
36% of companies suffered a serious cloud security data leak or breach in the past 12 months while 83% are concerned their organization is at risk

Frederick, MD, July 22, 2021 – As cloud adoption accelerates and the scale of cloud environments grows, engineering and security teams say that risks—and the costs of addressing them—are increasing. The findings are part of the State of Cloud Security 2021 survey conducted by Fugue, the leader in cloud security and compliance automation, and Sonatype, the leader in developer-friendly tools for software supply chain automation and security.  


The survey of 300 cloud professionals (including cloud engineers, security engineers, DevOps, and architects) found that 36% of organizations suffered a serious cloud security data leak or a breach in the past 12 months, and eight out of ten are worried that they’re vulnerable to a major data breach related to cloud misconfiguration. 64% say the problem will get worse or remain unchanged over the next year.


“This year’s survey reveals that the complexities and dynamism of at-scale cloud environments outpace the ability of teams to keep them secure,” said Josh Stella, co-founder and CEO of Fugue. “Engineering and security teams continue to ramp up the time and resources they invest in cloud security, but say they still lack the visibility and automation they need.” 


Cloud misconfiguration mistakes: a major insider threat

The primary causes of cloud misconfiguration cited are too many APIs and interfaces to govern (32%), a lack of controls and oversight (31%), a lack of policy awareness (27%), and negligence (23%). 21% said they are not checking Infrastructure as Code (IaC) prior to deployment, and 20% aren’t adequately monitoring their cloud environment for misconfiguration.


“The adoption of IaC is a double-edged sword: it puts cloud infrastructure into the hands of developers, but also opens organizations to serious risk associated with misconfiguration,” said Matt Howard, Executive Vice President at Sonatype. “The survey results highlight the need to empower developers with advanced security guardrails and rapid feedback to ensure that cloud infrastructure is secure and complies with relevant regulations and defined policies.”

Cloud and infrastructure as code security is a people problem

Traditional security challenges, such as alert fatigue (cited by 21%), false positives (27%), and human error (38%), play a significant role in cloud security. The demand for cloud security expertise continues to outpace supply; 36% cite challenges in hiring and retaining cloud security experts and 35% cite challenges in sufficiently training their cloud teams on security.


Securing infrastructure as code and cloud environments is costly

The adoption of IaC presents cloud teams with the opportunity to check configurations pre-deployment, with half of the teams surveyed investing 50+ engineering hours per week on IaC security. They invest the same amount of time on securing running cloud environments.  


Cloud security challenges and what professionals say they need

The lack of policies that work across the cloud development lifecycle (CDLC) from IaC through the runtime was cited as a significant issue, with 96% saying such a unified policy framework would be valuable. 47% said they need better visibility into their environments, and 43% said automated compliance audits and approvals would help. 


Get the State of Cloud Security 2021 Report

The State of Cloud Security 2021 Report is available for download.


About Fugue

Fugue helps organizations move faster in the cloud—without breaking the rules needed to keep cloud environments secure. The Fugue platform secures the entire cloud development lifecycle—from infrastructure as code through the cloud runtime—with a unified open-source policy engine. Fugue empowers cloud engineering and security teams to prove continuous compliance, build security into cloud development, and eliminate cloud misconfiguration. Fugue supports Amazon Web Services, Microsoft Azure, and Google Cloud, and provides one-click reporting for CIS Foundations Benchmarks, CIS Controls, CIS Docker, CSA CCM, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, and SOC 2. Customers such as AT&T, SAP NS2, and Red Ventures trust Fugue to protect their cloud environments. To learn more, visit


About Sonatype

Sonatype is the leader in developer-friendly, full-spectrum software supply chain automation providing organizations total control of their cloud-native development lifecycles, including third-party open source code, first-party source code, infrastructure as code, and containerized code. The company supports 70% of the Fortune 100 and its commercial and open source tools are trusted by 15 million developers around the world. With a vision to transform the way the world innovates, Sonatype helps organizations of all sizes build higher quality software that's more aligned with business needs, more maintainable and more secure. 


Sonatype has been recognized by Fast Company as one of the Best Workplaces for Innovators in the world, two years in a row and has been named to the Deloitte Technology Fast 500 and Inc. 5000 list for the past five years. For more information, please visit, or connect with us on Facebook, Twitter, or LinkedIn.


Media Contact

Rachel Kaseroff

RJK Communications


