'Egregious Eleven' report cites the top security threats to cloud computing
The Cloud Security Alliance has announced the release of its Top Threats to Cloud Computing: The Egregious Eleven, identifying the greatest threats to cloud-based computing efforts.
The new report re-examines the risks inherent with cloud security and takes a new approach, examining the problems inherent in configuration and authentication, rather than the traditional focus on vulnerabilities and malware, the CSA noted. The alliance is the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment.
This year’s report differs from past studies, most noticeably in that many traditional cloud security issues that fall to cloud service providers (CSPs) have dropped off the list, the alliance noted. These include denial of service, shared technology vulnerabilities, CSP data loss and system vulnerabilities, etc. — which were all featured in the previous Treacherous 12.
This suggests that traditional security issues are either being well addressed or are no longer perceived as a significant business risk of cloud adoption, while those that are the result of senior management decisions around cloud strategy and implementation are of increasing concern, the alliance said.
The latest report provides controls recommendations and reference examples meant to be of use to compliance, risk and technology staff.
Following are the Egregious Eleven, ranked in order of significance:
Misconfiguration and inadequate change control
Lack of cloud security architecture and strategy
Insufficient identity, credential, access and key management
Insecure interfaces and APIs
Weak control plane
Metastructure and applistructure failures
Limited cloud usage visibility
Abuse and nefarious use of cloud services
“New, top-ranking items in the survey are more nuanced, and suggest a maturation of security professionals’ understanding of the cloud, and the emerging issues that are harder to address as infrastructure becomes more secure and attackers more sophisticated,” said Jon-Michael C. Brook, co-chair of the Top Threats Working Group and a principal contributor to the study.
“The new issues highlighted in this version of the report are inherently specific to the cloud and suggest a technology landscape where security professionals are actively considering cloud migration,” Brook said. “We hope this Top Threats report raises organizational awareness of the top security issues that require more industry attention and research, ensuring that they are taken into consideration when budgeting for cloud migration and security.”
One of the most important findings of the new report is to confirm the security risks that are prevalent with cloud-based computing.
“The complexity of cloud can be the perfect place for attackers to hide, offering concealment as a launch pad for further harm,” said John Yeoh, global vice president of research for CSA. “Unawareness of the threats, risks and vulnerabilities makes it more challenging to protect organizations from data loss. The security issues outlined in this iteration of the Top Threats report, therefore, are a call to action for developing and enhancing cloud security awareness, configuration and identity management.”