This February, the U.S. Department of Defense exposed roughly a terabyte of emails that included personal information and conversations between officials due to a cloud configuration error.

This latest incident highlights the importance of cloud security, especially as organizations shift more workloads and data into the cloud. 

We’ve compiled the statistics below to help you better understand the cloud computing market and trends in cloud adoption, as well as the most common security incidents and concerns about keeping cloud environments safe. We’ll also provide actionable tips for improving cloud security.

Cloud computing statistics

Cloud adoption has accelerated in the past few years, and is expected to continue to do. Learn more about market spend, trends, and key drivers of cloud adoption below. 

1. The worldwide public cloud computing market continues to grow and is expected to reach an estimated 679 billion U.S. dollars in 2024. (Statista)

2. In 2022, enterprise spending on cloud infrastructure services amounted to 225 billion U.S. dollars, an increase of 47 billion U.S. dollars compared to the previous year. (Statista)

3. Worldwide end-user spending on public cloud services is forecast to grow 20.4% to total $678.8 billion in 2024, up from $563.6 billion in 2023. (Gartner)

4. 69% of organizations use three or more cloud service providers. (Enterprise Strategy Group)

5. In 2022, CSA survey respondents estimated that they used 147 public cloud services on average — a dramatic increase from 38 reported in a 2020 survey. (Cloud Security Alliance and Google Cloud)

6. A majority of organizations (71%) are using a multi-cloud environment for the following reasons, among others:

• Leverage the strengths of different providers (17%)
• Improve performance and latency (14%)
• Enhance resilience and disaster recovery (13%)
• Reduce vendor lock-in (13%). (Cloud Security Alliance and Expel)

7. Gartner predicts that by 2027, more than 70% of enterprises will use industry cloud platforms to accelerate their business initiatives, up from less than 15% in 2023. (Gartner)

8. 83% of organizations have lifted and shifted workloads to the cloud. (Enterprise Strategy Group)

9. In a 2022 survey, the majority of organizations (89%) said they host sensitive data or workloads in the public cloud. (Cloud Security Alliance and Anjuna)

10. In a study by Venafi, organizations said they host two fifths (41%) of their applications in the cloud but expect that percentage to grow to 57% over the next 18 months. (Venafi)

11. 25% of organizations said at least 30% of their production workloads run on public infrastructure currently, and 67% said at least 30% of their workloads will run on public cloud infrastructure in the next 24 months. (Enterprise Strategy Group)

12. 66% of organizations have increased their investment in business-critical SaaS applications. (Cloud Security Alliance and Adaptive Shield)

Cloud security statistics

As organizations move more data and workloads to the cloud, they face persistent cloud security challenges. Discover common cloud-related security incidents and concerns below. 

13. 81% of organizations reported experiencing a cloud-related security incident over the last 12 months. (Venafi)

14. Almost half (45%) of organizations reported suffering at least four cloud-related security  incidents over the last 12 months. (Venafi)

15. In a survey of nearly 3,000 IT and security professionals across 18 countries, more than a third (39%) of businesses have experienced a data breach in their cloud environment last year, an increase on the 35% reported in 2022. (Thales)

16. Human error was reported as the leading cause of cloud data breaches by over half (55%) of IT and security professionals. (Thales)

17. In 2022, 62% of organizations reported that they were somewhat to highly likely to experience a cloud data breach in the next year. (Cloud Security Alliance and BigID)

18. The most common cloud-related security incidents respondents have experienced are:

• Security incidents during runtime (34%)
• Unauthorized access (33%)
• Misconfigurations (32%)
• Major vulnerabilities that have not been remediated (24%)
• A failed audit (19%). (Venafi)

19. The key operational and security concerns that security decision makers have in relation to moving to the cloud are:

• Hijacking of accounts, services or traffic (35%)
• Malware or ransomware (31%)
• Privacy/data access issues, such as those from GDPR (31%)
• Unauthorized access (28%)
• Nation state attacks (26%). (Venafi)

20. When security practitioners were asked to report their top three security concerns when running applications in the public cloud, the most common were loss of sensitive data (64%), improper configuration and security settings (51%), and unauthorized access (51%). (Cloud Security Alliance and Google Cloud)

