Cloud Providers Improving Security, But Users Need to Up Their Game

A new report from the Cloud Security Alliance (CSA) on the top threats to cloud computing suggests that service providers are improving their security. Many of today’s threats now stem from organizational management decisions and implementation/configuration weaknesses.

The report suggests that “traditional security issues under the responsibility of the CSP seem to be less of a concern. Instead, we’re seeing more of a need to address security issues that are situated higher up the technology stack that are the result of senior management decisions.”

Several top threats featured in the previous report under the title of ‘Treacherous 12′ (such as denial of service, system vulnerabilities and CSP data loss) now rank so low that they are not included in this years’ ‘Egregious 11’. Threats now refer to areas such as potential control plane weaknesses and poor cloud visibility.

The report is the result of analyzing responses from 241 cloud security experts. In order of significance, the resulting top 11 threats are: data breaches; misconfiguration; lack of security architecture and strategy; poor access control; account hijacking; insiders; insecure APIs; weak control plane; metastructure and applistructure failures; limited visibility; and abuse of cloud services.

Each of the threats is cross-referenced to the CSA’s 16 domain security framework and cloud controls matrix.

“New, top-ranking items in the survey are more nuanced, and suggest a maturation of security professionals’ understanding of the cloud, and the emerging issues that are harder to address as infrastructure becomes more secure and attackers more sophisticated,” says Jon-Michael C. Brook, co-chair of the CSA’s Top Threats Working Group.

Unsurprisingly, a data breach is considered the top threat; but any one or more of the remaining threats could be complicit in leading to a breach.

The second threat, for example (misconfiguration) has frequently led to de facto breaches by leaving unprotected data exposed to anyone who finds it. Examples include the Exactis breach in June 2018 exposing details on 230 million consumers and 110 million businesses; and the exposure of 540 million Facebook records in April 2019.

Causes, says the CSA, are often down to unsecured data storage elements or containers; excessive permissions; default credentials and configuration settings left unchanged; standard security controls disabled; unpatched systems and logging or monitoring disabled, and unrestricted access to ports and services — often caused by a lack of effective change management.

Perhaps the single most common misconfiguration is the fourth threat: insufficient identity, credential, access and key management. This issue goes beyond simply failing to implement the CSP’s basic access control on a stored database, and encompasses a more widespread failure to implement full identity and access management (IAM) controls. “It isn’t that these are necessarily new issues,” says the CSA. “Rather, they are more significant issues when dealing with the cloud because cloud computing profoundly impacts identity, credential, and access management.”

Poor access control may be partly caused by the third threat: a lack of security architecture and strategy. This is frequently an effect of poor understanding in what is entailed in cloud migration. “Data is exposed to different threats when organizations assume that cloud migration is a ‘lift-and-shift’ endeavor of simply porting their existing IT stack and security controls to a cloud environment,” says the CSA. “A lack of understanding of a shared security responsibility model is also another contributing factor.”

The report (PDF) continues to analyze the remaining seven threats, providing examples and linking the discussions to the CSA domains and cloud control matrix. Each one of these threats, or perhaps a combination of several, can lead to the top threat in cloud security — a data breach.

“The complexity of cloud can be the perfect place for attackers to hide, offering concealment as a launchpad for further harm,” warns John Yeoh, global VP of research at the CSA. “Unawareness of the threats, risks and vulnerabilities makes it more challenging to protect organizations from data loss. The security issues outlined in this iteration of the Top Threats report, therefore, are a call to action for developing and enhancing cloud security awareness, configuration and identity management.” 

Related: Accenture Exposed Data via Unprotected Cloud Storage Bucket 

Related: Security Expectations and Mis-Conceptions in Migrating ERP to the Cloud 

Related: Security First in the Cloud Wars 

Related: 3 Public Cloud Security Myths Debunked