Strictly Confidential — Material Disclosure Under Executed Mutual NDA Only
SECTOR / 22 · CLOUD & DATA CENTRE OPERATORS

Cloud & Data Centre Operators. The infrastructure of every other sector's infrastructure.

The 2024 Snowflake-customer-credential-attack campaign compromised approximately 165 multi-tenant cloud-platform customers — exposing hundreds of millions of records. EU NIS2 designates cloud, content delivery networks, and trust services as "essential entities". Average breach cost in technology industries reached USD 9.36M in 2024. PULSE engineers cloud and data centre infrastructure in which the operator does not hold customer data in any form recoverable by the operator.

Cloud & Data Centre Operators — 2024 Threat Profile

Cloud and data centre operators are the foundation layer of the global economy. A single major-region availability event affects thousands of unaffiliated customers simultaneously.

Essential
Designation of cloud-computing services, content delivery networks, DNS, TLD registries, and trust services as "essential entities" under EU NIS2 Directive (effective 18 October 2024) — the highest tier of cybersecurity-governance and incident-reporting obligations.
Source: EU NIS2 Directive (EU) 2022/2555

165
Snowflake-customer organisations compromised in the 2024 ShinyHunters/UNC5537 campaign — a multi-tenant cloud platform incident demonstrating shared-responsibility-model failure modes at scale.
Source: Mandiant / Cloud Security Alliance 2024

USD 9.36M
Average breach cost in technology and software industries in 2024 — the second-highest sectoral average behind healthcare.
Source: IBM Cost of a Data Breach 2024

Multi-region
Documented major-region cloud-service outages in 2024 (AWS, Azure, GCP) demonstrate availability-class concerns separate from confidentiality-class breaches. Customer dependencies on single-region or single-provider deployments produce concentrated exposure.
Source: AWS / Azure / GCP post-incident reports

Threat Landscape

Cloud and data centre operators are the infrastructure of every other sector's infrastructure. Their exposure is the cumulative exposure of the global economy.

Cloud and data centre operators occupy a position in the global cybersecurity threat landscape that is, in important respects, foundational. The hyperscale cloud providers — AWS, Microsoft Azure, Google Cloud Platform, Oracle Cloud, Alibaba Cloud — host the computational, storage, and networking infrastructure on which essentially every other industry now depends. The colocation and managed-data-centre operators — Equinix, Digital Realty, NTT, KDDI Telehouse, and others — host the physical infrastructure underlying both the hyperscalers and direct-customer deployments. The cybersecurity posture of this layer is the cumulative cybersecurity exposure of the contemporary economy.

The 2024 Snowflake-customer-credential-attack campaign is the definitive recent illustration of multi-tenant exposure. Mandiant tracked the UNC5537 / ShinyHunters compromise of approximately 165 Snowflake customer accounts via stolen credentials harvested from infostealer malware — Snowflake itself was not compromised, but the customer-side configuration weaknesses (missing MFA, dormant accounts, stolen credentials dating to 2020) produced exposure of hundreds of millions of records. The "shared responsibility model" — in which the cloud or SaaS provider is responsible for the security of the platform, and the customer is responsible for the security of what runs on the platform — produced predictable failure when applied to customers without the resources or expertise to fulfil their portion of the model. [01]

In 2024, the largest cybersecurity events in the global economy were not breaches of large enterprises. They were breaches of the cloud and SaaS infrastructure on which large enterprises depended. The threat surface migrated upward to a layer where the customer cannot deploy controls.

The 2023 Microsoft Exchange Online compromise by China-affiliated Storm-0558 (later determined by the US Cyber Safety Review Board to have been preventable through better Microsoft security practices) exemplifies a different category of exposure: the cloud provider itself is the breach point, and the consequence propagates to every customer of the affected service. Microsoft's 2024 disclosure that Midnight Blizzard / APT29 had compromised senior Microsoft executive email accounts via a password-spray attack demonstrated the same pattern continuing.

