All the major promises of the cloud -- improved IT efficiency, flexibility and scalability -- come with one major challenge: security. Show
Many organizations can't delineate where cloud service provider (CSP) responsibilities end and their own responsibilities begin, opening them to numerous vulnerabilities. The increased expansiveness of the cloud also increases an organization's potential attack surface. To further complicate the matter, traditional security controls often don't fulfill cloud security needs. To help companies understand the cloud challenges they're up against, the Cloud Security Alliance (CSA) went directly to the professionals. A working group of practitioners, architects, developers and C-level staff identified a list of about 25 security threats, which were then analyzed by security professionals who ranked them and narrowed them down further to the 11 most common cloud security challenges:
From there, CSA published its biennial report, "Top Threats to Cloud Computing: The Egregious 11," detailing the threats and whose responsibility they were -- either customer, CSP or both -- and offering steps to help organizations stay protected. Now in its fifth iteration, the latest CSA report revealed some drastic changes. Notably, six of the 11 top threats were new to the list. In addition, none of the threats was the sole responsibility of the CSP; rather each is a responsibility of the customer or of both the CSP and customer together. "We noticed the most popular trends are now things [organizations] have a little bit more control over as a customer," said John Yeoh, global vice president of research at CSA. He attributed the changes to two things: Either companies have a lot more trust in CSPs to do their jobs, or organizations like having control and want to have a better understanding of what they can do in the cloud and how they can use the cloud to meet their specific security requirements. A far as what made this year's list, here are the top 11 threats -- listed in order of severity, according to survey respondents -- along with mitigations for each. 1. Data breachesA responsibility of both CSPs and their customers, data breaches remained the top cloud security threat yet again this year in CSA's report. A number of data breaches have been attributed to the cloud over the past years, one of the most notable being Capital One's cloud misconfigurations. A data breach can bring a company to its knees, causing irreversible damage to its reputation, financial woes due to regulatory implications, legal liabilities, incident response costs and decreased market value. CSA recommended the following:
CSA Cloud Controls Matrix (CCM) specifications (see "CSA Cloud Controls Matrix" sidebar for more info) include the following:
2. Misconfigurations and inadequate change controlWhen assets are set up incorrectly, they are vulnerable to attack. For example, the Capital One breach was traced back to a web application firewall misconfiguration that exposed Amazon S3 buckets. In addition to insecure storage, excessive permissions and the use of default credentials are two other major sources of vulnerabilities. Related to this, ineffective change control can cause cloud misconfigurations. In on-demand, real-time cloud environments, change control should be automated to support rapid change. A responsibility of the customer, misconfigurations and change control are new to the cloud security threat list. CSA recommended the following:
CCM specifications include the following:
3. Lack of cloud security architecture and strategyToo many organizations jump into the cloud without the proper architecture and strategy in place. Prior to making the leap to the cloud, customers must understand the threats they are exposed to, how to migrate to the cloud securely -- note, it's not a lift-and-shift process -- and the ins and outs of the shared responsibility model. This threat is new to the list and is a responsibility of the customer. Without proper planning, customers will be vulnerable to cyber attacks that can result in financial losses, reputational damage, and legal and compliance issues. CSA recommended the following:
CCM specifications include the following:
4. Insufficient identity, credential, access and key managementA majority of cloud security threats -- and cybersecurity threats in general -- can be linked to identity and access management (IAM) issues. According to CSA guidance, this stems from the following:
New to the top cloud security challenges list, standard IAM challenges are exacerbated by cloud use. Conducting inventory, tracking, monitoring and managing the sheer number of cloud accounts needed is compounded by provisioning and deprovisioning issues, zombie accounts, excessive admin accounts and users bypassing IAM controls, as well as challenges with defining roles and privileges. As a customer responsibility, CSA recommended the following: CCM specifications include the following:
5. Account hijackingCloud account hijacking is the disclosure, accidental leakage, exposure or other compromise of a cloud account that is critical to the operation, administration or maintenance of a cloud environment. These highly privileged and sensitive accounts, if breached, can cause massive consequences. From phishing and credential stuffing to weak or stolen credentials to improper coding, account compromise can lead to data breaches and service disruptions. A responsibility of CSPs and customers, CSA recommended the following:
CCM specifications include the following:
6. Insider threatsThe risks associated with employees and others working within an organization's network are not limited to the cloud. Whether negligent or intentional, insiders -- including current and former employees, contractors and partners -- can cause data loss, system downtime, reduced customer confidence and data breaches. A responsibility of the customer, insider threats involving leaked or stolen data, credential issues, human errors and cloud misconfigurations must be addressed. CSA recommended the following:
CCM specifications include the following: 7. Insecure interfaces and APIsCSP UIs and APIs through which customers interact with cloud services are some of the most exposed components of a cloud environment. The security of any cloud service starts with how well these are safeguarded and is the responsibility of both customers and CSPs. CSPs must ensure security is integrated, and customers must be diligent in managing, monitoring and securely using what CSA calls the "front door" of the cloud. This threat dropped from the third most important in the last report but is still important to address. CSA recommended the following:
CCM specifications include the following:
8. Weak control planeA responsibility of the customer and new to the list this year, the cloud control plane is the collection of cloud administrative consoles and interfaces used by an organization. It also includes data duplication, migration and storage, according to CSA. Improperly secured, a breached control plane could cause data loss, regulatory fines and other consequences, as well as a tarnished brand reputation that could lead to revenue loss. CSA recommended the following:
CCM specifications include the following:
9. Metastructure and applistructure failuresThe metastructure, defined by CSA, is "the protocols and mechanisms that provide the interface between the infrastructure layer and other layers" -- in other words, "the glue that ties the technologies and enables management and configuration." Also known as the waterline, the metastructure is the line of demarcation between CSPs and customers. Many security threats exist here -- for example, CSA cited poor API implementation by CSPs or improper cloud app use by customers. Such security challenges could lead to service disruption and misconfigurations with financial and data loss consequences. The applistructure is defined as "the applications deployed in the cloud and the underlying application services used to build them -- for example, PaaS features like message queues, AI analysis or notification services." A new threat this report, it is a customer and CSP responsibility. CSA recommended the following:
CCM specifications include the following:
10. Limited cloud usage visibilityCloud visibility has long been a concern of enterprise admins, but it is new to the CSA cloud security challenges list this report. Limited visibility results in two key challenges, according to CSA:
This limited visibility, CSA said, leads to lack of governance, awareness and security -- all of which can result in cyber attacks, data loss and breaches. New to the list this year, it is a responsibility of CSPs and customers. CSA recommended the following:
CCM specifications include the following: 11. Abuse and nefarious use of cloud servicesJust as the cloud can be used for good, it can also be used maliciously by threat actors. Nefarious use of legitimate SaaS, PaaS and IaaS offerings affects individuals, cloud customers and CSPs alike. Disguised as coming from a CSP, customers are especially vulnerable to the misuse of cloud services via the following:
Compromised and abused cloud services can lead to incurred expenses -- for example, loss in cryptocurrency or payments made by the attacker; the customer unknowingly hosting malware; data loss; and more. CSA recommended CSPs be diligent in detecting and mitigating such attacks with an incident response framework. CSPs should also offer tools and controls their customers can use to monitor cloud workloads and applications. A customer and CSP responsibility, CSA recommended the following:
CCM specifications include the following:
|