
Asia’s cloud is now a sovereign asset but we’re still securing it like a tech product

Robert Huber

There’s something strange about how invisible the cloud has remained, even as it has come to underpin everything. It is where our tax records, biometric IDs, pandemic playbooks, and public AI models live now. In a growing number of Asia Pacific countries, it is also where governance itself increasingly resides.

Despite how central the cloud has become to the modern state, we continue to treat it like a glorified IT service—a tool, a convenience, something that belongs to technologists—not the same class of infrastructure as roads, railways, or national power grids. This mismatch between the criticality of what is being built and the looseness with which it is being secured is becoming harder to ignore.

In a recent analysis of more than 3.6 million cloud assets, Tenable’s research team found that nearly 10% of publicly accessible cloud storage locations held sensitive or confidential data. More than half of the containerised workloads studied contained hard-coded secrets: access keys, tokens, credentials, all sitting in plain text. Almost a third of organisations had at least one workload that was exposed to the internet, vulnerable to known exploits, and configured with excessive privileges. We call that combination the “toxic cloud triad.”

These are not obscure technical bugs. They are widespread design flaws. When they show up in systems that underpin national healthcare, financial regulation, or public education, they are not just engineering oversights. They are civic vulnerabilities.

In Asia, the implications of this are especially stark. The region has, in many ways, leapfrogged traditional infrastructure. Cloud adoption is proceeding faster here than almost anywhere else in the world. In 2025 alone, public cloud spending across the Asia Pacific is expected to exceed US$250 billion, according to IDC. Governments from India to Indonesia are replatforming entire bureaucracies onto public cloud services. That momentum has helped drive innovation. But it has also produced a quiet accumulation of risk.

One example came from Indonesia, just last year. In June 2024, a ransomware variant known as Brain Cipher, a descendant of LockBit 3.0, compromised the country’s Temporary National Data Centre in Surabaya. More than 200 government services ground to a halt. Immigration systems went dark, and even public universities could not process student enrolments. The attackers demanded a ransom of US$8 million, which Jakarta refused to pay.

Beyond the ransom itself, the incident highlighted broader challenges around backup and recovery. An audit revealed significant gaps in data resilience, underscoring the need for stronger safeguards. In response, President Joko Widodo ordered a sweeping review of government cloud systems and data protocols, reforms that are continuing to take shape today.

If that incident tells us anything, it is that the cloud is no longer just infrastructure. It is a space of sovereignty. And if we continue to treat it with the relaxed assumptions of private-sector tooling, where agility, convenience, and iteration are prized above all else, then we will find ourselves confronting more moments like these, when technical breaches can spiral into national crises.

To be clear, the answer is not to halt cloud adoption. Cloud services have delivered undeniable public value. They have improved access to services, lowered the cost of innovation, and allowed many nations to sidestep outdated, costly IT procurement models. But scale without visibility is a dangerous game.

The problem is not that governments and enterprises are not investing in security. Many are. The issue is that our frameworks for what “secure” means are still rooted in assumptions from another era. We assume that data will stay siloed, that cloud workloads are short-lived, and that the stakes are mostly financial.

But the stakes have changed. If a developer hard-codes a credential into a container used by a generative AI model, and that model is powering a national public service, the implications are not theoretical. If an AI notebook in Google Cloud is provisioned with the wrong default permissions, as 77 percent were in our analysis, the blast radius of compromise extends well beyond just that workload. And if that notebook is training on sensitive datasets, the line between private-sector tooling and public interest disappears altogether.

Some progress is being made. Countries like Singapore are mandating minimum cyber hygiene standards for financial institutions. India’s data protection law has arrived after years of debate. Australia is rethinking its breach penalties. But policy tends to trail technology, and enforcement tends to trail policy. Even in countries with robust digital strategies, there is often a lack of basic visibility. There is no map of who has access to what, no real-time alerting when secrets leak, and no lifecycle management for identities long after projects conclude.

Moreover, the stakes aren’t confined to compliance checkboxes anymore. In Singapore, just recently, Coordinating Minister for National Security K. Shanmugam publicly confirmed that the nation’s critical information infrastructure was under a sophisticated, ongoing cyber‑espionage attack by a group identified as UNC3886, a state‑linked advanced persistent threat actor. This marked a rare and deliberate move by Singapore to name the adversary, signaling the severity of the threat and the need for urgency in response.

If the cloud is to be treated as a sovereign asset, then it must be defended with the same seriousness as borders, power grids or financial systems.

If the past year has taught us anything, it is that cloud outages are no longer just about lost emails or stalled product releases. They are about grounded planes, frozen visas, and vulnerable public records.

What is needed is a new model of shared accountability anchored in exposure management. Governments must set the rules, vendors must build secure defaults, and enterprises must operate with continuous visibility into their risks.

It means adopting exposure management as the operating principle, continuously discovering risks, constantly reducing attack paths, and proving that essential services can survive disruption.

If the cloud is sovereign, then uptime and resilience is the new measure of state power.

Robert Huber is Tenable’s chief security officer and head of research, and president of Tenable Public Sector.

© 2025 The Edge Publishing Pte Ltd. All rights reserved.