When a Vendor Publishes Its Own Weak Spots
Cloud storage benchmarks are common. Honest ones are not. Backblaze's Q1 2026 Performance Stats report is notable precisely because it includes results where Backblaze's own rate limits degraded performance — a level of transparency that almost no vendor offers. The report compares Backblaze B2, AWS S3, Cloudflare R2, and Wasabi Object Storage across US-East and EU-Central regions, with full methodology published alongside the numbers. This is the second report in a planned quarterly series. The ambition is clear: give cloud storage buyers a consistent, comparable data set rather than the cherry-picked figures that typically appear in vendor marketing. For IT and security teams evaluating cloud infrastructure, this kind of transparency is genuinely useful. But performance is only one part of the decision. The question of where your data sits, who can access it, and whether you would know if it left — those questions do not appear in any benchmark report.
What the Benchmark Actually Measures
The Backblaze report covers object storage performance across two major geographic regions. Testing was conducted against four providers: Backblaze B2, AWS S3, Cloudflare R2, and Wasabi. The metrics include throughput, latency, and consistency across upload and download operations. The EU-Central results are particularly relevant for UK and European organisations subject to data residency requirements. Post-Brexit data governance means that where object storage physically sits has legal implications, not just performance ones. A provider that performs well on latency benchmarks but stores data in an ambiguous geographic location creates compliance risk regardless of its speed. Cloudflare R2 has attracted attention for its egress-free pricing model, which eliminates the data transfer fees that make AWS S3 expensive at scale. Wasabi similarly targets cost-sensitive workloads. AWS S3 remains the default choice for organisations already embedded in the AWS ecosystem. Backblaze B2 positions itself as a price-performance alternative, particularly for backup and media workloads. What none of these benchmarks measure: what happens when an attacker targets the data those systems hold.
Why Performance Data Misses the Security Question
Cloud object storage is a primary target for data theft. Misconfigured S3 buckets have exposed hundreds of millions of records over the past decade. The pattern is consistent: organisations prioritise performance and cost during procurement, then discover that security was an afterthought. The risks fall into three categories that performance benchmarks do not address. First, misconfiguration. Object storage buckets are frequently left publicly accessible through incorrect permission settings. According to research published by IBM in its 2024 Cost of a Data Breach Report, misconfiguration and human error accounted for 13% of data breaches that year — and cloud misconfiguration specifically remains one of the most common root causes of large-scale data exposure. Second, credential compromise. Attackers who obtain valid API keys or IAM credentials gain the same access as a legitimate user. No amount of throughput optimisation prevents an attacker from downloading your backup archives if they hold the right credentials. Third, data exfiltration during a wider attack. Ransomware operators no longer simply encrypt files — they extract data first, then threaten to publish it unless payment is made. Cloud storage buckets connected to compromised endpoints become exfiltration staging grounds. The benchmark question of 'how fast can I upload?' becomes the attacker's question too.
- Misconfigured cloud storage permissions remain one of the most common causes of large-scale data exposure
- Compromised API keys or IAM credentials give attackers legitimate-looking access to stored data
- Modern ransomware groups exfiltrate data to cloud destinations before deploying encryption payloads
- Performance and pricing benchmarks contain no data on access controls, audit logging, or breach detection
What Cloud Storage Choice Actually Means for Your Risk Posture
The provider you choose affects your security posture in ways that go beyond configuration settings. Each platform in the Backblaze benchmark carries a different set of security controls, compliance certifications, and incident response capabilities. AWS S3 offers the most mature security tooling of the four — IAM policies, bucket policies, S3 Object Lock, Macie for sensitive data discovery, and CloudTrail for audit logging. The depth of that tooling also means more configuration surface area and more ways to get it wrong. Cloudflare R2 inherits Cloudflare's network security posture and operates without egress fees, which removes a financial disincentive to pulling large datasets out of the platform. From a security standpoint, that cuts both ways: it reduces lock-in, but it also means data movement is cheaper, including for an attacker. Wasabi provides S3-compatible storage with a simpler pricing model. Its security feature set is narrower than AWS, which may suit smaller workloads but requires organisations to compensate with controls at the application or network layer. Backblaze B2 is widely used for backup workloads, including by managed service providers. Backup data frequently contains sensitive material — database exports, email archives, configuration files — that organisations treat as lower priority for access control. Backup storage that is fast to write to and cheap to store in becomes attractive to attackers for exactly the same reasons it is attractive to legitimate users. The choice between providers affects risk, but it does not eliminate it. The controls you apply around whichever provider you select determine whether a compromise becomes a contained incident or a reportable breach.
