Last Day to Get an iPad mini, Surface Go 2, or Take $300 Off with OnDemand Training - Register Today!


Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

Cloud Security Improving: Results of the 2019 SANS State of Cloud Security Survey

Key Cloud Concerns Revealed; Concerns Haven't Led to More Breaches

  • Bethesda, MD
  • April 22, 2019

The state of cloud security is improving, albeit slowly, according to results of the 2019 SANS State of Cloud Security survey to be released by SANS Institute on May 1, 2019.

“Organizations are continually evolving in their use of cloud services, looking to the cloud for procurement, management and other functions,” says Dave Shackleford, SANS senior instructor and analyst. “Along with that movement, organizations are placing more and more sensitive data in the cloud and facing a variety of security concerns.”

More respondents’ organizations experienced unauthorized access to cloud environments or cloud assets by outsiders: 31% in 2019 compared with just 19% in 2017. And concern about that access has remained high, with 56% of 2019 respondents listing it as a concern. The concern for data breaches by cloud provider personnel dropped from 53% in 2017 to 44% this year, which may indicate some growth in trust in the providers. Other major concerns included inability to respond to incidents (52%), lack of visibility into what data is being processed and where (51%) and unauthorized access to data from other cloud tenants at 50%.

It does not appear that these concerns have translated into an increase in breaches. In 2019, 72% of respondents said they weren’t aware of an actual breach, compared with 59% in 2017. This is good news, assuming that lack of awareness isn’t an issue. While 7% just aren’t sure at all (compared with 21% in 2017), 11% said they did experience a breach, and another 11% think they’ve had one but can’t prove it. The percentage of those who have (or believe they have) experienced a breach is roughly the same as it was in 2017.

“Cloud providers are becoming more open and accommodating of security data and controls,” continues Shackleford. “And more vendor solutions are able to bridge the gap between implementations on-premises and in the cloud, providing slow but sure improvement in cloud security.”

Full results will be shared during a May 1, 2019, webcast at 1 PM Eastern, sponsored by ExtraHop and Sysdig, and hosted by SANS, in conjunction with the Cloud Security Alliance. Register to attend the webcast at

Register for the BONUS webcast on May 7, 2019, at 1 PM Eastern, where survey author Dave Shackleford, Jim Reavis (Cloud Security Alliance) and representatives from ExtraHop and Sysdig will talk in more depth about key issues that arose in the survey.

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and cloud security expert, Dave Shackleford.

Tweet This:

SANS 2019 Cloud Security Survey Results | 5/1 @ 1PM ET | @daveshackleford @jimreavis | Sign up:

What concerns do you have about use of the public #cloud? Join @daveshackleford and @jimreavis as they explore the results of the SANS 2019 Cloud #Security Survey | 5/1 @ 1PM ET |

Cloud Survey BONUS Webcast | 5/7 @ 1 PM ET | Panel of @daveshackleford @jimreavis @ExtraHop @sysdig |

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner’s qualifications via over 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (