Security and compliance in the Cloud: why businesses are repatriating sensitive data

For years, cloud-first strategies dominated IT roadmaps, promising agility, scalability, and cost efficiencies. However, a new trend is emerging: cloud repatriation. Increasingly, organisations are pulling sensitive workloads back from public clouds to private environments, citing security, compliance, and cost concerns.
Interactive cybersecurity expert, David Dowling, notes that “the pendulum has swung back from a cloud-first mindset to a workload- and data-first approach. This allows organisations to focus on the correct workload for the data type due to public cloud prices and difficulty in forecasting cloud spend. This has parallels with history with virtualisation over a decade ago.”
This shift is driven by growing regulatory pressures, the rising cost of compliance, and the realisation that businesses must regain control over their most critical asset—data.
Hidden security risks of public cloud
While public cloud providers offer robust security measures, they cannot fully protect against one of the biggest threats: information disclosure. Dowling highlights that threat actors don’t care whether data is in production or non-production environments; all they want is access to sensitive information they can leverage for extortion.
“The biggest security risk faced by organisations when storing sensitive data in public cloud environments is Information Disclosure (the I in the STRIDE model), particularly when Analytic or Dev teams take production data and move it into dev or test environments.
“Unfortunately, threat actors don’t care if sensitive data is stored in test or Dev environments, and this is why the use of controls like data masking is a useful tool to allow devs to do their jobs with fictional yet realistic data. Storing sensitive data on-premise or in private cloud environments does reduce the likelihood of Information Disclosure, mainly through better controls.”
A major risk occurs when analytics or development teams move production data into test environments without proper safeguards. “The Uber breach is a perfect example,” Dowling explains.
“Production data in a non-production environment was exploited, leading to significant exposure. This is why controls like data masking are critical to ensuring developers work with realistic yet fictional data.”
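A concrete illustration of the data-masking control described above, added here as an example and not taken from the article or any product it mentions: it pseudonymises a constructed set of cardholder records with a keyed hash so the same real value always maps to the same synthetic one (joins in dev still line up), generates Luhn-valid replacement PANs, and gates the export on a check that no production value survives in the masked copy. The masking key, the sample records and the `example.test` domain are placeholders.

```python
import hashlib, hmac

# Constructed sample "production" records (fabricated values, not from the article);
# the repeated customer 1001 row lets us check that masking stays consistent across rows.
PRODUCTION_RECORDS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com", "pan": "4111111111111111"},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.org", "pan": "5500000000000004"},
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com", "pan": "4111111111111111"},
]
# Placeholder key: in practice it stays with the masking job inside the CDE, never in dev/test.
MASKING_KEY = b"placeholder-masking-key-rotate-me"

def _digest(value: str) -> str:
    """Keyed hash: the same real value always yields the same fake value, so joins still work."""
    return hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).hexdigest()

def luhn_check_digit(body: str) -> int:
    """Check digit that makes body + digit pass the Luhn test used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == int(number[-1])

def mask_pan(pan: str) -> str:
    """Replace the real PAN with a synthetic, Luhn-valid 16-digit number derived from the keyed hash."""
    body = str(int(_digest(pan), 16))[:15]
    return body + str(luhn_check_digit(body))

def mask_email(email: str) -> str:
    return f"user-{_digest(email)[:10]}@example.test"  # .test is reserved for testing use

def mask_name(name: str) -> str:
    return f"Customer {_digest(name)[:6].upper()}"

def mask_record(rec: dict) -> dict:
    masked = dict(rec)  # customer_id is a surrogate key with no personal meaning, so it is kept
    masked["pan"], masked["email"], masked["name"] = mask_pan(rec["pan"]), mask_email(rec["email"]), mask_name(rec["name"])
    return masked

def mask_dataset(records: list) -> list:
    return [mask_record(r) for r in records]

def leaks_production_values(original: list, masked: list) -> bool:
    """Export gate: True if any real PAN, email or name still appears anywhere in the masked copy."""
    secrets = {r[k] for r in original for k in ("pan", "email", "name")}
    return any(s in str(v) for s in secrets for r in masked for v in r.values())
```

Running `mask_dataset(PRODUCTION_RECORDS)` and refusing to ship the copy while `leaks_production_values` is true is the whole control; the dev environment never receives the key, so the mapping cannot be reversed there.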
At the same time, security teams often struggle with visibility. “The real challenge for security teams is understanding where all your critical data resides and who has access to it—especially third parties,” says Dowling. Without this fundamental knowledge, organisations remain vulnerable, regardless of where their data is stored.
Regulatory pressures and the compliance cost equation
As regulatory requirements tighten worldwide, businesses are realising that compliance in the public cloud can be an expensive and complex undertaking. “Cost is actually a major driver behind compliance decisions,” Dowling notes.
Take the Payment Card Industry Data Security Standard (PCI DSS) as an example. “The larger the scope of a Cardholder Data Environment (CDE), the higher the cost of compliance. By moving workloads into private cloud environments, businesses can shrink their scope and control compliance costs.”
For government agencies handling classified data, repatriation simplifies compliance. “Australian government entities dealing with ‘protected’ data find it much easier to maintain consistency across their entire environment in a private cloud setup,” says Dowling.
“Private cloud allows for smaller scope and easier adherence to compliance requirements due to smaller scope.”
Beyond cost, CISOs are grappling with cloud sprawl—an explosion of uncontrolled cloud workloads across multiple environments. “Cloud repatriation allows organisations to consolidate sensitive data into smaller, more secure environments, making compliance and security management far more effective.”
Security challenges in cloud repatriation
Bringing data back from the cloud is not without risk. One of the biggest concerns is enabling secure access for trusted third parties. “Threat actors are actively targeting remote access to private cloud environments,” warns Dowling. “In 2024, the Australian Cyber Security Centre (ACSC) released 15 Critical Security Advisories—six of them related to proxies and remote connectivity software. Threat actors are actively targeting remote access to private cloud environments.”
To mitigate this risk, organisations must adopt modern security solutions. “Using private access products can help secure third-party access while enforcing session-based controls on the type and amount of data being accessed,” Dowling advises. “And of course, Zero Trust principles should be the foundation of any access strategy.”
Striking the balance: security, agility, and compliance
For businesses aiming to balance cloud flexibility with security and compliance, Dowling suggests taking a step back. “Start with the business,” he says. “If you’re familiar with SABSA (Enterprise Security Architecture), you know that it all begins with the contextual layer—business needs drive security decisions.”
A common pitfall is confusing security with compliance. “A CEO will never say, ‘We need to buy a VPN.’ They will say, ‘We need to be more agile or reduce costs.’ Security leaders must translate these business goals into actionable security strategies.”
One key practice is maintaining traceability from business objectives to technical controls. “For example, if the business wants to control costs, a logical step might be moving workloads into a private cloud to prevent unpredictable cloud bursts. Every security and compliance decision must be tied to a business outcome.”
Different industries also have different security challenges. “State governments and retail sectors have much smaller security budgets than finance and federal agencies. They need to maximise every dollar spent, making cloud repatriation an attractive option for cost-effective security.”
Long-term outlook: A workload-first future
Is cloud repatriation just a short-term response to current security concerns, or is it a long-term shift? According to Dowling, “Organisations are realising that their data is the product being sold. AI is accelerating this realisation. Companies are now asking, ‘Where is our most important data? Who has access to it? How do we better secure it?’”
Cloud strategies are no longer one-size-fits-all. “The industry is moving from a cloud-first mindset to a workload- and data-first approach. Businesses are making strategic decisions about which workloads belong in the cloud and which are better suited for private environments.”
Looking ahead, vendor selection will be critical. “Companies need to carefully assess whether vendors align with their private cloud strategy and the wider ecosystem.”
Final thoughts
Cloud repatriation is not about abandoning the cloud—it’s about making smarter, more strategic decisions about data placement. “The key takeaway is simple,” Dowling concludes. “Understand where your critical data is stored, who has access to it, and how you can best secure it. Whether that means keeping certain workloads in the cloud or bringing them back on-prem, the ultimate goal is to protect the business.”
As security and compliance pressures continue to mount, businesses that proactively rethink their cloud strategy will be the ones best positioned to navigate the evolving digital landscape.