Periodically the Cloud Security Alliance publishes a report of the top threats to cloud computing. These reports hope to increase the awareness of risks to cloud computing. What’s interesting this year is that certain threats, including denial of service, shared technology vulnerabilities, and cloud service provider data loss and system vulnerabilities were ranked so low in a survey that they didn’t make the new report. They were all included in the Cloud Security Alliances previous report, the Treacherous 12.
In its latest report, Top Threats to Cloud Computing: Egregious Eleven, the report authors believe that some traditional cloud security issues, when they are the responsibility of the cloud services provider, are less of a concern. So a small survey of experts identified by the Cloud Security Alliance. The report is based on a survey of 241 industry experts.
The report ranked, in order of significance per survey results with applicable previous rankings, the following as the biggest risks:
Data Breaches — the inadvertent exposure of protected data
Misconfiguration and Inadequate Change Control — poor configuration and change management controls
Lack of Cloud Security Architecture and Strategy — design and implementation of a resilient security architecture
Insufficient Identity, Credential, Access and Key Management — poor identity management controls
Account Hijacking — attackers gaining control of protected accounts
Insider Threat — trusted, authorized users taking intentional, or unintentional, actions that harm an organization
Insecure Interfaces and APIs — in cloud systems, the user interface and application preprograming interface are the most exposed aspects of services.
Weak Control Plane — Weak technological controls regarding data duplication, migration, and storage
Metastructure and Applistructure Failures — Poor implementation of APIs and related management information about the system dampens visibility for enterprises into their systems
Limited Cloud Usage Visibility — consumers of cloud services generally have a challenging time seeing whether system use is approved or sanctioned
Abuse and Nefarious Use of Cloud Services — The use of cloud services to launch attacks
There’s not a lot of surprises here, aside from data breach being a category of its own. “A data breach is a cybersecurity incident where sensitive, protected or confidential information is released, viewed, stolen or used by an unauthorized individual. A data breach may be the primary objective of a targeted attack or merely the result of human error, application vulnerabilities or inadequate security practices,” the report authors defined data breach.
It’s obvious that data breaches are a security concern, as data breach is the result of a break in security controls and the unwanted outcome, along with the loss of availability of data and loss of data integrity.
The remaining 10 are an interesting mix of threats and security control risks. The concern about cloud misconfiguration and inadequate change control ranking so high isn’t a surprise, following years of misconfigured cloud storage buckets leading to breached data.
The report puts a fine point on where cloud security has been heading, because of the complexity of cloud in modern environments, the increased reliance on APIs, and the importance of being able to see who can access what has made cloud visibility quite limited.
While malware and software vulnerabilities will remain leading cybersecurity challenges for the foreseeable future, when it comes to cloud security, specifically, this report indicates they’ve taken a backseat to challenges inherent with native cloud security providers and enterprise security management challenges. “This new outlook focuses on configuration and authentication, and shifts away from the traditional focus on information security (e.g., vulnerabilities and malware). Regardless, these security issues are a call to action for developing and enhancing cloud security awareness, configuration, and identity management,” the report states.
It certainly does, but it also means those cloud services providers that continue to enhance security visibility, especially when it comes to data, APIs, and identity, will win in the marketplace.