CSA research shows traditional platform-based security issues wane, but management, strategy blunders on the rise
First, the good news: The Cloud Security Alliance says threats connected to cloud service providers like DoS attacks and platform-centric vulnerabilities and data loss are on the decline. The shift toward more dependable defenses on the part of CSPs led the CSA to revise their annual list of cloud computing threats from the Treacherous Twelve to the Egregious Eleven.
Now, the bad news: The remaining 11 are still pretty bad, and senior managers in user organizations are probably to blame for most of them.
The Lowdown: The CSA’s Top Threats to Cloud Computing list, released today, focuses almost entirely on problems inherent in configuration and authentication, a change from previous years, when more traditional vulnerabilities and malware were featured.
The change reflects the new reality in cloud services, where traditional security issues are generally well managed by the major cloud providers, such as Amazon, Microsoft, and Google, and are no longer perceived as a significant business risk for most organizations when contemplating cloud adoption.
The Details: So what’s on the list? A whole lot of questionable senior management decisions around cloud strategy and implementation.
The CSA’s Egregious Eleven are ranked here in order of significance:
1. Data breaches
2. Misconfiguration and inadequate change control
3. Lack of cloud security architecture and strategy
4. Insufficient identity, credential, access, and key management
5. Account hijacking
6. Insider threats
7. Insecure interfaces and APIs
8. Weak control plane
9. “Metastructure” and “applistructure” failures
10. Limited cloud usage visibility
11. Abuse and nefarious use of cloud services
Lest you think the CSA research is all about snark and finger pointing, the report also includes controls recommendations and reference examples meant to be of use to compliance, risk, and technology staff. Read the full report here.
The Buzz: “New, top-ranking items in the survey are more nuanced and suggest a maturation of security professionals’ understanding of the cloud, and the emerging issues that are harder to address as infrastructure becomes more secure and attackers more sophisticated,” said Jon-Michael C. Brook, co-chair of the CSA’s Top Threats Working Group. “The new issues highlighted in this version of the report are inherently specific to the cloud and suggest a technology landscape where security professionals are actively considering cloud migration. We hope this Top Threats report raises organizational awareness of the top security issues that require more industry attention and research, ensuring that they are taken into consideration when budgeting for cloud migration and security,”
“The complexity of cloud can be the perfect place for attackers to hide, offering concealment as a launchpad for further harm. Unawareness of the threats, risks, and vulnerabilities makes it more challenging to protect organizations from data loss,” said John Yeoh, global vice president of research at the CSA. “The security issues outlined in this iteration of the Top Threats report, therefore, are a call to action for developing and enhancing cloud security awareness, configuration, and identity management.”