Decentralized Data Risks: How Cloud Sprawl is Changing the Game for CISOs

Managing cloud sprawl has become increasingly difficult for CISOs and their data teams. With sensitive information spread across multiple cloud providers, dozens of SaaS tools, shadow IT environments, and new AI pipelines duplicating data for training and analysis, keeping track of it all can seem like an uphill task. Even the most prominent organizations aren’t safe.
A recent example highlighting the complexity of managing cloud sprawl is the Hertz Corporation breach, which was disclosed in April 2025. Attackers exploited zero-day vulnerabilities in a third-party file transfer platform used by Hertz, Dollar, and Thrifty, leading to the exposure of sensitive data for over a million individuals. The compromised information included names, contact details, dates of birth, credit card numbers, driver’s licenses, and even government IDs and medical information for some.
This incident underscores how organizations with data spread across multiple vendors and cloud environments can struggle to maintain visibility and control, especially when third-party tools are involved in their workflows.
As data spreads across more environments, traditional security tools aren’t keeping up. Visibility is fragmented. Remediation is manual. And the risks, from unauthorized access and data leaks to compliance violations and breach escalation, are more daunting than ever.
To stay ahead, CISOs need centralized visibility into their data and decentralized enforcement at the source. This article breaks down why that model matters, where traditional data security tools fall short, and how to regain control in a multi-cloud and hybrid world.
Cloud and Hybrid Sprawl Is the New Norm, and It’s Breaking Data Security
Cloud and hybrid sprawl have become the default for modern enterprises. As teams rapidly adopt new tools and expand their tech stacks to stay competitive, they spin up new environments and duplicate data across systems. It’s a tradeoff that often feels necessary to support growth, analytics, and AI development and adoption.
However, as data continues to spread, security teams are left chasing shadows without unified visibility or control. Cloud sprawl, hybrid infrastructure, developer autonomy, regulatory complexity, and AI/ML workloads all contribute to a fragmented data landscape where no single team has complete oversight. Sensitive data ends up scattered across hundreds of systems, many of which are invisible to central security teams.
And as new tools are added, legacy systems rarely get fully decommissioned. They keep storing critical data but sit outside the scope of active monitoring and enforcement. That’s where blind spots form and where attackers find opportunity. This growing overlap between modern cloud infrastructure and aging on-prem systems creates a patchwork of environments with inconsistent controls, fragmented ownership, and varying levels of risk exposure.
In environments like these, assuming that data is protected just because it lives behind a login or inside a trusted tool is a risky bet. To secure it, organizations need unified visibility and actionable control. But getting there is harder than it sounds, and there are a few reasons why.
Challenges in Securing Multi-Cloud and Hybrid Environments
Security teams are dealing with growing attack surfaces, fragmented visibility across tools, multiple cloud environments, and mounting pressure to prove compliance in systems they don’t fully control. These challenges define the new reality of securing data across an organization.
Increased Attack Surface
Every new tool, cloud environment, or integration introduces risk. As sensitive data flows between environments, often duplicated or transformed along the way, attack surfaces grow in ways that are hard to see, let alone control. A misconfigured S3 bucket, an over-permissioned SaaS app, or an unmonitored legacy database can all become entry points for attackers.
According to Microsoft’s 2024 State of Multicloud Security Report, more than half of surveyed organizations were exposed to at least one attack path in 2023, with the average data footprint containing 351 attack paths. These attack paths often result from internet exposure and insecure credentials, leading to potential compute abuse, data exposure, and credential compromise.
To address these attack paths, security teams need solutions that continuously discover sensitive data across every environment: cloud, SaaS, and on-prem. These solutions need to go beyond point-in-time scans and CSV exports. They need to provide a unified, real-time map of where sensitive data lives, how it flows, and where it’s at risk. That’s the first step toward reducing exposure before it becomes a problem.
Complexity in Visibility and Control
Legacy data security tools weren’t built for today’s fragmented environments. Most offer siloed visibility: one dashboard for cloud storage, another for SaaS applications, and yet another for on-prem systems. Stitching these insights together takes time and manual effort, which delays response times and increases the risk of missed threats. That’s part of the reason why only 22% of organizations can respond to cloud breaches in under 60 minutes.
