Egregious 11 Meta-Analysis Part 3: Weak Control Plane and DoS

By Victor Chin, Research Analyst, CSA

This is the third blog post in the series where we analyze the security issues in the new iteration of the Top Threats to Cloud Computing report. Each blog post features a security issue that is being perceived as less relevant and one that is being perceived as more relevant.

In this report, we found that traditional cloud security issues, like those stemming from concerns about having third-party providers, are being reported as less relevant. While more nuanced issues specific to cloud environments are being reported as more problematic. With this in mind, we will be examining Denial of Service and Weak Control Plane further.

 **Please note that the Top Threats to Cloud Computing reports are not meant to be the definitive list of security issues in the cloud. Rather, the studies are a measure of industry perception of key security issues.

Weak Control Plane

Weak control plane featured at the 8th position in the latest iteration of the Top Threats to Cloud Computing report. A weak cloud control plane refers to when a cloud service does not provide adequate or sufficient security controls to meet the security requirements of the customer. One example of a weak control plane is the lack of two-factor authentication and the ability to enforce its usage. Like the other debuting security issues, a weak control plane is something that a customer might only realize after they have migrated to the cloud. 

A key difference between traditional IT and Cloud

A key difference between traditional IT and cloud service applications that might help explain why weak control planes are becoming a problem in cloud services. In traditional IT environments, customer-controlled applications and their security features were designed with the customer as the main user. The application is hosted on the customer’s infrastructure and configured by the customer. The customer has full visibility and control over the application and is thus also responsible for its security. The main role of the IT provider would be to continually provide patches or updates to the application to ensure that bugs and vulnerabilities are fixed.

The situation for cloud services is different because the cloud service is never fully ‘shipped off’ to the customer. The cloud service will always be hosted by the cloud service provider. Hence, they not only have to design a suite of security controls in the cloud service that is useable by their customers. They also have to consider the security mechanism and features that protect the cloud service and the virtual infrastructure that hosts it. Furthermore, due to the nature of cloud services, customers generally cannot use their security tools or technologies to augment the cloud service (i.e. monitoring underlying virtual infrastructure). Both sets of security controls must meet the security, regulatory and compliance requirements of their various customers. With increasingly more enterprises adopting a ‘cloud-first’ policy, cloud service providers are faced with the situation of satisfying various technical security requirements of their many customers. Hence, it is not surprising that some enterprises might find the current security controls inadequate for their business needs. 

 Fulfilling regulatory and security requirements

To sidestep such issues, prospective customers have to do their due diligence when considering cloud migration. Customers have to ensure that the cloud services they wish to use can fulfill their regulatory and security requirements. Prospective cloud customers can use the Cloud Security Alliance’s Consensus Assessment Initiative Questionnaire (CAIQ)[2] to that end. The CAIQ is aligned with the Cloud Controls Matrix (CCM) and helps document what security controls exist in IaaS, PaaS and SaaS offerings, providing security control transparency. Furthermore, after cloud migration, customers should continue to monitor their regulatory and compliance landscape and communicate any changes to the cloud service providers. Having an open communication channel helps ensure that cloud service providers can make timely changes to the cloud service to align with changing customer security, compliance, and regulatory requirements.

Denial of Service

Denial of Service was rated 8th and then 11th in the last two iterations of the Top Threats report. In the latest Egregious 11 report, Denial of Service has dropped off the list. Denial of Service can take many forms. It can refer to a network attack such as a Distributed Denial of Service (DDoS) attack or system failure caused by a system administrator. 

Denial of Service (like many other security issues that have dropped off the list), is a security concern stemming from the fact that cloud services are a form of third-party in nature. In the early days of cloud computing, it was natural that enterprises were concerned about service availability when considering cloud migration. These enterprises had valid concerns about the cloud service providers’ network bandwidth as well as their compute and storage capacities. However, over the years, cloud service providers have significantly invested in their infrastructure and now have almost unrivaled bandwidth and processing capabilities. At the same time, cloud service providers have built sophisticated DDoS protection for their customers. For example, Amazon Web Services (AWS) has AWS Shield[3], Microsoft Azure as Azure DDoS Protection[4] and Google Cloud Platform (GCP) has Google Cloud Armor[5].