For data centre operators specifically, the 2024 incident catalogue includes both cybersecurity events (breach disclosures by colocation providers) and availability events (regional power and cooling failures producing extended customer outages). The structural concentration of digital infrastructure into a small number of hyperscale and colocation operators produces concentration risk that — in the event of an adversary willing to absorb the consequence of attacking infrastructure on which the global economy depends — would be strategically significant.

Common Attack Vectors

Cloud and data centre attack vectors concentrate in identity, configuration, and physical-supply-chain layers.

The same vectors recur: identity-provider compromise affecting cloud customers downstream; tenant-isolation failures (rare but consequential when they occur); physical-infrastructure exploitation including foreign-manufactured equipment risk; and availability-class events from concentrated cloud-region dependencies.

VECTOR / 01

Identity-Provider and Tenant-Side Configuration

The 2024 Snowflake campaign and the 2023 Okta breach both exemplify identity-layer compromise propagating to customer-side data. AWS IAM, Azure AD / Entra ID, and Google Cloud IAM are the corresponding identity layers for hyperscale-cloud customers — and identity-layer compromise produces cross-cloud-customer consequence.

165 Snowflake customers via missing MFA — 2024

VECTOR / 02

Tenant-Isolation Failures

Multi-tenant cloud platforms maintain tenant-isolation through hypervisor-, container-, and process-level boundaries. Disclosed tenant-isolation failures are rare but consequential — the 2021 ChaosDB Azure Cosmos DB exposure and 2022 OMIGOD Azure exposures established that isolation failures occur at scale. The hyperscalers maintain bug-bounty and disclosure programmes for this reason.

Rare but consequential — ChaosDB / OMIGOD class events

VECTOR / 03

Foreign-Manufactured Hardware in Critical Infrastructure

CISA, NSA, and FBI have warned about foreign-manufactured hardware embedded in US critical infrastructure including data centres. The same considerations applying to PRC-manufactured ship-to-shore cranes apply to foreign-manufactured network equipment, server hardware, and management controllers in data centres.

Strategic concern — CISA / NSA / FBI advisories

VECTOR / 04

Concentrated-Region Availability Events

Major-region availability events at AWS us-east-1, Azure regions, and GCP regions produce immediate cascading consequence to customers without multi-region or multi-cloud deployments. The 2024 incident calendar includes multiple such events. Availability-class concentration is a separate category of exposure from confidentiality-class breaches.

Multi-region documented events 2024

Operational and Regulatory Impact

EU NIS2 designates cloud and data centres as essential entities. The regulatory regime catches up to the consequence.

The EU NIS2 Directive (effective 18 October 2024) explicitly designates cloud-computing services, content delivery networks, DNS, TLD registries, and trust services as "essential entities" — the highest tier of cybersecurity-governance and incident-reporting obligations. Data-centre service providers are designated as "important entities" under the same directive. The Digital Operational Resilience Act (DORA, applicable from January 2025) imposes specific obligations on critical-third-party ICT providers serving EU financial entities, with the European Supervisory Authorities holding direct supervisory authority over designated critical providers.

The US FedRAMP (Federal Risk and Authorization Management Program) provides the cybersecurity baseline for cloud services used by US federal agencies. The DoD Cybersecurity Maturity Model Certification (CMMC) program imposes parallel requirements for cloud providers handling Controlled Unclassified Information for the Department of Defense. The CISA Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) — when its final rule takes effect — will impose 72-hour reporting obligations on covered cloud and information-technology providers.

The UK Cyber Assessment Framework (CAF) applies to cloud and data centre operators of essential services under the UK NIS Regulations. The Australian Government Cloud Security Guidance and the Information Security Manual (ISM) provide the controls baseline for Australian government cloud deployments, alongside SOCI Act 2018 obligations for designated critical-data-storage operators.

For Singapore, the Cyber Security Agency (CSA) operates a Code of Practice for Designated Critical Information Infrastructure that applies to cloud and data centre operators. Hong Kong and Japan operate parallel frameworks. The progressive convergence of regulatory expectations across jurisdictions reflects the structural reality: the customers of cloud and data centre operators are global, the consequence of breaches is global, and the regulatory response has had to become global.

