Full Report
Wiz Research reveals the latest cloud data security trends across hundreds of thousands of real-world environments.
Analysis Summary
# Research: 2025 Cloud Data Exposure Analysis: What Analyzing Hundreds of Thousands of Cloud Environments Taught Us About Data Exposure
## Metadata
- Authors: Wiz Threat Research
- Institution: Wiz
- Publication: Wiz Blog (Report Highlights)
- Date: May 7, 2025
## Abstract
This research analyzes hundreds of thousands of real-world cloud environments to identify current trends in data exposure, security misconfigurations, and risk prioritization. The key focus is on pinpointing "toxic combinations"—instances where sensitive data resides in publicly exposed or vulnerable assets—to help organizations reduce potential breach vectors efficiently.
## Research Objective
The primary objective is to answer critical questions facing security teams regarding cloud data: Where is sensitive data located, who has access to it, and what are the most prevalent and high-risk data exposure patterns across diverse cloud adoption scenarios?
## Methodology
### Approach
The study involved a large-scale, real-world analysis of existing cloud infrastructure configurations and asset states across numerous customer environments. The central analytical technique was contextual risk assessment, focusing on the intersection of three factors: asset exposure, known vulnerabilities, and the sensitivity of the data contained within.
### Dataset/Environment
The analysis covered **hundreds of thousands of cloud accounts** spanning organizations of all sizes, representing diverse, live, production-level cloud environments.
### Tools & Technologies
The analysis was conducted using the Wiz Cloud Security Platform, which likely employs agentless scanning and configuration analysis capabilities to inventory assets, map permissions, classify data sensitivity, and identify known vulnerabilities.
## Key Findings
### Primary Results
1. **Widespread Sensitive Data Exposure in Compute Instances:** 54% of analyzed cloud environments were found to have Virtual Machines (VMs) or serverless instances containing sensitive data (such as PII or payment data) that were exposed to the public internet.
2. **High-Risk Overlaps are Significant:** A critical subset—35% of cloud environments—have VMs or serverless instances that simultaneously expose sensitive data *and* are vulnerable to high or critical severity threats.
3. **PaaS Database Exposure Lacks Controls:** 72% of cloud environments possess publicly exposed Platform as a Service (PaaS) databases that lack adequate access controls, increasing the risk of unintentional data leakage.
4. **Container Security Lapses Persist:** 12% of cloud environments still exhibit containers that are both publicly exposed and exploitable via known vulnerabilities.
### Supporting Evidence
- 54% statistic regarding exposed VMs/serverless containing sensitive data.
- 35% statistic regarding the toxic combination scenario (exposure + high vulnerability + sensitive data).
- 72% statistic regarding publicly exposed PaaS databases lacking access controls.
### Novel Contributions
The contribution is the large-scale, empirical quantification of *contextual risk* in cloud data security. Instead of reporting on isolated misconfigurations, the research highlights the potent threat posed by the overlap of exposure, exploitability, and data sensitivity across vast numbers of environments.
## Technical Details
The analysis hinges on the concept of Data Security Posture Management (DSPM) principles: discovering sensitive data (often via scanning content or metadata), mapping network exposure (public Internet access), and correlating this with vulnerability scanning results. The prioritization method centers on finding the intersection of these three attributes to define immediate, high-impact remediation targets.
## Practical Implications
### For Security Practitioners
Practitioners must move beyond simple inventory checks. The focus needs to shift to identifying the small percentage of assets that are both internet-facing and house critical data, as these represent the most likely initial breach points.
### For Defenders
Defenders should prioritize remediation efforts based on the "toxic combinations" identified. Action should be taken immediately on assets that meet all three criteria: public exposure, high/critical vulnerability rating, and possession of sensitive data.
### For Researchers
This work provides a large-scale empirical baseline for cloud data exposure trends, setting a benchmark against which future security improvements or regressions can be measured. It reinforces the necessity of layered context in cloud security modeling.
## Limitations
The summary provided is a high-level report highlight, meaning the full depth of the methodology regarding specific data classification techniques, vulnerability scoring standards, and the exact definition of "public exposure" (e.g., firewall rules vs. public IP presence) is not detailed here. The report acknowledges that public exposure is sometimes acceptable, implying the analysis relied on context beyond simple network ACL checks.
## Comparison to Prior Work
This builds upon general cloud security posture management (CSPM) research by applying a specialized data-centric lens (DSPM). While prior work might have flagged a public database or an unpatched VM, this research explicitly quantifies the risk amplification when sensitive data is involved in that overlap, offering a superior method for risk prioritization over counting discrete misconfigurations.
## Real-world Applications
- **Risk Reduction Planning:** Security budgets and team effort can be strategically funneled toward the highest-risk 35%, rather than spreading remediation efforts thinly across all 54% surface area.
- **Vendor Risk Management:** Organizations can assess their posture against these industry benchmarks to gauge their preparedness.
## Future Work
The report implicitly suggests future work centered around actionable remediation, such as investigating how organizations are adopting DSPM solutions to effectively automate the correlation required to mitigate these toxic combinations. Further research could explore the root causes (e.g., specific IaC templates or deployment pipelines) leading to these critical misconfigurations.
## References
- Exploring the full report (implied full reference).