In spite of all the infrastructure investment and the tools available to help customers mitigate DDoS attacks, other forms of denial of service can still happen. These denial of service incidents are often not malicious but rather occur due to mistakes by the cloud service provider. For example, in May 2019, Microsoft Azure and Office 365 experienced a three-hour outage due to a DNS configuration blunder[6]. Unfortunately, no amount of infrastructure investment or tools can prevent such incidents from happening. Customers have to realize that by migrating to the cloud, they are relishing full control of certain aspects of their IT. They have to trust that the cloud service provider has put in place the necessary precautions to reduce, as much as possible, the occurrence of such incidents. 







Egregious 11 Meta-Analysis Part 2: Virtualizing Visibility

By Victor Chin, Research Analyst, CSA

This is the second blog post in the series where we analyze the security issues in the new iteration of the Top Threats to Cloud Computing report. Each blog post features a security issue that is being perceived as less relevant and one that is being perceived as more relevant.

In this report, we found that traditional cloud security issues stemming from concerns about having a third-party provider are being perceived as less relevant. While more nuanced issues specific to cloud environments are being perceived as more problematic. With this in mind, we will be examining Shared Technology Vulnerabilities and Limited Cloud Usage Visibility further.

**Please note that the Top Threats to Cloud Computing reports are not meant to be the definitive list of security issues in the cloud. Rather, the studies measures what industry experts perceive the key security issues to be.

Shared Technology Vulnerabilities

Shared Technology Vulnerabilities generally refers to vulnerabilities in the virtual infrastructure where resources are shared amongst tenants. Over the years, there have been several vulnerabilities of that nature with the most prominent being the VENOM (CVE-2015-3456)[1] vulnerability that was disclosed in 2015. Shared Technology Vulnerabilities used to be high up on the list of problematic issues. For example, in the first two iterations of the report, Shared Technology Vulnerabilities were rated at 9th and 12th. In the latest iteration of the report, it has dropped off entirely and is no longer perceived by as relevant. It had a score of 6.27 (our cutoff was 7 and above) and ranked 16 out of the 20 security issues surveyed.

Virtualization itself is not a new cloud technology, and its benefits are well known. Organizations have been using virtualization technology for many years as it helps to increase organizational IT agility, flexibility, and scalability while generating cost savings. For example, organizations would only have to procure and maintain one physical asset. That physical IT asset is then virtualized so that its resources are shared across the organization. As the organization owns and manages the entire IT stack, it also has visibility and control over the virtualization technology.

In cloud environments, the situation is markedly different. Virtualization technology (like hypervisors) is generally considered underlying technology that is owned and managed by the cloud service provider. Consequently, the cloud customer has limited access or visibility into the virtualization layer.

For example, the figure on the right is an architectural representation of the three cloud service models. Underlying technology in an Infrastructure-as-a-Service (IaaS) service model refers to APIs (blue) and anything else below it. Those components are under the control and management of the CSP. At the same time, anything above the APIs (blue) is under the control and management of the cloud customer. For Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS), underlying technology refers to anything underneath Integration & Middleware and Presentation Modality and Presentation Platform, respectively.

Naturally, in the early days of cloud computing, such vulnerabilities were a significant concern for customers. Not only did they have limited access and visibility into the virtualization layer, but the cloud services were also all multi-tenant systems which contained the data and services of other customers of the CSPs.

Over time, it seems like the industry has grown to trust the cloud service providers when it comes to Shared Technology Vulnerabilities. Cloud adoption is at its highest with many organizations adopting a ‘Cloud First’ policy. However, there is still no industry standard or existing framework that formalizes vulnerability notifications for CSPs, even when a vulnerability is found in the underlying cloud infrastructure. For example, when there is a vulnerability disclosure for a particular hypervisor, (e.g. XEN) an affected CSP does not have to provide any information to its customers. For more information on this issue, please read my other blogpost on cloud vulnerabilities.

That said, it is of note that many recent cloud breaches are the result of misconfigurations by cloud customers. For example, in 2017, Accenture left at least four Amazon S3 buckets set to public and exposed mission-critical infrastructure data. As cloud services developed, the major CSPs have, for the most part, provided sufficient security controls to enable cloud customers to properly configure their environments.

