Mission Cloud: Fully Secure

Ever watched Tom Cruise in Mission: Impossible? Villains and secret agents wear masks, impersonate others and blend in seamlessly. For Baggenstos, a very real mission is securing cloud infrastructures — provided configurations are reviewed on a regular basis.

You don’t need to be a secret agent. At Baggenstos, alarm bells start ringing figuratively speaking when a customer’s database suddenly becomes publicly accessible on the internet. What may seem practical from a developer’s home-office perspective quickly turns into a nightmare for cybersecurity teams — and an open attack surface for digital crime.

Dormant Attack Surface

One incorrect tick here, one faulty entry there: according to Microsoft, over 80 per cent of all attacks are caused by cloud infrastructure misconfigurations. A silent epidemic, so to speak. Security misconfigurations rank second in the OWASP Top Ten 2025. The figures are alarming: 23% of all cloud security incidents result from misconfigurations, with human error being the root cause in 82% of cases.

Hackers are logging in — increasingly targeting Identity and Access Management (IAM) to take over legitimate accounts. According to Microsoft’s own Digital Defense Report, weak or missing identity controls are now the leading cause of compromises.

Depending on the service provider agreement, customers often retain partial responsibility for secure operations. In day-to-day practice, however, security concerns are frequently sacrificed for convenience, resulting in configurations that should never be permitted from a security standpoint. In his daily work, Baggenstos CTO Eckhard Neuhaus repeatedly encounters the same issues: publicly exposed endpoints, over-privileged roles and incorrect permission assignments.

Close to the Customer, Precise in Analysis

«A problem that must be addressed consistently through clear processes», says the CTO. Baggenstos’ strategy is built on two pillars «secure configuration» and continuous monitoring. Automation and clear policies reduce the risk of human error. Permissions, for example, should be granted and revoked dynamically rather than assigned permanently. Highly privileged access requires an approval workflow.

Baselines or reference values based on established frameworks define the target state, while deviations are continuously monitored. Baggenstos uses several tools for this purpose, including the Microsoft Defender Suite with Secure Score as a core component, as well as Darktrace / Cloud for real-time alerts in case of policy violations. «Cloud misconfigurations are not purely a technical issue», Eckhard Neuhaus emphasises. This is where the Baggenstos team’s close relationship with customers proves invaluable.

Through in-depth workshops, organisations are assessed for weaknesses across their IT infrastructure and underlying processes. Understanding how people work and how processes function enables the right decisions when designing a cloud security architecture. «Security has to be lived», says Eckhard Neuhaus. «It can be uncomfortable at times — but with the wrong configuration, a seemingly productive solution can quickly turn into a cybersecurity nightmare.»