Security teams need a centralized way to understand their data posture across cloud, SaaS, and on-prem environments. One control plane with consistent insight, no matter where the data lives. That kind of visibility enables faster detection, smarter prioritization, and tighter control.
Compliance Gaps
Fragmented data environments make compliance a moving target. Without comprehensive visibility into where sensitive data resides, how it’s accessed, and who controls it, organizations are vulnerable to policy violations, data residency issues, and audit failures, all carrying significant financial and legal repercussions.
A 2023 report by Veritas reinforces this risk, with 46% of organizations naming data security — including ransomware, data loss, and data theft — as their top concern. These aren’t just theoretical risks: 40% said such threats have already caused the most financial and reputational damage to their organizations.
To address compliance proactively, security teams require solutions that detect regulatory risks — such as access misconfigurations and policy violations — and remediate them at the source.
The Key to Multi-Cloud and Hybrid Security? Centralized Visibility and Decentralized Enforcement
Securing sensitive data across fragmented environments requires a shift in how teams approach the problem. Centralized visibility paired with decentralized enforcement has emerged as the most effective model for securing data at scale.
This approach is exactly what it sounds like: maintain a single, unified view of sensitive data across all environments and enable enforcement to happen where the data lives. It’s about knowing what’s at risk and giving teams the ability to fix issues quickly without needing to route every action through a central security team.
And it works. Here’s how:
- Less redundant work across siloed security teams: With centralized data visibility, security teams aren’t completing work in silos. They’re working from a shared, accurate view of the organization’s entire data footprint. This eliminates the need for constant cross-team syncs, overlapping tools, or redundant playbooks.
- Consistent enforcement of policies across environments: Without a centralized control plane, every environment becomes its own island, with its own rules and exceptions. When enforcement is decentralized but policy is unified, teams get the best of both worlds: consistency and speed. Security teams can define rules once and push them everywhere, ensuring no environment gets left behind.
- Accelerated response to incidents, privacy requests, and audits: Centralized visibility empowers security teams to instantly locate sensitive data and assess exposure. Decentralized enforcement means they can take action directly within the systems that matter, no ticketing backlog or approval bottlenecks required.
- Reduced manual burden on security and compliance teams: Security teams don’t have to chase down other teams or manually patch every gap. With automated enforcement and clear ownership, remediation becomes a shared responsibility.
For organizations navigating complex multi-cloud and hybrid systems, this model is the preferred method to scale data protection without burning out the security team or introducing operational bottlenecks.
How Teleskope Empowers CISOs to Secure Their Data Footprint
Teleskope unifies discovery and classification across cloud and data environments, no matter how distributed they are. The platform continuously scans structured and unstructured data across major cloud providers, SaaS platforms, and on-prem systems without requiring data movement.
Whether it’s a Snowflake warehouse, a Google Drive folder, or a legacy file server, Teleskope detects and classifies sensitive data in real time. Its AI-powered classification engine is built to handle real-world complexity: identifying PII, PHI, financial data, source code, and more across various formats, schemas, and languages. This enables security teams to maintain an always-updated inventory of where sensitive data lives, how it’s flowing, and who has access.
That visibility feeds into intelligent, policy-driven automation. Teleskope can remediate issues at the source: revoking access, quarantining exposed files, deleting stale data, or flagging high-risk movement for review. These actions can be automated or routed through the right owner, striking the ideal balance between speed and control.
The Atlantic, for example, used Teleskope to dramatically reduce the time and effort required to fulfill data deletion requests. Instead of relying on manual lookups across fragmented systems, their team now automatically identifies and removes user data across their environment, cutting time spent on deletion workflows by 95%. That kind of operational efficiency supports compliance and frees up privacy and security teams to focus on higher-value work.
In a world where decentralization is accelerating, Teleskope gives security teams and CISOs the clarity to know where data is vulnerable and the control to fix it quickly without creating operational drag.