Nevertheless, virtualization technology is a critical component to any cloud service, and vulnerabilities in the virtualization layer can have severe consequences. Cloud customers must remain vigilant when it comes to Shared Technology Vulnerabilities.

Limited Cloud Usage Visibility

In the latest Top Threats to Cloud Computing report, Limited Cloud Usage Visibility made its debut in the 10th position.

Limited Cloud Usage Visibility refers to when organizations experience a significant reduction in visibility over their information technology stack. This is due to two main factors. Firstly, unlike in traditional IT environments, the enterprise does not own or manage the underlying cloud IT infrastructure. Consequently, they are not able to fully implement security controls or monitoring tools with as much depth and autonomy as they did with a traditional IT stack. Instead, cloud customers often have to rely on logs provided to them by the cloud providers. Sometimes, these logs are not as detailed as the customer would like it to be.

Secondly, cloud services are highly accessible. They can generally be accessed from the public internet and do not have to go through a company VPN or gateway. Hence, the effectiveness of some traditional enterprise security tools is reduced. For instance, network traffic monitoring and perimeter firewalls are not as effective as they cannot capture network traffic to cloud services that originate outside the organization. For many organizations, such monitoring capabilities are becoming more critical as they begin to host business-critical data and services in the cloud.

To alleviate the issue, enterprises can start using more cloud-aware technology or services to provide more visibility and control of the cloud environment. However, most of the time, the level of control and granularity cannot match that of a traditional IT environment. This lack of visibility and control is something that enterprises moving to the cloud have to get used to. There will be some level of risk associated to it, and it is a risk that they have to accept or work around. Organizations that are not prepared for this lack of visibility in the cloud might end up not applying the proper mitigations. That or they will find themselves unable to fully realize the cost savings of a cloud migration.

Continue reading the series…

Read our next blog post in this series analyzing the overarching trend of cloud security issues highlighted in the Top Threats to Cloud Computing: Egregious 11 report. We will take a look at Weak Control Plane and Denial of Service.


Egregious 11 Meta-Analysis Part 1: (In)sufficient Due Diligence and Cloud Security Architecture and Strategy  

By Victor Chin, Research Analyst, CSA

On August 6th, 2019, the CSA Top Threats working group released the third iteration of the Top Threats to Cloud Computing report. This is the first blog post in the series where we analyze the security issues in the new iteration of the Top Threats to Cloud Computing report. Each blog post features a security issue that is being perceived as less relevant and one that is being perceived as more relevant.

 **Please note that the Top Threats to Cloud Computing reports are not meant to be the definitive list of security issues in the cloud. Rather, the studies are a measure of industry perception of key security issues.

The following security issues from the previous iteration (“The Treacherous Twelve”) appeared again in the latest report.

  • Data Breaches
  • Account Hijacking
  • Insider Threats
  • Insecure Interfaces and APIs
  • Abuse and Nefarious Use of Cloud Services

At the same time, five new security issues below made their debuts.

  • Misconfiguration and Insufficient Change Control
  • Lack of Cloud Security Architecture and Strategy
  • Weak Control Plane
  • Metastructure and Applistructure Failures
  • Limited Cloud Usage Visibility made their debuts.

The Overarching Trends

Throughout the three iterations of the report, one particular trend has been increasingly more prominent. Traditional cloud security issues stemming from concerns about having a third-party provider are being perceived as less relevant. Some examples of such issues are Data Loss, Denial of Service, and Insufficient Due Diligence. While more nuanced issues pertaining specifically to cloud environments are increasingly being perceived as more problematic. These include Lack of Cloud Security Architecture and Strategy, Weak Control Plane and Metastructure and Applistructure Failures.

Most and Least Relevant Security Issues

Over the next few weeks, we will examine and try to account for the trend mentioned earlier. Each blog post will feature a security issue that is being perceived as less relevant and one that is being perceived as more relevant. In the first post, we will take a closer look at Insufficient Due Diligence and Lack of Cloud Security Architecture and Strategy.

(In)sufficient Due Diligence

Insufficient Due Diligence was rated 8th and 9th in the first and second iteration of the Top Threats to Cloud Computing report, respectively. In the current report, it has completely dropped off. Insufficient Due Diligence refers to prospective cloud customers conducting cloud service provider (CSP) evaluations to ensure that the CSPs meets the various business and regulatory requirements. Such concerns were especially pertinent during the early years of cloud computing, where there were not many resources available to help cloud customers make that evaluation.