21. When asked to identify their biggest challenges caused by rapidly accelerating software development cycles, enterprise cloud security professionals from organizations with more than 1,000 employees reported the following:

• Security team lacks visibility and control within the development process (35%)
• Software is often released without going through security checks or testing (34%)
• Lack of consistent security processes across different development teams (33%)
• Developers are skipping security processes to meet deadlines (33%)
• New builds are deployed to production with misconfigurations, vulnerabilities and other security issues (31%). (Enterprise Strategy Group)

22. Responsibility for securing cloud-based applications is currently assigned across internal teams, including:

• Enterprise security teams (25%)
• Operations teams responsible for cloud infrastructure (23%)
• A collaborative effort shared between multiple teams (22%)
• Developers writing cloud applications (16%)
• DevSecOps teams (10%). (Venafi)

23. When asked who should be responsible for security cloud-based applications, the most common answer was shared responsibility between cloud infrastructure operations teams and enterprise security teams (24%). (Venafi)

24. When asked how much of a role security plays in their organization’s cloud strategy, 40% of IT and security professionals said security is prioritized and strictly enforced during implementation and development. (Cloud Security Alliance and Expel)

25. When asked how much of a role security plays in their organization’s cloud strategy,  2% of IT and security professionals reported that other teams don’t consult the security organization at all. (Cloud Security Alliance and Expel)

Cloud data security statistics

One of the biggest challenges organizations face is protecting and securing their business, financial, and customer data in the cloud. Find out how organizations are struggling with this challenge below.

26. Only 4% of organizations report that 100% of their sensitive data in the cloud is sufficiently secured. In other words, 96% of companies report insufficient security for at least some sensitive cloud data. (Cloud Security Alliance and BigID)

27. 40% of organizations indicate that 50% or less of their sensitive data in the cloud has sufficient security. (Cloud Security Alliance and BigID)

28. Over half of organizations (57%) report medium to low levels of confidence in their organization’s ability to secure data in the cloud. (Cloud Security Alliance and BigID)

29. When asked how effective they believe their cloud provider’s security controls are, 89% of IT and security professionals said highly or somewhat effective. When asked how confident they were in their organization’s ability to protect sensitive data in the cloud, only 19% of these professionals said highly confident. 44% said moderately and 31% said slightly.  (Cloud Security Alliance and Anjuna)

30. When investigating information stored in various public cloud environments, researchers found sensitive personal data in over 30% of cloud assets. (Dig Security)

31. 20% of the financial data found in cloud assets is publicly exposed. (Dig Security)

32. 4% of the personal identifiable information (PII) and payment card industry (PCI) data found in cloud assets is publicly exposed. (Dig Security)

33. More than 7% of storage services containing sensitive data are public. (Dig Security)

34. More than 60% of storage services are not encrypted at rest, and almost 70% lack comprehensive logging. (Dig Security)

35. 91% of database services with sensitive data are not encrypted at rest, 20% lack comprehensive logging, and 1.6% are open to the public. (Dig Security)

36. Of the vast majority of principals with permissions, 95% are granted them through excessive privilege. (Dig Security)

37. More than 35% of principals have some privilege to sensitive data assets. (Dig Security)

38. Sensitive data was also found flowing to unmanaged environments such as data lakes like Hadeep and Snowflake 40% of the time. (Dig Security)

39. Almost 8% of sensitive data assets are shared with other accounts or projects, which increases the potential risk of data exposure and reduces the security posture of the asset itself. (Dig Security)

40. 55% of the shared assets are shared with other accounts in the same organization, 

36% of the shared assets are shared with other accounts outside the organization, and

9% are shared with third party vendors. (Dig Security)

41. Organizations appear to give nearly identical levels of access to sensitive data in their organization to employees, contractors, partners, and suppliers. For example, organizations reported the following percentages had access to 51-75% of their sensitive data:

• Employees (29%)
• Business or technology partners (27%)
• Contractors (26%)
• Suppliers (25%). (Cloud Security Alliance and BigID)

42. More than 50% of sensitive data assets in the cloud are accessed by five to 10 applications, and almost 20% of sensitive data assets are accessed by 10-to-20 applications.  (Dig Security)

43. The most common data security features organizations use are:

• Continuous monitoring/ learning (48%)
• Cloud workload security (42%)
• Cloud data security (42%)
• Data inspection and detection (41%). (Cloud Security Alliance and BigID)

Cloud security risk statistics

While cloud computing offers a wide range of benefits — cost-effectiveness, backup and recovery of data, and scalability — it also comes with risks. Read below to see what issues are contributing to those risks. 