Decentralized Data Demands Centralized Intelligence
Data decentralization isn’t going away. If anything, it’s accelerating, driven by the needs of fast-moving teams, evolving business models, and new data-hungry technologies. But the more fragmented your data becomes, the more unified your visibility and control need to be.
You can’t solve decentralized problems with decentralized tools. Today’s security teams and CISOs need centralized intelligence: a way to see across their entire data estate, understand what’s at risk, and act quickly without slowing teams down.
That’s the philosophy behind Teleskope. The platform brings together continuous discovery, automated remediation, and proactive prevention into a unified platform built for modern cloud environments.
Book a call to see how Teleskope can bring clarity and control to your data security strategy.
Introduction
Kyte unlocks the freedom to go places by delivering cars for any trip longer than a rideshare. As part of its goal to re-invent the car rental experience, Kyte collects sensitive customer data, including driver’s licenses, delivery and return locations, and payments information. As Kyte continues to expand its customer base and implement new technologies to streamline operations, the challenge of ensuring data security becomes more intricate. Data is distributed across both internal cloud hosting and third-party systems, making compliance with privacy regulations and data security paramount. Kyte initially attempted to address data labeling and customer data deletion manually, but this quickly became an untenable solution that could not scale with their business. Building such solutions in-house didn’t make sense either, as they would require constant updates to accommodate growing data volumes, which would distract their engineers from their primary focus of transforming the rental car experience.
Continuous Data Discovery and Classification
In order to protect sensitive information, you first need to understand it, so one of Kyte’s primary objectives was to continuously discover and classify their data at scale. To meet this need, Teleskope deployed a single-tenant environment for Kyte and integrated their third-party SaaS providers and multiple AWS accounts. Teleskope discovered and crawled Kyte’s entire data footprint, encompassing hundreds of terabytes in their AWS accounts, across a variety of data stores. Teleskope instantly classified Kyte’s entire data footprint, identifying over 100 distinct data entity types across hundreds of thousands of columns and objects. Beyond classifying data entity types, Teleskope also surfaced the data subjects associated with the entities, enabling Kyte to categorize customer, employee, surfer, and business metadata separately. This automated approach ensures that Kyte maintains an up-to-date data map detailing the personal and sensitive data throughout their environment, enabling them to maintain a structured and secure environment.
Securing Data Storage and Infrastructure
Another critical aspect of Kyte’s Teleskope deployment was ensuring the secure storage of data and maintaining proper infrastructure configuration, especially as engineers spun up new instances or made modifications to the underlying infrastructure. While crawling Kyte’s cloud environment, Teleskope conducted continuous analysis of their infrastructure configurations to ensure their data was secure and aligned with various privacy regulations and security frameworks, including CCPA and SOC2. Teleskope helped Kyte identify and fortify unencrypted data stores, correct overly permissive access, and clean up stale data stores that hadn’t been touched in a while. With Teleskope deployed, Kyte’s team will be alerted in real time if one of these issues surfaces again.
End-to-End Automation of Data Subject Rights Requests
Kyte was also focused on streamlining data subject rights (DSR) requests. Whereas their team previously performed this task manually, with workflows and forms, Kyte now uses Teleskope to automate data deletion and access requests across various data sources, including internal data stores like RDS and their numerous third-party vendors such as Stripe, Rockerbox, Braze, and more. When a new DSR request is received, Teleskope seamlessly maps and identifies the user’s data across internal tables containing personal information, and triggers the necessary access or deletion query for that specific data store. Teleskope also ensures compliance by automatically enforcing the request with third-party vendors, either via API integration or email, in cases where third parties don’t expose an API endpoint.
Conclusion
With Teleskope, Kyte has been able to effectively mitigate risks and ensure compliance with evolving regulations as their data footprint expands. Teleskope reduced operational overhead related to security and compliance by 80%, by automating the manual processes and replacing outdated and ad-hoc scripts. Teleskope allows Kyte’s engineering team to focus on unlocking the freedom to go places through a tech-enabled car rental experience, and helps to build systems and software with a privacy-first mindset. These tangible outcomes allow Kyte to streamline their operations, enhance data security, and focus on building a great, secure product for their customers.

