State of 'State of Cloud Security' Reports: Insights or Self-Owns?
Dec 18, 24

If you run a cloud security company, publishing a “state of cloud security” report seems to be a rite of passage. These reports churn data from the company’s CSPM[1] product offering into generalized insights.[2] I’ve read plenty of them over the years[3] — partially in service of tracking the most salient details via AWS Customer Security Incidents. These reports are marketed with an implicit key assumption: that their customer data is representative of the broader state of cloud security.
A hidden variable?
Here’s something people miss about these reports: the findings substantially reflect how well the tool helps customers secure their clouds.
When a report says “X% of companies have Y misconfiguration,” is that really about cloud security? Maybe it is also a sign that users struggle with the tool: a mark of poor usability, bad prioritization, or plain old alert fatigue.
Those stats can say more about the product than the problem.
And then there’s the question of what they choose to measure.[4] Are they highlighting major issues and misconfigurations that lead to real world breaches? Or are they making flashy graphics around nigh-meaningless Cloud Encryption or Public S3 Bucket “findings”[5]?
Critical Reading
One recent report highlighted that roughly a third of their customers have “at least one cloud workload that is publicly exposed, critically vulnerable and highly privileged.” If you’re a cloud security vendor that isn’t helping customers resolve this critical set of flaws, should I really buy your product?
In another case, a vendor chose to highlight the prevalence of “root user without MFA.” Even worse, the number went massively up year-over-year. This is a complicated metric, because many large organizations would instead simply randomly generate and never track the credentials for the root user, making account recovery the only break-glass option.[6]
Another report focused on data security found over 90% of “database services with sensitive data are not encrypted at rest.” What does that say about the quality of that finding, and the vendor’s success in pushing their beliefs on its risks?
Finally, several reports invest heavily in IAM User best practices: setting up MFA & complex passwords, rotating access keys, and deprecating unused identities. However, if they don’t push for customers to deprecate IAM Users (to the fullest extent possible), how good do you think their other guidance will be?
Ending on a more positive note
🥕 and 🪵 - I want to end by highlighting what good can look like.
Take some examples from the 2024 edition of Datadog’s State of Cloud Security:
- “Adoption of public access blocks in cloud storage services is rapidly increasing” shows a reduction in the prevalence of public blob storage (e.g. AWS S3), and pairs it with analysis of Block Public Access adoption.
- “Less than half of EC2 instances enforce IMDSv2, but adoption is growing fast” highlights substantial improvements, while giving appropriate credit and visibility to relevant investments from cloud providers.
- “Insecure IAM roles for third-party integrations leave AWS accounts at risk of exposure” is paired with work promoting actionable guidance on better practices.
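The three findings above are also the kind of checks a defender can run against their own inventory rather than waiting for a vendor’s aggregate. The script below is an added example (not Datadog’s code, nor the post author’s) that evaluates constructed records shaped like the boto3 responses for `s3:GetPublicAccessBlock`, `ec2:DescribeInstances` and `iam:GetRole`, so it runs offline; the bucket names, instance ids and account ids are made up. It treats “insecure third-party role” as a cross-account `sts:AssumeRole` grant without an `sts:ExternalId` condition (the confused-deputy protection), which is an assumption about what that finding measures; note that the deliberately public `public-artifacts` bucket gets flagged too, which is exactly the intentional-exposure nuance footnote 5 asks reports to handle.

```python
"""Offline posture checks for public access blocks, IMDSv2 and third-party
role trust, run over constructed inventory records (no AWS access needed)."""
import re

# Constructed: the account id the inventory belongs to.
OWN_ACCOUNT = "111111111111"

# Constructed: PublicAccessBlockConfiguration per bucket. "public-artifacts"
# is intentionally open (a public distribution bucket), the case footnote 5
# says reports should distinguish from accidental exposure.
BUCKETS = {
    "public-artifacts": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                         "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "internal-data": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                      "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
}

# Constructed: EC2 instances with their MetadataOptions.
INSTANCES = [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]


def _trust(principal, condition=None):
    """Build a minimal AssumeRole trust policy document (constructed helper)."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed: three roles, two of them granted to third-party accounts.
ROLES = [
    {"RoleName": "vendor-a", "AssumeRolePolicyDocument": _trust(
        {"AWS": "arn:aws:iam::222222222222:root"},
        {"StringEquals": {"sts:ExternalId": "vendor-a-customer-42"}})},
    {"RoleName": "vendor-b", "AssumeRolePolicyDocument": _trust(
        {"AWS": "arn:aws:iam::333333333333:root"})},
    {"RoleName": "internal-ops", "AssumeRolePolicyDocument": _trust(
        {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:root"})},
]

PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def bucket_fully_blocked(pab: dict) -> bool:
    """All four Block Public Access settings must be on to count as blocked."""
    return all(pab.get(s) is True for s in PAB_SETTINGS)


def imdsv2_enforced(instance: dict) -> bool:
    """IMDSv2 is enforced when tokens are required; an instance whose metadata
    endpoint is disabled has no reachable IMDS at all and is counted as safe."""
    opts = instance.get("MetadataOptions", {})
    return opts.get("HttpEndpoint") == "disabled" or opts.get("HttpTokens") == "required"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def third_party_trust_issues(role: dict, own_account: str) -> list:
    """Flag AssumeRole grants to other accounts that lack an sts:ExternalId
    condition, and grants to a wildcard principal."""
    issues = []
    for stmt in role["AssumeRolePolicyDocument"].get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        conditions = stmt.get("Condition", {})
        has_external_id = any("sts:ExternalId" in v for v in conditions.values() if isinstance(v, dict))
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for p in principals:
            if p == "*":
                issues.append("any principal may assume this role")
                continue
            m = ARN_ACCOUNT.match(p)
            if m and m.group(1) != own_account and not has_external_id:
                issues.append(f"cross-account trust to {m.group(1)} without sts:ExternalId")
    return issues


def summarize(buckets, instances, roles, own_account) -> dict:
    """Aggregate the three checks into the kind of lists a posture report counts."""
    return {
        "buckets_without_full_public_access_block": sorted(
            name for name, pab in buckets.items() if not bucket_fully_blocked(pab)),
        "instances_not_enforcing_imdsv2": [
            i["InstanceId"] for i in instances if not imdsv2_enforced(i)],
        "roles_with_trust_issues": {
            r["RoleName"]: found for r in roles
            if (found := third_party_trust_issues(r, own_account))},
    }


if __name__ == "__main__":
    for key, value in summarize(BUCKETS, INSTANCES, ROLES, OWN_ACCOUNT).items():
        print(f"{key}: {value}")
```

Swapping the constructed dictionaries for real API responses is the only change needed to run this against an account; the useful part for reading vendor reports is seeing how much judgement sits inside each check (is an endpoint-disabled instance “enforcing IMDSv2”? is an intentionally public bucket a finding?), since those choices shape the percentages a report ends up quoting.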
It’s not all 🌹🌹🌹, but I hope this highlights how these reports can be tuned to be more impactful and actionable. And I hope you carry forward some caution into the next one you read!
-

[1] Don’t get hung up on the acronym - these tools were CSPMs when I started working in cloud security, but now they might be CNAPPs, or AI…SomethingSomethings.

[2] Similar titling and content marketing is used for “survey-based” State of Cloud Reports. I’m not talking about those!

[3] Palo Alto Unit 42 has published seven volumes of their Cloud Threat Report. Datadog, Snyk, Orca, Sysdig, and Wiz are other prominent cloud security companies who publish such reports.

[4] Disclaimer: I’ve previously had a small part in putting together these reports, normally as an early reviewer. Often, the statistics presented are as much a reflection of limitations in collected or analyzed data, or the product, as any specific research perspective.

[5] I mention Public S3 buckets to call attention to vendors who fail to consider intentional, safe deployment models. For example, a bucket used to distribute public artifacts. Sure, using Cloudfront etc. with a private bucket is better - but is this really a major issue? Better reports will often specify the level of exposure of buckets storing “sensitive data,” which then moves the problem into “how good is their categorization of sensitive data.”

[6] This was generally paired with an SCP denying usage of root. Of course, we just got central management for root access. So yay for that!