Defending the Digital Realm: Cloud Security Best Practices to Prevent ATO and Fake Traffic
02 November 2025
By Andro Galinović, Chief Information Security Officer, Infobip
Why cloud security matters now
Moving ops and infrastructure to the cloud isn’t some distant roadmap item anymore — it’s the here-and-now. From what I’ve seen over multiple cycles, cloud security delivers the scalability and cost-efficiency teams crave, but it also reshapes the attack surface in ways organisations don’t always expect. Teams that treat cloud migration as a lift-and-shift often only discover the new exposure after an incident — and that’s an expensive lesson.
From fortress to open landscape: what changes
Picture the old on-prem world as a walled city: gates, guards, rules you could point to. The cloud is less a city and more a sprawling borderless landscape — richer opportunities, more moving pieces, and more uncertainty. That mental shift matters. Security in the cloud needs to be layered, distributed, and obsessed with identity and machine-to-machine communication rather than a single perimeter defence.
Key differences to understand
- Perimeter dissolves: It’s less about network fences and more about identity, access and data protection. You won’t block your way out of most cloud problems.
- Shared responsibility: Cloud providers secure the infrastructure, but you’re still on the hook for configuration, data classification and access controls — and I’ve seen misconfigurations bite teams again and again.
- Shadow IT 2.0: SaaS sprawl brings a new generation of unmanaged apps. Discover, assess and control them — or they’ll quietly erode your security posture.
Two major cloud-first threats: ATO and Artificial Inflation of Traffic (AIT)
Two threats are especially pernicious in cloud-first setups: account takeover (ATO) and Artificial Inflation of Traffic (AIT). Both lean on convenience — SSO, SMS OTPs, automated flows — and both can produce outsized financial and reputational damage if left unchecked.
Account Takeover (ATO): the intruder inside
ATO is what happens when attackers live in your environment as legitimate users. No fancy zero-days required: reused credentials, credential stuffing and lack of multi-factor authentication are the usual culprits. Once inside, they can exfiltrate data, initiate transactions or pivot laterally.
Real-world impact: These aren’t hypothetical. ATOs translate into direct monetary loss, long remediations, and regulatory headaches. Industry reporting projects account takeover losses into the billions annually — and that track record should make you uncomfortable, not complacent.
Artificial Inflation of Traffic (AIT): the hidden drain
AIT is a quieter, nastier cousin: automated traffic that looks like real user behavior but exists solely to trigger chargeable events — think repeated OTP sends, fake sign-ups that trigger messages, or scripted activity that forces outbound costs. Attackers can even collude with rogue operators or abuse intermediaries to monetize the traffic. The result? Unexpected bills and a fiddly forensic mess. Juniper Research has put enterprise losses in this area in the billions — and again, that’s money that disappears while you’re still asking what happened.
Core controls to reduce cloud risk
Defending cloud-first environments is not a single magic switch. It’s layers. Practical, prioritized controls — the ones I push first when advising teams — tend to deliver the biggest, fastest wins.
1. Enforce strong, context-aware authentication
- Adopt multi-factor authentication (MFA): Prefer app-based authenticators, hardware keys or risk-based MFA. MFA best practices matter: SMS-only is a stopgap, usable but brittle.
- Implement single sign-on (SSO) with federation: Centralise identity with Google, Microsoft, Okta or similar and keep policies unified.
- Apply risk-based access: Step-up authentication for unusual logins (odd geos, new devices, weird times). It’s not 100% perfect — nothing is — but it stops a lot of automation and opportunistic attackers.
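To make the step-up idea concrete, here is an added example (not Infobip code, and not from the original article) of a minimal risk-based login policy: each deviation from what the account normally does (new country, unrecognised device, unusual hour) adds to a score, and the score decides between allow, step-up MFA and deny. The signal weights, thresholds and the sample account history are all assumed values chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Set, Tuple

# Added illustration, not Infobip code: a minimal risk-based step-up policy.
# Every weight and threshold below is an assumed value for the example.
WEIGHT_NEW_COUNTRY = 40   # login from a country this account has never used
WEIGHT_NEW_DEVICE = 30    # unrecognised device identifier
WEIGHT_ODD_HOUR = 15      # outside the hours this account normally signs in
STEP_UP_THRESHOLD = 30    # at or above this, demand a second factor
DENY_THRESHOLD = 70       # at or above this, refuse and alert


@dataclass
class AccountHistory:
    """What is already known about an account's normal behaviour."""
    known_countries: Set[str] = field(default_factory=set)
    known_devices: Set[str] = field(default_factory=set)
    usual_hours_utc: Set[int] = field(default_factory=set)


@dataclass
class LoginAttempt:
    country: str
    device_id: str
    timestamp: datetime
    password_ok: bool


def risk_score(attempt: LoginAttempt, history: AccountHistory) -> Tuple[int, List[str]]:
    """Sum the weights of every signal that deviates from the account's history."""
    score, reasons = 0, []
    if attempt.country not in history.known_countries:
        score += WEIGHT_NEW_COUNTRY
        reasons.append("new_country")
    if attempt.device_id not in history.known_devices:
        score += WEIGHT_NEW_DEVICE
        reasons.append("new_device")
    hour = attempt.timestamp.astimezone(timezone.utc).hour
    if hour not in history.usual_hours_utc:
        score += WEIGHT_ODD_HOUR
        reasons.append("odd_hour")
    return score, reasons


def decide(attempt: LoginAttempt, history: AccountHistory) -> Tuple[str, List[str]]:
    """Return 'deny', 'step_up_mfa' or 'allow', plus the contributing signals."""
    if not attempt.password_ok:
        # A failed first factor never proceeds; the risk signals are still
        # returned so credential-stuffing patterns show up in monitoring.
        return "deny", ["bad_password"] + risk_score(attempt, history)[1]
    score, reasons = risk_score(attempt, history)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up_mfa", reasons
    return "allow", reasons


def sample_history() -> AccountHistory:
    """Constructed history: one country, one device, office hours (07-18 UTC)."""
    return AccountHistory({"HR"}, {"laptop-01"}, set(range(7, 19)))


def attempt_at(country: str, device_id: str, hour_utc: int, password_ok: bool = True) -> LoginAttempt:
    """Helper that builds a constructed attempt on a fixed sample date."""
    return LoginAttempt(country, device_id,
                        datetime(2025, 11, 2, hour_utc, 0, tzinfo=timezone.utc), password_ok)


if __name__ == "__main__":
    history = sample_history()
    for label, attempt in [
        ("usual device, office hours", attempt_at("HR", "laptop-01", 10)),
        ("new device only", attempt_at("HR", "phone-99", 10)),
        ("new country, new device, 03:00", attempt_at("BR", "phone-99", 3)),
    ]:
        print(f"{label}: {decide(attempt, history)}")
```

The point of the structure is that the second factor is demanded only when the signals call for it, so the friction lands on the unusual login rather than on every login; in production the weights would be tuned against your own false-positive budget and the history would come from the identity provider's logs.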
2. Use Zero Trust principles
Assume nothing is implicitly trusted. Zero Trust cloud isn’t a product; it’s a mindset: continuous verification, least privilege, and micro-segmentation around resources and APIs. When you start thinking in identities and signals instead of walls, you catch a different class of problems.
3. Monitor traffic and detect anomalies
Real-time monitoring — ideally ML-driven — is how you spot AIT and similar fraud early. Watch for spikes in OTP requests, sudden jumps in message volumes, or bursts of account creation. Put automated throttles and circuit-breakers in place; you want systems that act before humans are pushed into panic mode. For implementation patterns and tooling, see this related discussion on traffic anomaly detection.
4. Secure APIs and M2M communication
- Rotate and protect API keys; never leave secrets in public repos. I still see this in audits — and it’s avoidable. Practical guides on API security are helpful when building operational checklists.
- Restrict API access with IP allowlists, geofencing and narrowly scoped credentials.
- Log and audit machine-to-machine calls. M2M is where attackers hide: detailed telemetry makes the difference in detection and post-incident analysis.
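The three API bullets above come together in a single enforcement point. As an added example (my code, not Infobip's and not from the article), the sketch below models an M2M gateway that stores only a hash of each API key, refuses keys older than a rotation limit, checks the caller's source address against a per-key allowlist, requires a narrowly scoped permission for each call, and writes one structured audit record per decision. Key identifiers, secrets, scopes, CIDR ranges and the 90-day rotation limit are all constructed values for the example.

```python
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Added illustration, not Infobip code: an M2M API gateway that enforces key
# rotation, IP allowlists and narrow scopes, and audits every decision.


def hash_secret(secret: str) -> str:
    """Only the SHA-256 of a key is stored; the plaintext never lands in the store."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ApiKeyRecord:
    key_id: str
    secret_hash: str
    scopes: FrozenSet[str]
    allowed_networks: Tuple[ipaddress.IPv4Network, ...]
    created_at: datetime
    max_age: timedelta = timedelta(days=90)   # assumed rotation policy


class M2MGateway:
    def __init__(self) -> None:
        self.keys: Dict[str, ApiKeyRecord] = {}
        self.audit: List[dict] = []   # one structured record per call

    def register(self, key_id: str, secret: str, scopes, allowed_cidrs, created_at: datetime) -> None:
        self.keys[key_id] = ApiKeyRecord(
            key_id, hash_secret(secret), frozenset(scopes),
            tuple(ipaddress.ip_network(c) for c in allowed_cidrs), created_at)

    def authorize(self, key_id: str, secret: str, source_ip: str,
                  required_scope: str, now: Optional[datetime] = None) -> str:
        """Evaluate one call and return 'allow' or a 'deny:<reason>' string."""
        now = now or datetime.now(timezone.utc)
        record = self.keys.get(key_id)
        if record is None or not hmac.compare_digest(record.secret_hash, hash_secret(secret)):
            outcome = "deny:unknown_or_bad_key"   # same answer for unknown id and wrong secret
        elif now - record.created_at > record.max_age:
            outcome = "deny:key_expired_rotate"
        elif not any(ipaddress.ip_address(source_ip) in net for net in record.allowed_networks):
            outcome = "deny:source_ip_not_allowed"
        elif required_scope not in record.scopes:
            outcome = "deny:scope_missing"
        else:
            outcome = "allow"
        # Every decision, allowed or not, is recorded: M2M telemetry is what
        # makes detection and post-incident analysis possible.
        self.audit.append({
            "ts": now.isoformat(), "key_id": key_id, "source_ip": source_ip,
            "scope": required_scope, "outcome": outcome,
        })
        return outcome


def demo_gateway() -> M2MGateway:
    """Constructed key store: one fresh, narrowly scoped key and one overdue for rotation."""
    now = datetime.now(timezone.utc)
    gw = M2MGateway()
    gw.register("svc-billing", "constructed-secret-1", {"invoices:read"},
                ["10.20.0.0/24"], now - timedelta(days=10))
    gw.register("svc-legacy", "constructed-secret-2", {"invoices:read", "invoices:write"},
                ["10.20.0.0/24"], now - timedelta(days=200))
    return gw


if __name__ == "__main__":
    gw = demo_gateway()
    gw.authorize("svc-billing", "constructed-secret-1", "10.20.0.7", "invoices:read")
    gw.authorize("svc-billing", "constructed-secret-1", "203.0.113.9", "invoices:read")
    gw.authorize("svc-legacy", "constructed-secret-2", "10.20.0.7", "invoices:write")
    for entry in gw.audit:
        print(json.dumps(entry))
```

Two design choices matter here: the unknown-key and wrong-secret cases return the same reason so the response leaks nothing about which key identifiers exist, and the rotation check is enforced at the gateway rather than left to a calendar reminder, so a forgotten key stops working instead of lingering.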
5. Vendor and third-party risk management
Cloud ecosystems multiply dependencies. Have a vendor assessment workflow that checks security posture, compliance and incident response. Vendors secure infrastructure but you own configuration and data protection — keep that contractual and operational reality front-and-center.
Building a security-first culture
Tech helps, but people are your true frontline. Social engineering and careless credential sharing can nullify the best tech controls. Invest in short, practical training; run phishing simulations; make reporting frictionless. Tiny, frequent nudges beat one long training once a year. Trust me — micro-learning sticks better.
An example: mitigating a simulated AIT attack
Here’s a workshop scenario I use that tends to spark good discussion: a retail app shows an 8x spike in OTP requests inside half an hour. Smart monitoring flags it, rate-limits the OTP flow and triggers a triage. The team finds a botnet targeting a promo sign-up flow. Tactics that worked: throttling requests, blacklisting known bad IP ranges, and adding a CAPTCHA for high-risk sign-ups. Outcome: cost escalation halted, abuse vector closed in hours. Simple? Yes. Effective? Absolutely. And it reminded the team how small changes can have outsized effects.
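The monitoring control described under "Monitor traffic and detect anomalies" and the workshop scenario above are the same mechanism seen from two sides, so one added example covers both. The Python below is my illustration, not Infobip code and not from the article: it replays constructed OTP-send log lines through a guard that (a) keeps a per-source sliding window throttle and (b) trips a per-flow circuit breaker when the one-minute request rate reaches 8x the flow's baseline, after which further sends on that flow require a challenge. The log format, the baseline of two promo sign-ups per minute, the limits, and the addresses (taken from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) are all assumptions of the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, Optional

# Added illustration, not Infobip code: spike detection plus throttling for an
# OTP-send flow, replayed over constructed log lines.

# Constructed log format: "<iso-timestamp> otp_send phone=<e164> ip=<addr> flow=<name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) otp_send phone=(?P<phone>\S+) ip=(?P<ip>\S+) flow=(?P<flow>\S+)$")


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "phone": m["phone"], "ip": m["ip"], "flow": m["flow"]}


class OtpGuard:
    """Per-IP sliding-window throttle and per-flow circuit breaker."""

    def __init__(self, baseline_per_minute: Dict[str, float], spike_multiplier: float = 8.0,
                 per_ip_limit: int = 5, per_ip_window_s: int = 300) -> None:
        self.baseline = baseline_per_minute        # expected sends per minute per flow
        self.multiplier = spike_multiplier         # the article's scenario: an 8x spike
        self.per_ip_limit = per_ip_limit
        self.per_ip_window_s = per_ip_window_s
        self.ip_hits = defaultdict(deque)          # ip -> timestamps of accepted sends
        self.flow_hits = defaultdict(deque)        # flow -> timestamps in the last 60 s
        self.tripped = set()                       # flows whose breaker has opened
        self.alerts = []

    @staticmethod
    def _prune(window: deque, now: datetime, seconds: int) -> None:
        while window and (now - window[0]).total_seconds() >= seconds:
            window.popleft()

    def handle(self, event: dict) -> str:
        """Return 'send', 'throttled' or 'challenge' for one OTP request."""
        now, ip, flow = event["ts"], event["ip"], event["flow"]
        # 1. Flow-level rate vs. baseline. Every attempt counts, including ones
        #    throttled below, because throttled attempts are still a signal.
        recent = self.flow_hits[flow]
        self._prune(recent, now, 60)
        recent.append(now)
        threshold = self.multiplier * self.baseline.get(flow, 1.0)
        if flow not in self.tripped and len(recent) >= threshold:
            self.tripped.add(flow)   # stays open until an operator resets it
            self.alerts.append(f"{now.isoformat()} flow={flow} rate={len(recent)}/min "
                               f"baseline={self.baseline.get(flow, 1.0)}/min")
        # 2. Per-source throttle: at most per_ip_limit sends per window.
        hits = self.ip_hits[ip]
        self._prune(hits, now, self.per_ip_window_s)
        if len(hits) >= self.per_ip_limit:
            return "throttled"
        hits.append(now)
        # 3. Once the breaker is open, high-risk sends require a challenge (e.g. CAPTCHA).
        return "challenge" if flow in self.tripped else "send"


def replay(lines, guard: OtpGuard) -> Counter:
    """Replay log lines in order and count the guard's decisions."""
    decisions = Counter()
    for line in lines:
        event = parse_line(line)
        decisions[guard.handle(event) if event else "unparsed"] += 1
    return decisions


# Constructed sample: a quiet baseline, then a scripted burst from three addresses,
# then one more request after the burst.
SAMPLE_LOG = [
    "2025-11-02T10:00:10Z otp_send phone=+385990000001 ip=198.51.100.11 flow=promo_signup",
    "2025-11-02T10:00:40Z otp_send phone=+385990000002 ip=198.51.100.12 flow=promo_signup",
    "2025-11-02T10:01:15Z otp_send phone=+385990000003 ip=198.51.100.13 flow=promo_signup",
    "2025-11-02T10:01:50Z otp_send phone=+385990000004 ip=198.51.100.14 flow=promo_signup",
] + [
    f"2025-11-02T10:02:{i * 3:02d}Z otp_send phone=+38599100{i:04d} ip=203.0.113.{i % 3 + 1} flow=promo_signup"
    for i in range(18)
] + [
    "2025-11-02T10:03:10Z otp_send phone=+385990000005 ip=198.51.100.15 flow=promo_signup",
]


if __name__ == "__main__":
    guard = OtpGuard({"promo_signup": 2.0})
    print(dict(replay(SAMPLE_LOG, guard)))
    for alert in guard.alerts:
        print("ALERT", alert)
```

Replaying the sample shows the realistic shape of the problem: the breaker only opens once the one-minute count reaches 16, so a number of scripted sends get through first, and the per-IP throttle catches the sixth request from each address. That gap between first abuse and automated response is exactly the "cost while you're still asking what happened" the article describes, and it is what tuning the baseline, the multiplier and the per-source limit trades against legitimate traffic.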
Practical checklist for immediate action
- Enable MFA for all accounts; remove SMS-only MFA where feasible.
- Centralise identity with SSO and enforce clear role-based access controls.
- Deploy anomaly detection for messaging and authentication traffic.
- Protect and rotate API keys; audit repository secrets regularly.
- Run phishing simulations and quarterly security refreshers for staff.
- Implement vendor security reviews and formal shared-responsibility agreements.
Where to learn more
If you want numbers to build a business case, industry reports and aggregated stats are useful — Juniper Research on fraud costs or sector trend trackers are decent starting points. These resources help when you’re modelling risk and justifying spend. (Yes, you’ll need the receipts when you talk to finance.) [Source: Juniper Research, VPN Ranks]
Final thoughts: security as an enabler
The cloud isn’t the enemy — it’s a platform for speed and innovation. The trick is to pair that opportunity with pragmatic, layered security. From what I’ve observed, organisations that put identity-first controls, continuous monitoring and a security-aware culture in place move faster and with less drama. Iterate. Be proactive. And never confuse convenience for security — that’s where the surprises live.
If you’d like a hands-on demo of traffic anomaly detection and response, check out Infobip’s Signals platform which outlines capabilities to detect and block suspicious activity: Infobip Signals.