A Real-world Deep Dive into the Top Cloud Threats


For years now, the cloud computing alliance has been working to identify the top threats to cloud computing. In 2012 they published a survey that identified the top threats to cloud at the time, and two years ago they published The Treacherous 12 Cloud Computing Top Threats in 2016. That report reflected the consensus among security experts in the CSA community regarding the most significant security issues in the cloud.

This year the organization decided to do something different and conducted a case study analysis of recent real-world breaches.

The report was written by the CSA Top Threats Working Group, which helps organizations make better-educated risk management decisions about cloud adoption. The breaches they identified include:

LinkedIn (The Top Threats: Data Breaches; Insufficient Identity, Credential and Access Management; Account Hijacking; Denial of Service; Shared Technology Vulnerabilities)

MongoDB (The Top Threats: Data Breaches; Insufficient Identity, Credential and Access Management; Insecure Interfaces and APIs; Malicious Insiders; Data Loss) 

Dirty Cow (The Top Threats: Insufficient Identity, Credential and Access Management; System Vulnerabilities) 

Zynga (The Top Threats: Data Breaches; Insufficient Identity, Credential and Access Management; Malicious Insiders) 

Net Traveler (The Top Threats: Data Breaches; Advanced Persistent Threats; Data Loss) 

Yahoo! (The Top Threats: Data Breaches; Data Loss; Insufficient Due Diligence) 

Zepto (The Top Threats: Data Breaches; Data Loss; Abuse and Nefarious Use of Cloud Services) 

DynDNS (The Top Threats: Insufficient Identity, Credential and Access Management; Denial of Service) 

Cloudbleed (The Top Threats: Data Breaches; Shared Technology Vulnerabilities)

The goal of the Top Threats to Cloud Computing: Deep Dive is to provide more technical detail on architecture, compliance, risk and mitigations for each of the cloud computing threats and vulnerabilities identified in the Treacherous 12: Top Threats to Cloud Computing (2016).

The case study approach aims to make clearer how enterprises can better manage cloud risks by drawing on the lessons of the nine examples cited in the report.

Each of the cloud breach examples is presented as both a reference chart and a narrative that details how the breach occurred and how it could be managed successfully. Where there weren't public details, the group made educated assumptions.

The reference chart provides an attack-style synopsis of the actor and the event, spanning from threats and exploited vulnerabilities to relevant security controls and mitigations.

The paper goes on to outline recommended Cloud Controls Matrix (CCM) domains, sorted according to how often controls within each domain are relevant as mitigating controls. Mitigations and controls applicable to the nine case studies cover 13 of the 16 CCM domains.

The CSA developed the CCM to define a set of cloud security controls that help enterprises assess the overall security risks. In total, the CCM is comprised of 133 security controls categorized into the 16 domains essential to securing a cloud computing environment.

"The goal of the technical deep dive provides detail of how everything fits together from a security analysis standpoint," said Jon-Michael C. Brook, co-chair of the Top Threats Working Group, in a news release. This new report provides "actionable information that identify where and how top threats fit in a greater security analysis, while simultaneously providing a clear understanding of how lessons, mitigations and concepts can be applied in real-world scenarios," he said.

"Security professionals recognize that the Treacherous 12 threats provide only a fraction of the whole picture. Other factors, such as actors, risk, vulnerabilities, and impacts, must also be considered," said J.R. Santos, executive vice president/Research at CSA. "To address these missing elements, the Top Threats Working Group decided the next document would provide even greater context that could act as a springboard for architects and engineers conducting their own analysis of security issues in cloud computing and comparisons," he said.

The Top Threats to Cloud Computing: Deep Dive is available here.