Reframing

Cloud and data centre cybersecurity is the only domain where the institution's exposure is the cumulative exposure of every customer's data, every customer's operations, and every customer's customer's dependency.

The PULSE Position

In a PULSE-substrate cloud or data centre environment, the operator does not hold customer data in any form recoverable by the operator.

The defining structural exposure of cloud and data centre cybersecurity is operator-side custody of customer data. In conventional architectures, the cloud provider necessarily has access to customer data — for purposes of providing the service, for purposes of maintenance and operations, for purposes of fulfilling lawful-government-access requirements, for purposes of platform-administration. This necessary access creates the corresponding necessary attack surface: a sufficiently sophisticated adversary who compromises the operator obtains potential access to the data of every customer the operator serves.

A cloud or data centre operator running PULSE substrate does not hold customer data in any form recoverable by the operator. Customer A's data is held in a form that is accessible to Customer A for the operations Customer A authorises and to no other party — including the cloud or data centre operator itself, including the cloud-platform host, including any subsequent compromise of any infrastructure component owned, operated, or relied upon by the operator. Lawful-government-access requirements are satisfied through architectural commitments that produce correctly executed lawful access while preserving the operator's structural inability to disclose customer data outside that lawful-access framework.

The shared-responsibility model is not eliminated; it is rebalanced. The operator's portion of the model is satisfied at the architectural level rather than at the control-overlay level. Customer-side configuration failures (missing MFA, weak credentials, dormant accounts) cannot produce the bulk-data-exfiltration consequence that drove the 2024 Snowflake campaign because the bulk customer-data corpus is architecturally absent from the platform. The means is the trade secret. We disclose it under executed Mutual Non-Disclosure Agreement only.

Strategic Briefing — Available Under NDA

Cloud and data centre PULSE deployment, EU NIS2 / DORA / FedRAMP / CMMC alignment, and multi-tenant reference architecture.

Architectural-fit assessment for hyperscale cloud provider, sovereign-cloud provider, colocation operator, managed-data-centre provider, and edge-cloud scenarios. Quantified operator-side residual-disclosure model under PULSE substrate. Cross-jurisdictional regulatory alignment matrix (EU NIS2 / EU DORA / FedRAMP / FedRAMP High / CMMC / UK CAF / Australia SOCI / Singapore CSA Code of Practice / Japan ISMS-CLS). Reference architecture for multi-tenant data substrate, lawful-access fulfilment, and cross-region data residency.

Sources

All statistics on this page are drawn from publicly available reports issued by recognised industry bodies, regulators, and security research organisations. References are listed below for verification.

  [01] European Union — Network and Information Systems Directive 2 (NIS2), Directive (EU) 2022/2555, applicable from 18 October 2024 — designates digital infrastructure (DNS, TLD registries, cloud, data centres, content delivery networks, trust services) as essential entities.
  [02] Cloud Security Alliance — Unpacking the 2024 Snowflake Data Breach; Mandiant tracked UNC5537 / ShinyHunters compromise of approximately 165 Snowflake customer accounts via stolen credentials and absent multi-factor authentication.
  [03] Okta — disclosure of 2023 breach of customer support case management system; subsequent disclosed downstream impact on Cloudflare and other Okta customers.
  [04] Amazon Web Services — public post-incident reports on major service disruptions; relevant in illustrating availability-class concerns in concentrated cloud-provider deployments.
  [05] IBM Cost of a Data Breach Report 2024 (Ponemon Institute, sponsored by IBM, July 2024) — covering 604 organisations across 16 countries and 17 industries between March 2023 and February 2024.
  [06] European Union — Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554.
  [07] US Federal Risk and Authorization Management Program (FedRAMP).
  [08] US Department of Defense — Cybersecurity Maturity Model Certification (CMMC) Program.
  [09] UK National Cyber Security Centre — Cyber Assessment Framework (CAF).
  [10] Australian Government — Information Security Manual (ISM) and Cloud Security Guidance.

PULSE Digital Security cites these sources for context only. Citation does not imply endorsement of, or affiliation with, any cited organisation. All trademarks remain the property of their respective owners.