Identity Protection in Managing Access to Public Cloud Services: Lessons from Phishing Simulation Tests

Digital identities have become an integral component of using online services in both personal and professional contexts. They constitute the primary mechanism for authenticating access to cloud computing services, where confidential information is often processed. Unauthorized access to such data can result in severe financial, operational, and reputational consequences, making digital identities one of the main targets for cybercriminals. The increasing number of incidents involving compromised identities highlights the need to adopt more effective protection methods. Despite the growing number of publications on cybersecurity, existing research offers limited examination of the relationship between the effectiveness of phishing attacks and the protection of digital identities in public cloud services. As part of this study, a series of controlled phishing simulations were conducted across several organizations operating in different sectors, involving a total of 3,891 users. The phishing emails were designed to closely resemble real-world campaigns used by cybercriminals to target cloud services, and the collected data included message open rates, clicks on malicious links, and instances of credential disclosure, which were subsequently subjected to detailed quantitative analysis. The results revealed significant differences in user behaviour depending on the nature of the organizations’ operations. These findings clearly indicate the need to further strengthen digital identity protection, as users exposed to various social engineering techniques tend to disclose their authentication credentials. Consequently, this paper presents a set of recommendations and methods for securing identities and managing access in cloud computing environments, ultimately contributing to the development of a comprehensive identity security model.