Not all clouds are equal, with system vulnerability rates 12 times higher in worst performing clouds; large enterprises performing 70% better than small enterprises

Salt Lake City, Utah, June 25, 2019 — RiskRecon, the world’s leading platform for easily understanding and acting on third-party cyber risk, today announced a new study with Cyentia Institute, seeking to answer the question: Are organizations more secure in the cloud? While the study found that 60% of organizations face higher-severity risk exposures in their cloud infrastructure, the study reveals various dynamics at play in cloud computing that influence an organization’s cloud success.

While an organization’s success in securing their cloud infrastructure is their own, the study reveals two significant demographics that are strong predictors of cloud security success. First, the choice of hosting provider matters. Internet-facing systems in the Amazon, Microsoft, and Oracle clouds had a 12 times lower rate of important security issues than the bottom performing cloud environments, where as many as 14% of systems had critical or high severity issues. Second, organization size has a big impact on cloud security performance. In comparison with enterprises with less than $10 million in revenue, enterprises with more than $100 million in revenue had a 70% lower likelihood of significant vulnerabilities.

All major industries studied have a significant portion of their internet-facing systems hosted with a cloud provider. The information industry has the highest adoption rate at 34%, while finance and public administration host 14% of their internet facing systems with a cloud provider. And it isn’t just brochure sites that are hosted in the cloud, with 80% of companies hosting one or more systems that collect sensitive data with a cloud provider.

“The migration of enterprise compute workloads to the cloud, combined with the rapid outsourcing of application systems and services to third-parties, has dramatically increased the complexity of managing enterprise cybersecurity risk,” said Kelly White, CEO and founder of RiskRecon. “Traditional methods of managing cybersecurity risk simply are not adequate. New approaches are required to maintain a current understanding of the risk surface sufficient to manage it well. Companies across the world are leveraging RiskRecon to help get a handle on it.”

Key Data Points:

  • Internet-facing systems hosted in the Amazon, Microsoft, and Oracle had lower rates of significant vulnerabilities than internet-facing systems hosted on premise, all lower than the on-premise rate of 1.6%.
  • The average difference between clouds with the highest versus the lowest exposure rates is 12X. But the difference between the minimum and maximum rate of severe exposures among cloud providers in the dataset is 144X.
  • 80% of firms host systems that process sensitive data in a cloud computing environment, suggesting that aversion to hosting high risk systems in the cloud is abating.
  • There is little diversity in cloud computing, with a full 70% of firms rely on four or fewer major cloud providers.
  • Of all internet-facing cloud hosted systems, the top three providers host 23% of all Internet-facing systems. (Amazon 16.8%, Microsoft 4.6%, Google 2%).
  • Organization that use four cloud hosting providers have one-quarter the exposure rate of those with just one cloud provider. Having 8 clouds drops that rate in half again. The data suggests that the rate of severe findings is at its highest when cloud diversity is at its lowest.
  • On-premise hosts were found to be 13X more likely to appear on security intelligence blacklists than cloud hosts.
  • Cloud exposures for organizations in the healthcare sector experienced a 4-5X increase compared to exposures on-premise.

“This study is crammed full of statistics related to cloud adoption and security, several of which are quite shocking,” said Dr. Wade Baker, Partner, Cyentia Institute, and author of the Cloud Risk Surface Report. “But it’s important to keep it all in perspective. The study doesn’t advocate for either side of the cloud vs. on-prem debate, because the safety record between them isn’t all that different (a 60/40 split). Far more important is for organizations to carefully consider their needs and capabilities in the cloud and select providers and strategies best suited them.

About the Study

The Cloud Risk Surface Report, and its sister study, the Internet Risk Surface report, reveal the impact of digital transformation on enterprise cybersecurity risk surface. The studies were conducted by the Cyentia Institute, in collaboration with RiskRecon. The dataset analyzed by Cyentia was provided by RiskRecon, featuring information pulled from over 18,000 organizations across 5 million hosts and 32 million security findings. Download the Study.

About RiskRecon

RiskRecon is the only continuous vendor monitoring solution that delivers risk-prioritized action plans custom-tuned to match your risk priorities, providing the world’s easiest path to understanding and acting on third-party cyber risk. Partner with RiskRecon to build your scalable, third-party risk management program to efficiently realize dramatically better risk outcomes. To learn more about RiskRecon’s approach, request a demo or visit the website at


Connect with RiskRecon:
Twitter: @riskrecon

 Media Contact:
Amanda Jones