44. Over 45% of most organizations’ high-risk, cloud-hosted exposures in a given month were observed on new services that hadn’t been present on their organization's attack surface in the month prior. (Unit 42)

45. On average, over 20% of externally accessible cloud services change monthly, creating new risk. (Unit 42)

46. 52% of organizations say they did not evaluate the ongoing risk of their cloud services being used after procurement as product features or business environments changed. (Cloud Security Alliance and Google Cloud)

47. 34% of organizations do not repeatedly evaluate and adjust the risk status of cloud services. (Cloud Security Alliance and Google Cloud)

48. 47% of security executives said they’re aware of malicious third-party applications and have experience. Another 38% said they’re aware but have had no experience. (Cloud Security Alliance and Adaptive Shield)

49. 80% of security exposures are found in cloud environments versus on-premises due to a range of factors, including frequent misconfigurations, shared responsibilities, shadow IT, inherent connection to the internet, and lack of visibility into cloud assets. (Unit 42)

50. The three causes that account for 60% of all exposures in cloud environments are:

• Web framework takeover (22.8%) 
• Remote access services (20.1%)
• IT security and networking infrastructure (17.1%).  (Unit 42)

51. 49% of organizations rated managing a multi-cloud environment as moderately complex. 23% rated it as very complex. (Cloud Security Alliance and Expel)

52. 52% of organizations that have a multi-cloud environment report difficulties establishing consistent security and governance policies across platforms. (Cloud Security Alliance and Expel)

53. Some 70% of organizations reported less than effective processes for assigning risk to cloud assets, with only 4% percent reporting having highly effective practices. (Cloud Security Alliance and Google Cloud)

54. On average, security practitioners are only somewhat satisfied with their organization’s method for assigning risk to cloud inventory assets. (Cloud Security Alliance and Google Cloud)

55.  A majority of organizations (65%) reported adjusting risk metrics used to evaluate cloud services annually or less frequently. (Cloud Security Alliance and Google Cloud)

56. 30% of enterprises reported that risk scoring systems are used as a directional guide to risk improvement for certain cloud solutions, as opposed to measurements that can be relied on for comparison across all cloud services. (Cloud Security Alliance and Google Cloud)

SaaS security statistics

As organizations increase their investment in SaaS applications, ensuring these apps are configured and governed securely is paramount. Without proper security measures, organizations are exposed to data breaches, cyber attacks, and other cloud security incidents. Find out how organizations are responding to SaaS security risks. 

57. More than a third (38%) of IT and security professionals ranked Software as a Service (SaaS) applications as the leading target for hackers, closely followed by cloud-based storage (36%). ​(Thales)

58. Over 55% of security executives said they experienced a security incident in their software-as-a-service (SaaS) environment over the last two years, a 12% increase from the previous year. (Cloud Security Alliance and Adaptive Shield)

59. 12% of security executives said they did not know if they experienced a security incident in their software-as-a-service (SaaS) environment over the last two years. (Cloud Security Alliance and Adaptive Shield)

60.  Over half (58%) of organizations estimate their current SaaS security solutions only cover 50% or less of their SaaS applications. (Cloud Security Alliance and Adaptive Shield)

61. Only 7% of organizations estimate their current SaaS security solutions cover 100% of their SaaS applications. (Cloud Security Alliance and Adaptive Shield)

62. Data leakage topped the types of security incidents experienced by IT and security professionals at 58%, followed by malicious apps (47%), data breaches (41%) and ransomware (40%). (Cloud Security Alliance and Adaptive Shield)

63. The top security concerns of security executives when adopting SaaS applications at their company are:

• Identity and access governance (43%)
• 3rd party app access and their level of permissions (40%)
• Data loss management (32%)
• Connected malicious apps (31%)
• Threat detection and response (31%)
• SaaS misconfiguration (29%). (Cloud Security Alliance and Adaptive Shield)

64. 71% of security professionals said their organizations have increased their investment in security tools for Saas. (Cloud Security Alliance and Adaptive Shield)

65. Only 22% of security professionals said they are highly satisfied with their organizations’ investment in security tools for SaaS. 54% said they were somewhat satisfied and 24% said they were not satisfied. (Cloud Security Alliance and Adaptive Shield)

Cloud security career statistics

Understand how the demand for cybersecurity professionals with cloud security skills is increasing as cloud adoption increases below.

