The evolving attack surface of the cloud workspace, driven by shifts away from traditional phishing, necessitates applying established endpoint security frameworks—Posture, Data, and Access—to effectively manage new vectors like OAuth and API keys.
I've noticed a trend with my friends in the security industry. We’re all increasingly worried about attackers moving their efforts to surfaces that were not as popular to target before now. There are different opinions and priorities, of course, but what became clear to me in these conversations is that we all consistently agree: attackers are changing their attacks and moving beyond phishing.
We are experiencing another evolution of the attack landscape. These evolutions happen every few years as our defenses catch up to attacker methods and make those methods less likely to succeed. Attackers do what they do best: evolve. Phishing was so successful for so long because credential theft was effective. If you could convince a target to give you their credentials, you were very likely to complete an account takeover.
That’s not to say phishing isn’t still a problem–it remains a huge attack surface, and still needs protection. But the days where phishing was the only attack vector you had to worry about with your cloud workspace are long gone.
Attacker behavior is evolving (and so is the surface)
Attackers are evolving today in part because we have authentication methods that are pretty much un-phishable. Leveraging the FIDO2 standard and WebAuthn, passkeys are becoming the auth method du jour. They’re not just more secure, but they reduce friction as well, because passkeys are easier for users than passwords. We’re seeing them widely introduced not just by corporate security teams but also by consumer-facing services. I have a passkey on my Target account.
The landscape is shifting to surface areas like OAuth, API keys, and Chrome extensions. Account takeover detections are fairly mature now and controls have been productized really effectively, meaning the detections are easy to put in place.
The same can’t be said for OAuth, API keys, and Chrome extensions. These surface areas are harder to manage. Native controls for protecting against abuse aren’t great and it’s hard to detect anomalous behavior that might mean something malicious is going on. Security teams are faced with a decision of limiting what the business can do (the dreaded “slowing down the business”) or accepting the risk of malicious apps so that the business can move quickly. That’s an impossible choice.
Compromising an account via these surface areas is as effective as a traditional account compromise, maybe even more effective. It gives attackers highly privileged, persistent account access that survives even if the account password is reset or passkeys are revoked, through an attack vector that is often much harder to detect initially. And with the rapid adoption of agentic AI, new attack vectors are emerging, from delegated logins to session manipulation to AI-compromised OAuth tokens.
Security teams trying to wrap their arms around these problems will be well-served by adapting how they think about traditional security frameworks to this new set of problems.
The Three Pillars of Cloud Workspace Security
Meeting attackers where they are moving starts with thinking about the security of your cloud workspace in three major pillars. This is how we approach the problem at Material:
1. Posture: The Foundation of Prevention
Start with thinking about configuration, and this comes down to account settings and policies. Is strong MFA enforced? Can you identify unused accounts, especially service accounts? Strong posture controls help limit the surface areas attackers can leverage to gain access, closing gaps that can lead to unauthorized access.
2. Data: Knowing What’s at Risk
A payroll spreadsheet with a public link is a bad outcome waiting to happen. DLP is a tool that helps your employees stay safe when working with your corporate data, and that means understanding exactly what’s in your employee mailboxes and Drive files, how the data is flowing, and removing stale data that’s no longer being used but still represents an attractive target to the attackers.
3. Access: Real-Time Detection and Response
This is the hardest and most mature pillar. If an employee grants access to an OAuth token that then suddenly touches hundreds of Google Docs, that’s probably not a good thing. You need the ability to almost immediately detect and respond to that behavior in real-time to minimize the impact of an actual incident in your environment.
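The detection described above, as an added illustration that is not Material's product logic or code from the original post: a sliding-window check over constructed, simplified Drive-access events that flags an OAuth client reading an unusual number of distinct documents. The event schema, app names, threshold and window are assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified Drive-access events: one JSON line per document read,
# attributed to the OAuth client that performed it. Not Google's real audit schema.
def _event(ts, app, user, doc_id):
    return json.dumps({"ts": ts.isoformat(), "app": app, "user": user, "doc_id": doc_id})

_base = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_LOG = "\n".join(
    # A normal add-on touching a handful of docs spread over an hour.
    [_event(_base + timedelta(minutes=12 * i), "calendar-helper", "alice@example.com", f"doc-{i}")
     for i in range(5)]
    # A newly granted "productivity" app enumerating 250 distinct docs in eight minutes.
    + [_event(_base + timedelta(seconds=2 * i), "doc-summarizer", "bob@example.com", f"doc-{1000 + i}")
       for i in range(250)]
)

def detect_mass_access(log_text, threshold=100, window=timedelta(minutes=10)):
    """Return one alert per (app, user) whose count of distinct documents inside any
    sliding time window reaches `threshold`. Events may arrive out of order."""
    by_actor = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        by_actor[(ev["app"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), ev["doc_id"]))
    alerts = []
    for (app, user), events in by_actor.items():
        events.sort()
        recent = deque()          # (ts, doc_id) pairs inside the current window
        seen = defaultdict(int)   # doc_id -> occurrences inside the window
        for ts, doc in events:
            recent.append((ts, doc))
            seen[doc] += 1
            while recent and ts - recent[0][0] > window:   # expire events older than the window
                _, old_doc = recent.popleft()
                seen[old_doc] -= 1
                if seen[old_doc] == 0:
                    del seen[old_doc]
            if len(seen) >= threshold:
                alerts.append({"app": app, "user": user, "distinct_docs": len(seen),
                               "window_end": ts.isoformat()})
                break  # one alert per actor is enough to trigger a response
    return alerts

if __name__ == "__main__":
    for a in detect_mass_access(SAMPLE_LOG):
        print(f"ALERT: {a['app']} acting as {a['user']} read {a['distinct_docs']} docs by {a['window_end']}")
```

In a real deployment the alert would feed an automated response such as revoking the app's token, which is the "respond" half of this pillar.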
A Framework You Already Know
Taking a step back and looking at these pillars from a higher altitude, a familiar image starts to emerge. The concepts of posture, data controls, and detection and response all exist today. They exist for a surface that is one of the most mature when it comes to securing things: the endpoint.
These same pillars were problems we had to solve as threats on endpoints evolved over two decades ago. If we accept that the problems we are trying to solve here are similar to what we solved for the endpoint already, then we can naturally start to apply the same endpoint protection framework to the cloud workspace. Let’s walk through exactly what that means:
The category might feel new, but the operational discipline behind it isn't. If you understand how to protect a laptop, you already have the foundational knowledge to protect your cloud workspace.
Scaling Security Without Scaling Headcount
The pressure today on security teams to remain lean is high. Budgets are shrinking, not growing, and additional headcount is difficult to attain. Implementing controls while controlling operational headcount is the only path forward. This means that the work associated with securing your cloud workspace must be kept to a minimum. The good news is that AI agents can be effective here. To be clear, AI is not a silver bullet, but it is a very useful tool in your broader tooling.
- Automated DLP Remediations: Once you know where your sensitive data is, basic DLP policies on sharing or storage of data are easy to implement.
- AI-Assisted Email Threat Triage: Agents are highly effective at evaluating user-reported phishing and making a judgment on whether it’s actual phishing or something more benign like spam.
- AI-driven App Security Reviews: A barrier to turning on allowlisting of apps is the amount of operational overhead introduced to review apps and the time the business needs to wait before the review is done. Even worse, the app review process becomes performative if the app is never re-reviewed or audited to make sure it’s only doing what it says it will do. AI is another multiplier here. Just like with phishing, agents can review an app request, make a judgment on whether it’s malicious or not, and then give the requesting employee a verdict in a matter of minutes. Your team only needs to get involved if the agent can’t come to a conclusion.
- Detection and Response: This is the area of cloud workspace security that requires the most operational and domain maturity. Ingesting alerts from your cloud workspace, enriching them, and then building automated responses has been out of reach for many organizations. Implemented the wrong way, these detections lead to alert fatigue. Again, agents can help review the logs, detect anomalies or IOCs, remediate issues, or escalate to a team member when needed.
By shifting the "unit economics" of security, you can provide comprehensive coverage across your entire cloud workspace environment without burning out your team.
Caution Ahead
We often see organizations make one of two mistakes: they either try to build a custom solution in-house (which becomes a full-time distraction) or they stitch together a "Frankenstein" of ten different point tools.
The third, and perhaps most dangerous, mistake is treating cloud workspace security as a purely theoretical risk—a line item to check off during an annual audit.
Rising to the Challenge
Every generation of our industry has had its moment of adaptation. This is ours. The good news is that we don't need to start from scratch. The frameworks are there, the operational discipline is there, and the technology is ready.
The cloud workspace is the new endpoint. It’s time we started treating it like one.