 Frameworks to Improve Cloud Procurement

Since then, many frameworks and projects have been developed to make cloud procurement a smooth journey. The Cloud Security Alliance (CSA), for example, has several tools to help enterprises on their journey of cloud procurement and migration.

  • The CAIQ and CCM are further supported by the Security, Trust and Assurance Registry (STAR) program, which is a multi-level assurance framework. The STAR program makes CSP information such as completed CAIQs (Level 1) and third-party audit certifications (Level 2) publicly accessible.

Around the world, we see many similar frameworks and guidances being developed. For example:

  • The Federal Risk and Authorization Management Program (FedRAMP) in the US
  • Multi-Tier Cloud Security (MTCS) Certification Scheme in Singapore
  • The European Security Certification Framework (EU-SEC) in the European Union.

With so many governance, risk and compliance support programs being developed globally, it is understandable that Insufficient Due Diligence has fallen off the Top Threats to Cloud Computing list.

Examining Lack of Cloud Security Architecture and Strategy

Lack of Cloud Security Architecture and Strategy was rated third in The Egregious Elven. Large organizations migrating their information technology stack to the cloud without considering the nuances of IT operations in the cloud environment are creating a significant amount of business risk for themselves. Such organizations fail to plan for the shortcomings that they will experience operating their IT stack in the cloud. Moving workloads to the cloud will result in organizations having less visibility and control over their data and the underlying cloud infrastructure. Coupled with the self-provisioning and on-demand nature of cloud resources, it becomes very easy to scale up cloud resources – sometimes, in an insecure manner. For example, in 2019, Accenture left at least 4 cloud storage buckets unsecured and publicly downloadable. In highly complex and scalable cloud environments without proper cloud security architecture and processes, such misconfigurations can occur easily. For cloud migration and operations to go smoothly, such shortcomings must be accounted for. Organizations can engage a Cloud Security Access Broker (CASB) or use cloud-aware technology to provide some visibility into the cloud infrastructure. Being able to monitor your cloud environment for misconfigurations or exposures will be extremely critical when operating in the cloud.

On a different note, the fact that a Lack of Cloud Security Architecture and Strategy is high up in the Top Threats to Cloud Computing is evidence that organizations are actively migrating to the cloud. These nuanced cloud security issues only crop up post-migration and will be the next tranche of problems for which solutions must be found.

Continue reading the series…

Read our next blog post analyzing the overarching trend of cloud security issues highlighted in the Top Threats to Cloud Computing: Egregious 11 report. Next time we will take a look at Shared Technology Vulnerabilities and Limited Cloud Usage Visibility.

Uncovering the CSA Top Threats to Cloud Computing with Jim Reavis

By Greg Jensen, Sr. Principal Director – Security Cloud Business Group, Oracle

For the few that attend this year’s BlackHat conference kicking off this week in Las Vegas, many will walk away with an in depth understanding and knowledge on risk as well as actionable understandings on how they can work to implement new strategies to defend against attacks. For the many others who don’t attend, Cloud Security Alliance has once again developed their CSA Top Threats to Cloud Computing: The Egregious 11.

I recently sat down with the CEO and founder of CSA, Jim Reavis, to gain a deeper understanding on what leaders and practitioners can learn from this year’s report that covers the top 11 threats to cloud computing – The Egregious 11.

(Greg) Jim, for those who have never seen this, what is the CSA Top Threats to Cloud report and who is your target reader?

(Jim) The CSA Top Threats to Cloud Computing is a research report that is periodically updated by our research team and working group of volunteers to identify high priority cloud security risks, threats and vulnerabilities to enable organizations to optimize risk management decisions related to securing their cloud usage.  The Top Threats report is intended to be a companion to CSA’s Security Guidance and Cloud Controls Matrix best practices documents by providing context around important threats in order to prioritize the deployment of security capabilities to the issues that really matter.