66. Nearly half (47%) of all security professionals consider cloud computing security the most sought-after skill for those looking to advance their careers. (International Information System Security Certification Consortium)

67. 32% of hiring managers said cloud computing security is the most desirable skill for the second year in a row. (International Information System Security Certification Consortium)

68. 92% report having skills gaps in their organization, with cloud computing security being the most commonly cited (35%).  (International Information System Security Certification Consortium)

69. 68% of security professionals said their organizations have increased their investment in hiring and training staff on SaaS security. (Cloud Security Alliance and Adaptive Shield)

70. 71% of security professionals said they are somewhat or highly satisfied with their organizations’ investment in hiring and training staff on SaaS security. (Cloud Security Alliance and Adaptive Shield)

71. 41% of security practitioners said their organization’s method for keeping up with current risk management practices for the cloud was “informal reliance on staff self training.” (Cloud Security Alliance and Google Cloud)

How to improve cloud security

Now that you know how important it is to secure data and workflows in the cloud, use these tips below to level up your cloud security.

Implement and maintain an access control lifecycle

By implementing access controls, you can provide authorized, granular, auditable and appropriate user access across cloud environments and ensure appropriate preservation of data confidentiality, integrity, and availability.

Implementing access controls is not a check-the-box activity. It is a series of repeated steps that make up the access control lifecycle. To implement and maintain an effective access control lifecycle, internal staff should be assigned key roles and responsibilities as part of their job function, including but not limited to:

• Provisioning
• Establishing access rights
• Creating password complexity rules
• Ensuring segregation of duties
• Monitoring
• De-provisioning / off-boarding

Periodically assess cloud service provider risks

As mentioned above, more than half of organizations do not evaluate the risk of their cloud services being used after procurement, even as product features or business environments change.

To improve cloud security, organizations should assess their providers regularly and monitor their compliance and security performance as they do any other vendor. A strong vendor risk management program that includes cloud service providers can help organizations minimize risk to an acceptable level and focus on driving value from third-party relationships.

Use a risk assessment tool

We also know that the majority of organizations report having less effective processes for assigning risk to cloud assets. Using a risk assessment tool can help simplify and standardize the process of understanding, scoring, and tracking risks to cloud assets. 

Continuously monitor cloud environments

Continuous monitoring is increasingly important as organizations bring on more cloud services. Organizations must continuously monitor their cloud environments with the same vigilance as on-prem environments in order to quickly detect and remediate any issues as they arise. Automation and AI can help organizations do this even as their cloud environments become increasingly complex.  

Automate cloud remediation

With AI, your cybersecurity team can save valuable time remediating cloud misconfigurations. More advanced AI tools like Secureframe Comply AI can process security alerts and offer users step-by-step remediation instructions based on input from the user, resulting in more effective and tailored remediation recommendations.

How Secureframe can help protect your cloud environment

Secureframe helps you secure your cloud computing environment. Its key capabilities include:

• Access controls: Easily monitor and track the level of access each employee has to integrated systems and technology.
• Vendor risk management: Assess and manage the security and compliance posture for each of your third-party vendors and schedule recurring reviews for continuous monitoring.
• Powerful risk assessment: Seamlessly assess risks following intuitive, step-by-step workflows or save more time by automating risk assessments with Comply AI.
• Continuous configuration checks: Our platform continuously checks configuration posture and gathers raw JSON evidence, demonstrating adherence to both compliance standards and corporate security controls.
• Continuous monitoring: Get complete visibility and actionable insights into critical security and privacy compliance issues. 
• Remediation guidance: Get clear remediation guidance for failing cloud tests with step-by-step instructions, or infrastructure-as-code generated with Comply AI.

To learn more about Secureframe’s security and privacy compliance automation platform, schedule a demo with a product expert.