Tenable Cloud Security Study Reveals a Whopping 95% of Surveyed Organizations Suffered a Cloud-Related Breach Over an 18-Month Period

The finding from the Tenable 2024 Cloud Security Outlook study is a clear sign of the need for proactive and robust cloud security. Read on to learn more about the study’s findings, including the main challenges cloud security teams face, their strategies for better protecting their cloud infrastructure and the tools they use to measure success.

Tenable has just published its "2024 Cloud Security Outlook" report, our annual assessment of organizations’ perceptions and experiences in securing their public cloud environments. The report, which polled 600 cloud security professionals in North America and Europe, explores the issues plaguing the respondents, the priorities they’ve set to address these challenges and the tools they’re using to measure success. We hope the report helps you understand how your peers are tackling cloud-environment complexity so you can set a strategic, effective path for securing yours. 

Check out key highlights from the report below.

Cloud breaches are pervasive, with insecure identities the leading culprit

Each year, the study probes how many respondents are affected by cloud-related breaches. We’re always optimistic. One might think that the huge growth in cloud-security awareness and tooling options would have by now triggered a downward trend in – or at least some immunity to – breaches. Alas, we found that a discomforting 95% of the 600 organizations polled had experienced cloud-related breaches in the previous 18 months. Among those, somewhat predictably, 92% reported exposure of sensitive data, and a majority acknowledged being harmed by the data exposure.

Given that in the cloud world breaches seem unavoidable, it makes sense that cloud security platforms seek to not just flag vulnerable points of entry but also minimize a hacker’s ability to do harm once in. We were therefore curious about what cloud security professionals perceive as their greatest source of risk – workload vulnerabilities, ransomware attacks, third party access? Here, perception aligned with the most recent industry understanding: Respondents cited insecure cloud identities and misconfigurations as their leading security risks – and 99% of organizations that experienced cloud-related breaches placed the blame on insecure identities as the leading cause. 

We drilled down into identities and access to see if organizations are not only aware of insecure identity and access management (IAM) as public enemy #1 for cloud security, but if they are doing something about it. Here respondents scored top marks, with many prioritizing efforts to minimize permissions through zero trust, access governance and just-in-time (JIT) initiatives.

More key findings

The report focused on three angles in securing cloud infrastructure and, in particular, governing access to resources:

• It’s Just So Hard. We asked organizations to break down the key barriers, challenges and risks they are encountering as they implement their cloud security programs.
• Of Utmost Importance. We sought to understand which of the many security areas and initiatives they are prioritizing in the year – and if those priorities line up with the reported top risks.
• Measuring Tells No Lies. Hand in hand with evaluating cloud security progress and maturity, not to mention justifying budget for renewals and new solutions, are performance indicators. We looked at the measurement tools in use and at those used the most.

Other important findings included:

• Lack of remediation capabilities is the top barrier to implementing new cloud security capabilities.
• Lack of cloud security expertise isn’t just “analyst speak” – it’s a reality that’s putting organizations at risk.
• A substantial degree of uncertainty exists regarding who within the organization owns responsibility for cloud security.

Regional differences

The findings revealed several regional disparities, including which region was more inclined to report experiencing no cloud-related breaches (spoiler: North America). We also saw regional differences in breaches’ causes. EU organizations were much more likely to pin their cloud breaches on excessive permissions and difficulty in detecting toxic combinations than their North American counterparts.

Regional differences also surfaced regarding the influence of DevOps teams on respondents’ ability to implement new cloud security capabilities. Significantly more respondents in North America than in Europe cited as a barrier the fear of DevOps teams that security efforts would disrupt their workflow.

Get the report!

Hopefully this blog has whetted your appetite for cloud security insights and best practices. We invite you to download the report, which will offer you:

• A good idea of the prevalence of cloud related breaches and the degree to which sensitive data is not just exposed but having negative impact
• An understanding of the pains and blockers that concern cloud security professionals globally and regionally, and what issues are common to all
• Insight into what others are prioritizing to tackle their concerns, to help shortcut your way to priorities that can help make your cloud security efforts more effective

Learn more:

• Download the "2024 Cloud Security Outlook" report
• Attend the webinar "Tenable Shares Its 2024 Cloud Security Outlook: Winning Half the Battle by Understanding Barriers and Priorities"
• Read the white paper "Holistic Security for AWS, GCP and Azure"