The Shift That Broke Cloud Security in 2025, as Valid Identities Became the Primary Attack Surface

Written by: Vishwa Pandagle, Cybersecurity Staff Editor
Key Takeaways
  • Sethi notes that valid identity misuse made cyber attacks quieter and harder to distinguish from normal operations.
  • Traditional detection fails in interconnected cloud environments, creating the need for runtime visibility.
  • Automation exposed shaky foundations by making decisions on stale assumptions lacking context.
  • Upwind Security notes that while the cloud environments change constantly, identity policies remain static.
  • Controls like continuous privilege rebalancing and tighter segmentation were underused, weakening security.

We sat down with Rinki Sethi, Chief Security & Strategy Officer at Upwind Security, to learn how 2025 quietly rewired the technical realities of cloud defense and what that means going forward.

Sethi draws on over 20 years of experience leading security programs at high-growth and global enterprises, including Twitter, Rubrik, BILL, and Palo Alto Networks, with deep focus on cloud, identity, and large-scale incident response.

This conversation discusses a clear shift that many teams observed. Attackers are no longer loud, fast, or obviously malicious. They are using valid identities, automation, and AI-driven workflows to blend into normal cloud operations.

The discussion explains why static controls, point-in-time checks, and outdated IAM assumptions repeatedly failed in 2025. 

We define the next phase of security work as one focused on runtime visibility, identity controls, controlled automation, and treating AI workloads as first-class production systems. Read on to learn where defenses broke and where they must evolve next.

Vishwa: What changes in attacker behavior during 2025 had the biggest technical impact on how defenders monitored cloud workloads and identity systems?

Rinki: We saw far more activity using valid identities, native cloud services, and existing automation paths. That made attacks quieter and much harder to separate from normal operations.

In cloud environments, where change is constant and everything is interconnected, those actions blend in unless you understand behavior in real time. This is where a lot of traditional detection fell short. 

Static checks and point-in-time signals miss how identities and workloads are actually being used. You only see the problem when you can observe behavior as it unfolds in production. That shift is what made runtime visibility non-negotiable for teams that wanted to keep up.

Vishwa: Organizations expanded automation rapidly in 2025. What technical risks emerged from automating security tasks?

Rinki: Automation became mandatory, but it also exposed how shaky some foundations really were. I saw automation making changes based on stale assumptions, granting access that no human would ever get, or acting on incomplete context. 

When you automate without understanding how your environment truly behaves, you amplify risk at machine speed. As AI and agentic workflows become more common, the real challenge is not speed. It is control. 

You need clear guardrails and a live understanding of your environment before you automate decisions. Otherwise, you are just moving faster in the wrong direction and creating messes that are incredibly hard to unwind.

Vishwa: Many incidents in 2025 involved credential misuse and lateral movement. What technical controls were underused?

Rinki: Identity is where small gaps quietly turn into big problems. Cloud environments change constantly. New services, new APIs, new data flows. But identity policies often stay frozen in time. That is where attackers find room to move.

Teams underused controls like continuous privilege rebalancing, tighter segmentation, and real visibility into how identities are actually used in production. Credential misuse today is rarely just a leaked key. It is about trust paths and identity relationships that nobody has revisited in years.

When teams combine solid IAM design with runtime insight into identity behavior, lateral movement becomes much easier to spot and stop early.
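The answer above names continuous privilege rebalancing and runtime visibility into how identities are actually used as the underused controls. The script below is an added example, not part of the interview and not Upwind's code: it takes a constructed policy snapshot (what each identity is granted), a constructed JSON-lines audit log in a simplified CloudTrail-like shape (field names are this example's own), and a review cutoff, then reports grants that were never exercised (candidates for removal) and actions an identity began performing only after the baseline period, flagging high-impact ones for review. The HIGH_IMPACT list is assumed to be team-maintained.

```python
"""Continuous privilege rebalancing over a constructed audit log (added example).

Compares the permissions each identity holds (a static policy snapshot) with the
permissions it actually exercises in production, so unused grants can be pruned
and newly exercised high-impact actions can be reviewed before they become a
lateral-movement path.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed policy snapshot: identity -> permissions currently granted.
GRANTED = {
    "role/ci-deploy": {"s3:PutObject", "s3:GetObject", "sts:AssumeRole",
                       "iam:PassRole", "ecs:UpdateService"},
    "role/reporting": {"s3:GetObject", "athena:StartQueryExecution"},
}

# Actions whose first use by an identity deserves review even when granted.
# Assumption: a team-maintained list, not a vendor-defined constant.
HIGH_IMPACT = {"sts:AssumeRole", "iam:PassRole", "iam:CreateAccessKey"}

# Events before this point form the behavioural baseline; later ones are "recent".
REVIEW_CUTOFF = datetime(2025, 3, 8)

# Constructed audit log, one JSON object per line, in a simplified
# CloudTrail-like shape (field names are this example's own).
AUDIT_LOG = """\
{"time": "2025-03-01T10:00:00Z", "principal": "role/ci-deploy", "action": "s3:PutObject", "result": "success"}
{"time": "2025-03-01T10:05:00Z", "principal": "role/ci-deploy", "action": "ecs:UpdateService", "result": "success"}
{"time": "2025-03-02T08:00:00Z", "principal": "role/reporting", "action": "s3:GetObject", "result": "success"}
{"time": "2025-03-02T08:01:00Z", "principal": "role/reporting", "action": "athena:StartQueryExecution", "result": "success"}
{"time": "2025-03-05T10:00:00Z", "principal": "role/ci-deploy", "action": "s3:PutObject", "result": "success"}
{"time": "2025-03-09T10:00:00Z", "principal": "role/ci-deploy", "action": "s3:PutObject", "result": "success"}
{"time": "2025-03-09T10:02:00Z", "principal": "role/ci-deploy", "action": "sts:AssumeRole", "result": "success"}
{"time": "2025-03-10T08:00:00Z", "principal": "role/reporting", "action": "s3:GetObject", "result": "success"}
{"time": "2025-03-10T08:03:00Z", "principal": "role/reporting", "action": "iam:CreateAccessKey", "result": "AccessDenied"}
"""


def parse_audit_log(text):
    """Parse JSON-lines audit events, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def used_permissions(events):
    """Permissions each identity has successfully exercised."""
    used = defaultdict(set)
    for ev in events:
        if ev["result"] == "success":
            used[ev["principal"]].add(ev["action"])
    return used


def unused_grants(granted, events):
    """Granted permissions with no successful use: candidates for removal."""
    used = used_permissions(events)
    return {p: sorted(perms - used.get(p, set())) for p, perms in granted.items()}


def new_actions(events, cutoff):
    """Actions (attempted or successful) an identity first performed after the cutoff.

    Denied attempts count as behaviour too: an identity probing for a
    permission it never used before is itself a signal.
    """
    baseline, recent = defaultdict(set), defaultdict(set)
    for ev in events:
        bucket = baseline if ev["time"] < cutoff else recent
        bucket[ev["principal"]].add(ev["action"])
    return {p: sorted(acts - baseline.get(p, set()))
            for p, acts in recent.items() if acts - baseline.get(p, set())}


def review_findings(granted, events, cutoff):
    """Combine both signals into sorted (principal, action, recommendation) rows."""
    findings = []
    for principal, perms in unused_grants(granted, events).items():
        for perm in perms:
            findings.append((principal, perm, "unused grant: remove"))
    for principal, acts in new_actions(events, cutoff).items():
        for act in acts:
            tag = ("new high-impact action: review" if act in HIGH_IMPACT
                   else "new action: confirm expected")
            if act not in granted.get(principal, set()):
                tag += " (not in policy snapshot)"
            findings.append((principal, act, tag))
    return sorted(findings)


if __name__ == "__main__":
    for row in review_findings(GRANTED, parse_audit_log(AUDIT_LOG), REVIEW_CUTOFF):
        print(*row, sep="  |  ")
```

Run against the constructed log, the review lists two never-used grants on role/ci-deploy, its first-ever sts:AssumeRole after the cutoff, and a denied iam:CreateAccessKey attempt by role/reporting that is not in its policy at all. In practice the snapshot would be pulled from the provider's IAM API and the log from the audit trail on a schedule, so the "unused" set keeps shrinking as policies are rebalanced.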

Vishwa: AI-assisted attacks grew more sophisticated in 2025. What technical weaknesses will attackers target heading into 2026?

Rinki: Attackers will keep going after the seams. As organizations embed AI into their environments, the biggest risks are not just the models. It is the infrastructure around them. Inference endpoints, orchestration layers, data pipelines, tokens, and secrets that connect everything together.

We are also heading into a world where AI agents can take real actions across systems. If those agents are not tightly governed, with strong identity boundaries and real-time visibility into what they are doing, they become powerful attack tools.

The organizations that will be safest are the ones that treat AI workloads like any other critical production service. Same runtime monitoring. Same identity rigor. Same expectations for control and accountability.

Vishwa: Supply-chain weaknesses impacted multiple industries in 2025. What introduces the most hidden technical risk?

Rinki: Modern cloud environments are built on layers of dependencies that change constantly, often without anyone touching the application.

Risk can enter quietly through a library update, a container change, or a managed service evolving behind the scenes. Teams often know what they have installed, but not how those components actually behave once they are running.

The strongest programs pair dependency management with runtime understanding. You need to know what those components touch, how they interact, and what normal behavior looks like in production. That context is what turns supply-chain risk from an abstract problem into something you can actually manage.

Vishwa: What experiences shaped your path into cybersecurity leadership, and how do they influence how you build teams?

Rinki: I started as an engineer, building security infrastructure and incident response systems, long before security was a board-level topic. I have led teams at places like Twitter, Rubrik, and BILL during periods of intense growth and instability.

Those experiences taught me how much pressure security teams carry and how often they are expected to be the backstop for everything. That shapes how I lead today.

I focus on clarity, trust, and creating environments where people can do hard work without burning out. Security does not succeed in isolation. When teams feel supported and understand why their work matters, they make better decisions and stay in the field longer. That matters more than any single tool.

Vishwa: You have spoken publicly about inclusion in cybersecurity. What actions strengthen solidarity across technical teams?

Rinki: The biggest impact comes from making inclusion part of everyday leadership, not a separate initiative.

That means investing in talent development, offering flexibility when people need it, and opening doors for people who may not naturally see themselves as leaders yet. Sponsorship has been especially powerful in my career and in the teams I have led.

When we actively support each other’s growth and create space for different paths into leadership, it builds stronger teams and healthier cultures. That kind of environment keeps people engaged and committed long term.

Vishwa: What guidance would you offer professionals aiming for security leadership in the coming years?

Rinki: Security leadership today sits at the intersection of cloud architecture, identity, AI, engineering, and business strategy. My advice is to build real breadth. Understand how systems are built, how incidents unfold, how products ship, and how AI is reshaping operating models.

At the same time, never underestimate the people side. The strongest leaders communicate clearly, stay curious, and create steadiness for their teams in constant change.

If a role stretches how you think and forces you to grow, that discomfort is usually a sign you are moving in the right direction.
