All the major promises of the cloud — improved IT efficiency, flexibility and scalability — come with one major challenge: security.
Many organizations can’t delineate where cloud service provider (CSP) responsibilities end and their own responsibilities begin, opening them to numerous vulnerabilities. The increased expansiveness of the cloud also increases an organization’s potential attack surface. To further complicate the matter, traditional security controls often don’t fulfill cloud security needs.
To help companies understand the cloud challenges they’re up against, the Cloud Security Alliance (CSA) went directly to the professionals. A working group of practitioners, architects, developers and C-level staff identified a list of about 25 security threats, which were then analyzed by security professionals who ranked them and narrowed them down further to the 11 most common cloud security challenges.
CCM is a supporting file of CSA Security Guidance, a fourth-generation document outlining various cloud domains and their key goals and objectives.
CCM offers detailed lists of requirements and controls, categorized by control area and control ID, each mapped to its control specifications; architecture relevance; cloud delivery model(s), i.e, SaaS, PaaS and IaaS; and standards and frameworks, such as PCI DSS, NIST and FedRAMP.
A responsibility of both CSPs and their customers, data breaches remained the top cloud security threat yet again this year in CSA’s report. A number of data breaches have been attributed to the cloud over the past years, one of the most notable being Capital One’s cloud misconfigurations. A data breach can bring a company to its knees, causing irreversible damage to its reputation, financial woes due to regulatory implications, legal liabilities, incident response costs and decreased market value.
CSA recommended the following:
CSA Cloud Controls Matrix (CCM) include the following:
When assets are set up incorrectly, they are vulnerable to attack. For example, the Capital One breach was traced back to a web application firewall misconfiguration that exposed Amazon S3 buckets. In addition to insecure storage, excessive permissions and the use of default credentials are two other major sources of vulnerabilities. Related to this, ineffective change control can cause cloud misconfigurations. In on-demand, real-time cloud environments, change control should be automated to support rapid change. A responsibility of the customer, misconfigurations and change control are new to the cloud security threat list.
CSA recommended the following:
CCM specifications include the following:
Too many organizations jump into the cloud without the proper architecture and strategy in place. Prior to making the leap to the cloud, customers must understand the threats they are exposed to, how to migrate to the cloud securely — note, it’s not a lift-and-shift process — and the ins and outs of the shared responsibility model. This threat is new to the list and is a responsibility of the customer. Without proper planning, customers will be vulnerable to cyber attacks that can result in financial losses, reputational damage, and legal and compliance issues.
CSA recommended the following:
CCM specifications include the following:
A majority of cloud security threats — and cybersecurity threats in general — can be linked to identity and access management (IAM) issues.
According to CSA guidance, this stems from the following:
New to the top cloud security challenges list, standard IAM challenges are exacerbated by cloud use. Conducting inventory, tracking, monitoring and managing the sheer number of cloud accounts needed is compounded by provisioning and deprovisioning issues, zombie accounts, excessive admin accounts and users bypassing IAM controls, as well as challenges with defining roles and privileges.
As a customer responsibility, CSA recommended the following:
CCM specifications include the following:
Cloud account hijacking is the disclosure, accidental leakage, exposure or other compromise of a cloud account that is critical to the operation, administration or maintenance of a cloud environment. These highly privileged and sensitive accounts, if breached, can cause massive consequences. From phishing and credential stuffing to weak or stolen credentials to improper coding, account compromise can lead to data breaches and service disruptions.
A responsibility of CSPs and customers, CSA recommended the following:
CCM specifications include the following:
The risks associated with employees and others working within an organization’s network are not limited to the cloud. Whether negligent or intentional, insiders — including current and former employees, contractors and partners — can cause data loss, system downtime, reduced customer confidence and data breaches. A responsibility of the customer, insider threats involving leaked or stolen data, credential issues, human errors and cloud misconfigurations must be addressed.
CSA recommended the following:
CCM specifications include the following:
CSP UIs and APIs through which customers interact with cloud services are some of the most exposed components of a cloud environment. The security of any cloud service starts with how well these are safeguarded and is the responsibility of both customers and CSPs. CSPs must ensure security is integrated, and customers must be diligent in managing, monitoring and securely using what CSA calls the “front door” of the cloud. This threat dropped from the third most important in the last report but is still important to address.
CSA recommended the following:
CCM specifications include the following:
A responsibility of the customer and new to the list this year, the cloud control plane is the collection of cloud administrative consoles and interfaces used by an organization. It also includes data duplication, migration and storage, according to CSA. Improperly secured, a breached control plane could cause data loss, regulatory fines and other consequences, as well as a tarnished brand reputation that could lead to revenue loss.
CSA recommended the following:
CCM specifications include the following:
The metastructure, defined by CSA, is “the protocols and mechanisms that provide the interface between the infrastructure layer and other layers” — in other words, “the glue that ties the technologies and enables management and configuration.” Also known as the waterline, the metastructure is the line of demarcation between CSPs and customers. Many security threats exist here — for example, CSA cited poor API implementation by CSPs or improper cloud app use by customers. Such security challenges could lead to service disruption and misconfigurations with financial and data loss consequences. The applistructure is defined as “the applications deployed in the cloud and the underlying application services used to build them — for example, PaaS features like message queues, AI analysis or notification services.”
A new threat this report, it is a customer and CSP responsibility. CSA recommended the following:
CCM specifications include the following:
Cloud visibility has long been a concern of enterprise admins, but it is new to the CSA cloud security challenges list this report.
Limited visibility results in two key challenges, according to CSA:
New to the list this year, it is a responsibility of CSPs and customers. CSA recommended the following:
CCM specifications include the following:
Just as the cloud can be used for good, it can also be used maliciously by threat actors. Nefarious use of legitimate SaaS, PaaS and IaaS offerings affects individuals, cloud customers and CSPs alike. Disguised as coming from a CSP, customers are especially vulnerable to the misuse of cloud services via the following:
Compromised and abused cloud services can lead to incurred expenses — for example, loss in cryptocurrency or payments made by the attacker; the customer unknowingly hosting malware; data loss; and more.
CSA recommended CSPs be diligent in detecting and mitigating such attacks with an incident response framework. CSPs should also offer tools and controls their customers can use to monitor cloud workloads and applications.
A customer and CSP responsibility, CSA recommended the following:
CCM specifications include the following:
Cookie | Duration | Description |
---|---|---|
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |