By Victor Chin, Research Analyst, CSA
On August 6th, 2019, the CSA Top Threats working group released the third iteration of the Top Threats to Cloud Computing report. This is the first blog post in the series where we analyze the security issues in the new iteration of the Top Threats to Cloud Computing report. Each blog post features a security issue that is being perceived as less relevant and one that is being perceived as more relevant.
**Please note that the Top Threats to Cloud Computing reports are not meant to be the definitive list of security issues in the cloud. Rather, the studies are a measure of industry perception of key security issues.
The following security issues from the previous iteration (“The Treacherous Twelve”) appeared again in the latest report.
- Data Breaches
- Account Hijacking
- Insider Threats
- Insecure Interfaces and APIs
- Abuse and Nefarious Use of Cloud Services
At the same time, five new security issues below made their debuts.
- Misconfiguration and Insufficient Change Control
- Lack of Cloud Security Architecture and Strategy
- Weak Control Plane
- Metastructure and Applistructure Failures
- Limited Cloud Usage Visibility made their debuts.
The Overarching Trends
Throughout the three iterations of the report, one particular trend has been increasingly more prominent. Traditional cloud security issues stemming from concerns about having a third-party provider are being perceived as less relevant. Some examples of such issues are Data Loss, Denial of Service, and Insufficient Due Diligence. While more nuanced issues pertaining specifically to cloud environments are increasingly being perceived as more problematic. These include Lack of Cloud Security Architecture and Strategy, Weak Control Plane and Metastructure and Applistructure Failures.
Most and Least Relevant Security Issues
Over the next few weeks, we will examine and try to account for the trend mentioned earlier. Each blog post will feature a security issue that is being perceived as less relevant and one that is being perceived as more relevant. In the first post, we will take a closer look at Insufficient Due Diligence and Lack of Cloud Security Architecture and Strategy.
(In)sufficient Due Diligence
Insufficient Due Diligence was rated 8th and 9th in the first and second iteration of the Top Threats to Cloud Computing report, respectively. In the current report, it has completely dropped off. Insufficient Due Diligence refers to prospective cloud customers conducting cloud service provider (CSP) evaluations to ensure that the CSPs meets the various business and regulatory requirements. Such concerns were especially pertinent during the early years of cloud computing, where there were not many resources available to help cloud customers make that evaluation.
Frameworks to Improve Cloud Procurement
Since then, many frameworks and projects have been developed to make cloud procurement a smooth journey. The Cloud Security Alliance (CSA), for example, has several tools to help enterprises on their journey of cloud procurement and migration.
- The Consensus Assessment Initiative Questionnaire (CAIQ) is a set of questions tailored to helped cloud customers evaluate the security posture of prospective cloud providers. It is based on CSA’s Cloud Controls Matrix (CCM), which is a cloud security controls framework.
- The CAIQ and CCM are further supported by the Security, Trust and Assurance Registry (STAR) program, which is a multi-level assurance framework. The STAR program makes CSP information such as completed CAIQs (Level 1) and third-party audit certifications (Level 2) publicly accessible.
Around the world, we see many similar frameworks and guidances being developed. For example:
- The Federal Risk and Authorization Management Program (FedRAMP) in the US
- Multi-Tier Cloud Security (MTCS) Certification Scheme in Singapore
- The European Security Certification Framework (EU-SEC) in the European Union.
With so many governance, risk and compliance support programs being developed globally, it is understandable that Insufficient Due Diligence has fallen off the Top Threats to Cloud Computing list.
Examining Lack of Cloud Security Architecture and Strategy
Lack of Cloud Security Architecture and Strategy was rated third in The Egregious Elven. Large organizations migrating their information technology stack to the cloud without considering the nuances of IT operations in the cloud environment are creating a significant amount of business risk for themselves. Such organizations fail to plan for the shortcomings that they will experience operating their IT stack in the cloud. Moving workloads to the cloud will result in organizations having less visibility and control over their data and the underlying cloud infrastructure. Coupled with the self-provisioning and on-demand nature of cloud resources, it becomes very easy to scale up cloud resources – sometimes, in an insecure manner. For example, in 2019, Accenture left at least 4 cloud storage buckets unsecured and publicly downloadable. In highly complex and scalable cloud environments without proper cloud security architecture and processes, such misconfigurations can occur easily. For cloud migration and operations to go smoothly, such shortcomings must be accounted for. Organizations can engage a Cloud Security Access Broker (CASB) or use cloud-aware technology to provide some visibility into the cloud infrastructure. Being able to monitor your cloud environment for misconfigurations or exposures will be extremely critical when operating in the cloud.
On a different note, the fact that a Lack of Cloud Security Architecture and Strategy is high up in the Top Threats to Cloud Computing is evidence that organizations are actively migrating to the cloud. These nuanced cloud security issues only crop up post-migration and will be the next tranche of problems for which solutions must be found.
Continue reading the series…
Read our next blog post analyzing the overarching trend of cloud security issues highlighted in the Top Threats to Cloud Computing: Egregious 11 report. Next time we will take a look at Shared Technology Vulnerabilities and Limited Cloud Usage Visibility.