture Management (CSPM) tools to automatically detect and fix weak settings before attackers exploit them.

  • Adopt Zero Trust for Both People and Machines

Limit access with least-privilege policies, short-lived credentials, and continuous monitoring. Treat machine identities (like API keys and service accounts) with the same care as human logins.

  • Secure Every API

Deploy API gateways, enforce strong authentication, and monitor runtime traffic for unusual activity. APIs should be tested just like applications.

  • Harden the Supply Chain

Protect your CI/CD pipelines, use Software Bill of Materials (SBOMs) for clarity, and demand clear security SLAs from cloud and SaaS vendors. Don’t assume your provider covers everything.

  • Automate Detection and Response

Integrate cloud logs into a cloud-native SIEM or XDR, and build automated playbooks for common threats like ransomware or identity misuse. Faster detection means less damage.

  • Upskill and Partner Wisely

Cloud security talent is scarce in Malaysia. Invest in training for your team, and work with Managed Security Service Providers (MSSPs) for 24/7 coverage and compliance expertise.

NewEvol positioning — how we help

Securing the cloud isn’t about adding more tools — it’s about having the right intelligence, automation, and visibility in one place. That’s where NewEvol comes in.

  • Cloud Posture Management: We continuously scan for misconfigurations, risky permissions, and compliance gaps across AWS, Azure, Google Cloud, and private setups.
  • Identity & Access Protection: Our platform helps monitor both human and non-human identities, preventing credential abuse and privilege misuse.
  • API & Data Security: With runtime API monitoring and data protection controls, we keep your applications and sensitive information safe from misuse.
  • Automated Threat Detection & Response: NewEvol integrates with your cloud workloads to deliver faster detection and automated response to attacks like ransomware or insider misuse.
  • Compliance & Reporting: We simplify audits by aligning with Malaysian regulations like PDPA and industry-specific guidelines from BNM.

Final Thoughts

Cloud adoption in Malaysia is only going to accelerate, and with it, the risks will keep evolving. The challenges we’re seeing in 2025 — from misconfigurations to AI-driven attacks — are just the beginning. By 2026, enterprises that succeed will be the ones that treat cloud security as a continuous, automated practice, not a one-time project.

The good news is that with the right approach — clear visibility, identity-focused controls, and smart partnerships — Malaysian businesses can turn the cloud into a competitive advantage instead of a risk. The time to act is now.

FAQs

  • What are the top 7 advanced cloud security challenges?

Misconfigurations, identity misuse, API vulnerabilities, supply chain risks, AI-related threats, ransomware in cloud, and multi-cloud visibility gaps.

  • What are the top 5 cloud computing security challenges?

Data breaches, weak access controls, insecure APIs, compliance pressure, and lack of skilled professionals.

  • What is the demand for cloud computing in 2025?

Cloud adoption in Malaysia and Southeast Asia is at an all-time high, with most enterprises shifting core workloads to public and hybrid clouds.

  • What is the future of cloud in 2025 from technology to innovation?

Expect stronger AI-driven services, greater automation in security, wider 5G integration, and growth of cloud-native applications.

Krunal Mendapara

Krunal Mendapara is the Chief Technology Officer, responsible for creating product roadmaps from conception to launch, driving the product vision, defining go-to-market strategy, and leading design discussions.

September 11, 2025