The Supply Chain Dimension That Benchmarks Ignore
Cloud storage providers are third-party vendors. That sounds obvious, but it has implications that procurement teams consistently underweight. When your backup data sits in Backblaze B2, or your application assets sit in Cloudflare R2, the security of that data depends not only on your own configuration but on the provider's infrastructure, personnel, and incident response capabilities. Third-party risk assessment for cloud storage providers typically amounts to checking whether they hold ISO 27001 certification and reading a shared responsibility model document. Neither exercise tells you much about the actual security posture of the organisation you are trusting with your data. This is where supply chain risk management becomes relevant to a conversation that started with throughput benchmarks. Understanding a vendor's security posture — their patch cadence, their exposure to known vulnerabilities, their history of incidents — requires continuous assessment, not a point-in-time audit. For organisations managing multiple cloud storage relationships, that assessment needs to cover each provider independently. A performance comparison is a starting point for procurement. It is not a substitute for ongoing third-party risk management. Kyanite Blue's Panorays platform provides continuous, automated assessment of third-party security posture, including cloud infrastructure providers. Rather than relying on vendor-supplied questionnaires, Panorays analyses external-facing signals to produce an ongoing risk score for each supplier relationship. More information is available at /products/panorays.
The Data Exfiltration Risk Your Storage Choice Cannot Solve Alone
Whichever provider scores highest in the next Backblaze quarterly report, none of them stops data exfiltration at the endpoint. By the time sensitive data reaches a cloud storage bucket under attacker control, the breach has already occurred. Modern ransomware groups — including operators of LockBit, BlackCat/ALPHV, and Cl0p variants — follow a consistent playbook: establish access, identify valuable data, exfiltrate it to attacker-controlled infrastructure (which may include compromised cloud storage accounts), then deploy ransomware. The extortion leverage comes from the exfiltration, not the encryption. Stopping this requires intervention before data leaves the endpoint or network perimeter. That means monitoring for anomalous data movement patterns, blocking connections to unauthorised cloud destinations, and detecting exfiltration behaviour in real time. BlackFog's anti-data exfiltration (ADX) technology operates at exactly this layer. It monitors outbound data flows, identifies connections to known malicious or unauthorised destinations, and blocks exfiltration attempts before data reaches attacker-controlled storage. This applies whether the attacker is attempting to move data to their own cloud bucket, a compromised third-party account, or a dedicated exfiltration server. For organisations where backup and archive data is stored in cloud object storage, BlackFog adds a control layer that the storage provider itself cannot supply. Full details are at /products/blackfog.
How to Protect Your Business
Cloud storage benchmarks are a useful input to infrastructure decisions. They tell you which provider delivers the throughput and latency your workloads need, and at what cost. What they cannot tell you is whether your data is secure once it sits there — or whether you would detect an attacker accessing it. For organisations managing cloud storage across AWS S3, Backblaze B2, Cloudflare R2, or Wasabi, the practical steps are: First, treat your cloud storage providers as third-party vendors and assess them accordingly. If you are not continuously monitoring their security posture, you are relying on their published certifications alone. Panorays (/products/panorays) provides ongoing third-party risk scoring without manual questionnaire cycles. Second, assume that endpoint compromise will precede cloud storage compromise in any serious attack. An attacker who controls an endpoint connected to your cloud storage environment can enumerate buckets, extract credentials, and begin exfiltration without triggering alerts at the storage layer. BlackFog (/products/blackfog) stops that movement at the point of exfiltration. Third, map your attack surface — including cloud storage integrations, API keys, and connected applications. Exposed credentials or misconfigured storage endpoints are frequently discovered by attackers before they are discovered by the organisations that own them. Hadrian's continuous attack surface management (/products/hadrian) identifies exactly these exposures before they are exploited. If you want to understand your current data exfiltration risk in the context of your cloud infrastructure, you can check your exposure in under two minutes at /data-exfiltration-risk. If you would prefer to speak directly with the Kyanite Blue team about your cloud security posture, contact us at /contact.
Frequently Asked Questions
Which cloud storage provider is most secure: AWS S3, Backblaze B2, Cloudflare R2, or Wasabi?
AWS S3 offers the most extensive native security tooling, including IAM policies, S3 Object Lock, and CloudTrail audit logging. However, security posture depends more on configuration and surrounding controls than on provider choice alone. All four platforms require careful access management, and none prevents data exfiltration at the endpoint layer.
How do ransomware groups use cloud storage in data exfiltration attacks?
Ransomware operators typically exfiltrate data before deploying encryption. They move stolen data to attacker-controlled cloud storage buckets or compromised accounts, then use that data as extortion leverage. Stopping this requires monitoring outbound data flows at the endpoint and network layer — controls that cloud storage providers themselves do not supply.
What is the Backblaze Q1 2026 cloud storage benchmark and what does it cover?
Backblaze's Q1 2026 Performance Stats report benchmarks Backblaze B2, AWS S3, Cloudflare R2, and Wasabi Object Storage across US-East and EU-Central regions, measuring throughput, latency, and consistency. Unusually, it includes results where Backblaze's own rate limits degraded performance. Full methodology is published alongside the results.