Closing security gaps in multi-cloud and SaaS environments
In this Help Net Security interview, Kunal Modasiya, SVP, Product Management, GTM, and Growth at Qualys, discusses recent Qualys research on the state of cloud and SaaS security. He talks about how siloed visibility, fragmented tools, and a lack of incident response skills leave organizations vulnerable to misconfigurations, account hijacking, and other threats.
Modasiya explains that only a unified, context-aware security strategy can consolidate risk insights, close remediation gaps, and align with how businesses build and operate applications.
Based on what you’re seeing in the market, do you think most organizations are realistically prepared for the complexity of securing multi-cloud and multi-SaaS environments?
Not yet. While cloud and SaaS adoption is accelerating, most organizations still struggle with the complexity of securing them. Based on recent research we commissioned with Dark Reading on the state of cloud and SaaS security, key challenges include the lack of incident response skills (49%) and persistent issues like human error — still the #1 source of breaches — such as misconfigurations, which highlight the difficulty in hardening environments proactively.
Siloed visibility and fragmented tools are major roadblocks. Over 60% of teams can’t correlate findings across their cloud and SaaS environments, making it harder to assess risk or respond effectively. As newer technologies like containers and AI workloads enter the mix, these gaps widen — many companies can’t even identify what AI tools are running in their environments.
Ultimately, traditional approaches don’t scale in this new landscape. Security teams need unified visibility, context-aware risk insights, and better collaboration across SecOps, CloudOps, and DevOps to keep pace.
One in four companies experienced a cloud or SaaS breach last year. Are we underestimating the risk, or just failing to operationalize what we know?
It’s a mix of both. Many organizations are underestimating the risk — especially as the nature of attacks evolves. Traditional behavioral detection methods often fall short in spotting modern threats such as account hijacking, phishing, ransomware, data exfiltration, and denial of service attacks. Detecting these types of attacks requires correlation and traceability across different sources, including runtime events with eBPF, cloud audit logs, and APIs across both cloud infrastructure and SaaS.
At the same time, there’s a major gap in operationalizing risk in three major areas.
- For risk measurement, teams struggle to move beyond CVSS and leverage more accurate risk scoring that incorporates business context and exploitability (like attack paths).
- For risk prioritization, especially in containerized or dynamic environments, most lack the tools to cut through the noise and focus on what truly matters.
- Risk remediation is still too slow. Siloed patching processes, lack of automation, and fear of breaking production systems often delay critical fixes.
Until organizations mature across all three areas, we’ll continue to see breaches persist — even when the signals are already there.
What kind of DFIR capabilities should security leaders prioritize for hybrid and cloud-heavy environments?
In today’s hybrid and cloud-heavy environments, effective DFIR (Digital Forensics and Incident Response) requires moving beyond traditional techniques. Security leaders should prioritize using the following five capabilities:
1. Deep Learning–driven Threat Detection
As attackers adopt stealthier tactics — from GenAI-generated malware to supply chain compromises — traditional signature- and rule-based methods fall short. Deep learning–based anomaly detection is essential to identify zero-day threats and subtle behavioral deviations that legacy tools may miss.
2. Runtime Security with eBPF
As attacker dwell times increase, security teams need real-time telemetry and enforcement. eBPF-powered runtime monitoring provides kernel-level visibility, enabling detection of malicious activity as it unfolds — and reducing time-to-response from hours to minutes.
3. Attack-informed Vulnerability Prioritization
CVSS scores alone don’t reflect the true risk to your business. By combining attack path intelligence, exploit trends, and business context, organizations can cut through the noise and focus on the vulnerabilities that cause the most risk to the organization — especially in ephemeral cloud and containerized environments.
4. Unified Forensics Across Hybrid Environments
Cloud, on-premises, and SaaS ecosystems all produce fragmented data. DFIR success hinges on centralized visibility and correlated telemetry that enables rapid investigation and root cause analysis — across all environments, in one place.
5. Automated Response and Containment
Manual containment slows response and increases risk. Automated workflows — from isolating infected assets to launching remediation actions — reduce dwell time, human error, and business impact.
By adopting these capabilities, organizations can elevate DFIR from reactive cleanup to proactive risk mitigation.
What does a unified cloud and SaaS security strategy look like in practice? What are the foundational elements?
A unified cloud and SaaS security strategy means moving away from treating infrastructure, applications, and SaaS as isolated security domains. Instead, it focuses on delivering seamless visibility, risk prioritization, and automated response across the full spectrum of enterprise environments — from legacy on-premises to dynamic cloud workloads to business-critical SaaS platforms and applications.
Based on industry data and what we’re seeing in the field, a good strategy requires these foundational elements:
1. Hybrid Cloud Visibility
46% of organizations cite limited visibility into cloud or hosted environments as a top challenge. That’s why any unified strategy must provide continuous, correlated visibility across on-premises, public cloud, and SaaS. Without this, blind spots persist — especially where misconfigurations, vulnerabilities, and lateral movement risks span environments.
2. Flexible, Context-Aware Scanning
Today’s workloads are diverse — long-lived servers, short-lived containers, legacy applications in DMZs, and serverless functions. A unified approach must support flexible scanning strategies tailored to workload type, deployment model, and business criticality. Static, one-size-fits-all scanning leaves too much risk undetected and breaks compliance.
3. Multi-dimensional Approach to Risk Prioritization
Effective cloud security prioritization requires more than just vulnerability scores. By correlating signals like public exposure, exposed secrets, identity misconfigurations, and network reachability — and mapping them through an attack path — teams can determine which risks are truly exploitable. This enables teams to focus on issues with the highest blast radius and business impact.
4. Integrated, Automated Remediation
With 49% of respondents citing a lack of skilled manpower and 40% noting limited automation capabilities, security teams need more than alerts — they need action. Integrating remediation into workflows, leveraging pre-built playbooks, and enabling guided or autonomous patching can significantly reduce MTTR and operational burden.
Patching struggles are real: 39% of organizations report having difficulty patching web applications, while 23% cite delays in cloud risk remediation. Automating remediation is no longer optional — it’s critical.
5. Correlated SaaS and Infrastructure Risk
Many SaaS applications operate on shared cloud infrastructure. Yet teams often manage SaaS security posture (SSPM) and infrastructure misconfigurations (CSPM) in silos. A unified strategy must correlate these risks — helping teams understand how a misconfigured Google Workspace account could expose cloud storage or lateral movement paths.
6. End-to-End Lifecycle Security: From Build to Runtime
Security must be embedded throughout the DevOps lifecycle. 46% of respondents highlighted overly broad access for developers, while 32% cited insecure images. Pre-deployment checks (CI/CD scanning, IaC validation) and runtime controls (e.g., eBPF-based threat detection) are both critical. Equally important is enforcing checks even when pipelines are bypassed, which happens more often than teams realize.
7. Flexible Licensing to Support Modernization
39% of organizations face budget constraints — and rigid, consumption-based licensing often becomes a blocker to cloud security maturity. A truly unified platform supports application modernization by enabling resource flexibility (e.g., shifting license entitlements from on-premises virtual machines to containers or serverless), without forcing re-purchases.
The bottom line is a unified strategy consolidates risk insights, closes remediation gaps, and aligns with how modern businesses build and operate applications — helping teams move from fragmented security efforts to a proactive, risk-centric operating model.
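As an added illustration of the risk measurement and multi-dimensional prioritization points above (example code written for this page, not Qualys tooling), the following script scores findings by combining CVSS with exposure, exploitability, exposed secrets or identity misconfigurations, and a breadth-first search over network reachability to business-critical assets. The asset graph, the placeholder CVE ids and the weights are all constructed assumptions; the point is that a lower-CVSS finding on an exposed host with a path to a critical database outranks a critical-CVSS finding on an isolated host.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Asset:
    internet_exposed: bool = False
    business_critical: bool = False
    reaches: list = field(default_factory=list)  # network reachability edges
@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    exploit_known: bool = False
    exposed_secret: bool = False
    identity_misconfig: bool = False

def attack_path_targets(assets, start):
    """Business-critical assets reachable from `start` over the reachability graph (BFS)."""
    seen, queue, hits = {start}, deque([start]), []
    while queue:
        for nxt in assets[queue.popleft()].reaches:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
                if assets[nxt].business_critical:
                    hits.append(nxt)
    return hits

def risk_score(f, assets):
    """CVSS is only the baseline; exposure, exploitability, secrets/identity issues
    and the attack path to critical assets scale it. Weights are illustrative."""
    a, score = assets[f.asset], f.cvss
    if a.internet_exposed: score *= 2.0
    if f.exploit_known: score *= 1.5
    if f.exposed_secret or f.identity_misconfig: score *= 1.5
    score *= 1 + 0.5 * len(attack_path_targets(assets, f.asset))  # blast radius
    if a.business_critical: score *= 1.5
    return round(score, 1)

def prioritize(findings, assets):
    return sorted(findings, key=lambda f: risk_score(f, assets), reverse=True)

# Constructed sample environment; CVE ids are placeholders, not real advisories.
ASSETS = {"web-01": Asset(internet_exposed=True, reaches=["app-01"]),
          "app-01": Asset(reaches=["db-01"]),
          "db-01": Asset(business_critical=True),
          "batch-09": Asset()}
FINDINGS = [Finding("batch-09", "CVE-0000-0001", 9.8),  # critical CVSS, isolated batch host
            Finding("web-01", "CVE-0000-0002", 7.5, exploit_known=True, exposed_secret=True)]
```

Calling `prioritize(FINDINGS, ASSETS)` returns the web-01 finding first (contextual score 50.6) ahead of the CVSS 9.8 batch-host finding (9.8), because only the former is exposed, exploited in the wild, and on a path to a critical asset.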
What’s your view on balancing native CSP/SaaS telemetry with in-house or third-party tools?
Native CSP and SaaS telemetry is essential, but it’s not enough on its own. Continuous inventory and monitoring across identity, network, compute, and AI is critical — especially to detect misconfigurations and drift. With 30% of breaches tied to human error, often from insecure infrastructure as code or excessive privileges, organizations need full code-to-cloud visibility.
At Qualys, we integrate native CSP scans via APIs and enrich them with our own vulnerability and risk intelligence from over 25 threat feeds — giving customers deeper, prioritized insights that neither source could deliver alone.
What’s one actionable step you think every security team should take right now to improve their cloud and SaaS defense?
Establish a unified inventory of all cloud, containers and SaaS assets — and map each to business context and risk.
You can’t protect what you don’t know about. Yet most teams still lack a single, living view of what assets they have across multi-cloud and SaaS — let alone which are externally exposed, misconfigured, or business-critical. Start by consolidating cloud provider APIs, SaaS integrations, and threat telemetry into one risk-aware asset inventory. Then use that foundation to drive prioritization and remediation workflows.