But maintaining that trust is becoming difficult today. Hackers are no longer just trying to crack your firewalls. Instead, they are simply logging in using stolen information.
A 2026 Google Cloud report shows that hackers used identity and login issues to break into systems in 83% of major cloud and software hacks.
As multi-tenant clouds host multiple businesses on the same physical hardware, a single compromised identity can put the entire neighborhood at risk. To keep your clients safe, you must treat identity as your primary security boundary.
Below are a few tips to help you secure your multi-tenant cloud against modern identity attacks.
1. Conduct Regular Security Assessments
Turning on security tools doesn’t mean you’re safe forever. As your business grows and adds new users or software, your security settings can accidentally slip and leave doors open.
A security assessment involves looking at every single corner of your system to find weak spots before a hacker does. You need to check who has the master keys. In the tech world, we call these admin accounts. If an admin account has a weak password or an old setting, your entire system is at risk.
When you run these checks, focus heavily on permissions. Check for over-privileged users, meaning those who have access to more than they need. Audit inactive accounts. Attackers often exploit these to gain undetected network access.
Microsoft 365, which has over 430 million users, is also a prime target for hackers. Valuable data needs to be protected by eliminating weak passwords and closing publicly exposed files. A professional
Microsoft 365 security assessment
helps you find these hidden dangers.
According to IT Weapons, Microsoft 365 security and protection sets up the best security rules and settings to protect your company’s data. It scans your setup to find out who has access to what and gives you a clear checklist of what to fix first.
2. Enforce Strong Multi-Factor Authentication Everywhere
Passwords cannot protect you on their own anymore. Hackers can guess passwords, steal them, or buy them on the dark web. That is why you need
multi-factor authentication.
It means a user must prove their identity in two or more ways before they get in.
Skipping multi-factor authentication (MFA) leaves your business highly vulnerable to phishing, password spraying, and password reuse. In fact, Microsoft reports that over 99.9% of compromised accounts lacked MFA.
The strongest way to protect your identity is with phishing-resistant MFA. It is the only type of security setup where hackers cannot trick users into surrendering their credentials.
Instead of typing a text code, users rely on an app like Google Authenticator or Microsoft Authenticator. Even better, they can use a physical USB key, like a YubiKey. These tools use special math and codes that stay on the device. Hackers cannot steal them, even if they trick your user.
As the cloud owner, you must make MFA mandatory. Do not let individual tenants turn it off because they think it takes too much time. A single weak user in one tenant’s group can put the whole cloud network at risk.
3. Eliminate Legacy Authentication and Weak Trust Relationships
Old protocols like IMAP, POP3, SMTP AUTH, or basic auth for Office clients don’t support MFA or modern controls. That makes them prime targets for password sprays, brute force, and
credential stuffing.
Microsoft notes that 97%+ of credential stuffing and 99% of password sprays use legacy methods. In multi-tenant clouds, weak trust relationships, such as overly broad federation or stale service principals, can let attackers pivot between tenants.
As former CISA Director Jen Easterly highlighted at the IMPACT 25 conference, the core issue has shifted from typical malware to the exploitation of system dependencies.
“Abuse of trust, not malware, is the modern attacker’s playbook. Every identity — human or machine — is now a potential attack vector.”
Block legacy protocols. In Microsoft 365 and Entra, use conditional access policies to deny legacy authentication. Similar controls exist in other clouds. Monitor for usage first, then enforce.
Review federated identities, cross-tenant access, and API trusts. Eliminate dormant ones, and use just-in-time access and automated revocation.
Adopt modern standards. Favor OAuth 2.0 with PKCE, OpenID Connect, and short-lived tokens. Implement certificate-based authentication or device-bound sessions where possible. This might feel disruptive at first, but phased migration with testing minimizes impact.
FAQs
1. What is a cloud identity attack?
This happens when cybercriminals steal or spoof employee login credentials. Rather than bypassing your security system, they simply use valid accounts to log in and access sensitive data undetected.
2. How do hackers bypass basic multi-factor authentication?
They use trick emails to steal active login keys. Or they flood a worker’s phone with alerts until the tired user clicks “Approve” by mistake.
3. What is the biggest risk of a multi-tenant cloud?
The biggest danger is data bleeding between accounts. If a hacker gains access to one company’s space, they might find a loophole to steal another company’s files.
Key Statistics
| Statistic | What It Means |
|---|---|
| 83% | The percentage of major cloud and software hacks caused by identity and login issues. |
| 430 Million+ | The number of people who use Microsoft 365, making it a major target for hackers. |
| Over 99.9% | The percentage of hacked accounts that did not have Multi-Factor Authentication enabled. |
| 97%+ | The percentage of credential stuffing attacks that use old, legacy login methods. |
| 99% | The percentage of password spray attacks that rely on legacy login methods. |
Conclusion
Managing a multi-tenant cloud is a big responsibility. You are not just protecting your own files and data. You are protecting the livelihoods of every single tenant who trusts you to keep them safe.
Attackers create new tricks every day. But if you follow these three steps, you make their job almost impossible.
Check your system often. Stop using text codes for MFA and upgrade to smart authenticator apps or keys. Finally, block all old login methods, so hackers cannot sneak past your guard.

