Confidence Without Coverage
A survey of 210 IT and security professionals published by the Cloud Security Alliance (CSA) and commissioned by Thales paints a troubling picture: 75% of organizations expressed confidence in their ability to secure unstructured data, yet 68% reported that less than 80% of their unstructured data is actually protected [1: Unstructured Data Surges as Enterprises Struggle to Maintain Visibility and Security, Cloud Security Alliance Study Finds]. Another 10% said they were unsure of their coverage at all.
This is not a marginal gap. Unstructured data - documents, emails, chat logs, images, and other free-form files - is estimated by Gartner to account for 70% to 90% of all enterprise data [1]. It often houses PII, financial records, intellectual property, and credentials. And nearly a third of organizations (29%) reported that unstructured data accounts for more than half of their annual data growth [1].
Visibility Remains the Core Problem
Despite listing security, governance, privacy, and compliance as top concerns, organizations are failing at foundational controls. More than half (56%) of respondents indicated they have only partial visibility into where their data is stored [1]. Classification scanning, access monitoring, and sensitive data protection are recognized as necessary - but not consistently executed.
Tool sprawl compounds the issue. Nearly one-third (32%) of organizations use 11 or more tools to manage unstructured data, with 12% relying on at least 21 tools [1]. Fragmentation across encryption, cloud security, application security, and IAM platforms makes unified governance difficult.
AI, meanwhile, occupies a paradoxical position: 47% of respondents see it as a top future threat, while 40% view it as a core security capability. But with only 9% of organizations reporting real-time scanning capabilities and 23% unable to scan at all [1], deploying AI on top of incomplete visibility risks amplifying blind spots rather than eliminating them.
From Misconfiguration to Full Takeover in Minutes
A separate CSA analysis published the same day illustrates what happens when visibility fails. In a documented real-world incident, attackers discovered AWS access keys stored in a publicly accessible S3 bucket [2: How an Exposed AWS Access Key Can Lead to Full Account Takeover — Cloud Security Alliance]. The keys initially provided only read-only access - but that was enough.
Within minutes, the attackers enumerated IAM roles and identities, modified existing Lambda functions to escalate privileges, moved laterally across AWS principals, and ultimately obtained full administrative control [2]. Post-takeover, they exfiltrated data, provisioned GPU instances, and abused managed AI services including Amazon Bedrock.
The root causes were not exotic: a public storage bucket, long-lived credentials, over-permissive IAM roles, and limited runtime monitoring. As the CSA analysis notes, "cloud breaches rarely begin with advanced exploits or unknown vulnerabilities. Most start with something far more ordinary: a misconfiguration." [2]
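A defender-side check for three of the four root causes named above (public bucket, long-lived keys, wildcard IAM policy) can run entirely on exported configuration. The following is an added example, not code from the article or from CSA: the policy documents and credential-report rows are constructed samples, the finding labels are hypothetical, and the 90-day key-age threshold is an assumption.

```python
import csv, io, json
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation threshold, not taken from the article

def as_list(v):
    return v if isinstance(v, list) else [v]

def is_public_statement(stmt):
    """Allow statement open to any principal with no Condition narrowing it."""
    p = stmt.get("Principal")
    anyone = p == "*" or (isinstance(p, dict) and "*" in as_list(p.get("AWS", [])))
    return stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition")

def is_wildcard_statement(stmt):
    """Allow statement granting every action on every resource."""
    return (stmt.get("Effect") == "Allow"
            and "*" in as_list(stmt.get("Action", []))
            and "*" in as_list(stmt.get("Resource", [])))

def stale_keys(report_csv, now):
    """Users whose active access key 1 is older than the threshold."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows
            if r["access_key_1_active"] == "true"
            and (now - datetime.fromisoformat(r["access_key_1_last_rotated"])).days > MAX_KEY_AGE_DAYS]

def audit(bucket_policy, iam_policy, report_csv, now):
    findings = []
    if any(map(is_public_statement, as_list(json.loads(bucket_policy)["Statement"]))):
        findings.append("public-bucket")
    if any(map(is_wildcard_statement, as_list(json.loads(iam_policy)["Statement"]))):
        findings.append("wildcard-iam-policy")
    return findings + [f"stale-key:{u}" for u in stale_keys(report_csv, now)]

# Constructed sample inputs (columns are a subset of the IAM credential report)
BUCKET_POLICY = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*"}]}'
IAM_POLICY = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"*","Resource":"*"}}'
REPORT = """user,access_key_1_active,access_key_1_last_rotated
ci-deploy,true,2023-01-10T09:00:00+00:00
alice,true,2025-05-20T09:00:00+00:00
old-svc,false,2020-02-02T09:00:00+00:00
"""
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("\n".join(audit(BUCKET_POLICY, IAM_POLICY, REPORT, NOW)))
```

Run on a schedule against fresh exports, a check of this kind turns a point-in-time audit into a recurring one; it does not cover the fourth root cause, runtime monitoring.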
The Common Thread
Both findings point to the same structural issue. Organizations understand the threat landscape in principle but lag in implementing the continuous, scalable controls required to match it. Confidence scores are high; actual coverage is not.
The unstructured data survey shows that governance is fragmented, manual, and inconsistent. The AWS incident demonstrates that in cloud environments, those gaps do not stay passive - they become active attack surfaces scanned and exploited at machine speed.
What Comes Next
The direction is clear: periodic audits and point-in-time assessments are insufficient for modern cloud environments. Security teams need continuous misconfiguration monitoring, identity and access governance tightly scoped to least privilege, runtime behavioral analytics, and - critically - an honest assessment of what they actually protect versus what they assume is covered.
As CSA's Hillary Baron put it: "Many organizations are struggling to keep pace with the visibility, governance, and protections needed to manage [unstructured data] securely." [1] Until that confidence-coverage gap closes, every exposed key and untracked document remains an open door.
Image: Nikolai Kolosov / Unsplash