Our Top Threats research is compiled via industry surveys as well as through qualitative analysis from leading industry experts.  This research is among CSA’s most popular downloads and has spawned several translations and companion research documents that investigate cloud penetration testing and real world cloud incidents.  Top Threats research is applicable to the security practitioner seeking to protect assets, executives needing to validate broader security strategies and any others wanting to understand how cloud threats may impact their organization.  We make every effort to relate the potential pitfalls of cloud to practical steps that can be taken to mitigate these risks.

(Greg) Were there any findings in the Top Threats report that really stood out for you?

(Jim) Virtually all of the security issues we have articulated impact all different types of cloud.  This is important as we find a lot of practitioners who may narrow their cloud security focus on either Infrastructure as a Service (IaaS) or Software as a Service (SaaS), depending upon their own responsibilities or biases.  The cloud framework is a layered model, starting with physical infrastructure with layers of abstraction built on top of it.  SaaS is essentially the business application layer built upon some form of IaaS, so the threats are applicable no matter what type of cloud one uses.  Poor identity management practices, such as a failure to implement strong authentication, sticks out to me as a critical and eminently solvable issue.  I think the increased velocity of the “on demand” characteristic of cloud finds its way into the threat of insufficient due diligence and problems of insecure APIs.  The fastest way to implement cloud is to implement it securely the first time. 

(Greg) What do you think are some of the overarching trends you’ve noticed throughout the last 3 iterations of the report?

(Jim) What has been consistent is that the highest impact threats are primarily the responsibility of the cloud user.  To put a bit of nuance around this as the definition of a “cloud user” can be tricky, I like to think of this in three categories: a commercial SaaS provider, an enterprise building its own “private SaaS” applications on top of IaaS or a customer integrating a large number of SaaS applications have the bulk of the technical security responsibilities.  So much of the real world threats that these cloud users grapple with are improper configuration, poor secure software development practices and insufficient identity and access management strategies.

Greg Jensen, Sr Dir of Security, Oracle

(Greg) Are you seeing any trends that show there is increasing trust in cloud services, as well as the CSP working more effectively around Shared Responsibility Security Model?

(Jim) The market growth in cloud is a highly quantifiable indicator that cloud is becoming more trusted.  “Cloud first” is a common policy we see for organizations evaluating new IT solutions, and it hasn’t yet caused an explosion of cloud incidents, although I fear we must see an inevitable increase in breaches as it becomes the default platform.

We have been at this for over 10 years at CSA and have seen a lot of maturation in cloud during that time.  One of the biggest contributions we have seen from the CSPs over that time is the amount of telemetry they make available to their customers.  The amount and diversity of logfile information customers have today does not compare to the relative “blackbox” that existed when we started this journey more than a decade ago.

Going back to the layered model of cloud yet again, CSPs understand that most of the interesting applications customers build are a mashup of technologies.  Sophisticated CSPs understand this shared responsibility for security and have doubled down on educational programs for customers.  Also, I have to say that one of the most rewarding aspects of being in the security industry is observing the collegial nature among competing CSPs to share threat intelligence and best practices to improve the security of the entire cloud ecosystem.

One of the initiatives CSA developed that helps promulgate shared responsibility is the CSA Security, Trust, Assurance & Risk (STAR) Registry.  We publish the answers CSPs provide to our assessment questionnaire so consumers can objectively evaluate a CSP’s best practices and understand the line of demarcation and where their responsibility begins.

(Greg) How does the perception of threats, risks and vulnerabilities help to guide an organization’s decision making & strategy?

(Jim) This is an example of why it is so important to have a comprehensive body of knowledge of cloud security best practices and to be able to relate it to Top Threats.  A practitioner must be able to evaluate using any risk management strategy for a given threat, e.g. risk avoidance, risk mitigation, risk acceptance, etc.  If one understand the threats but not the best practices, one will almost always choose to avoid the risk, which may end up being a poor business decision.  Although the security industry has gotten much better over the years, we still fight the reputation of being overly conservative and obstructing new business opportunities over concerns about security threats.  While being paranoid has sometimes served us well, threat research should be one of a portfolio of tools that helps us embrace innovation.  

(Greg) What are some of the security issues that are currently brewing/underrated that you think might become more relevant in the near future?

(Jim) I think it is important to understand that malicious attackers will take the easy route and if they can phish your cloud credentials, they won’t need to leverage more sophisticated attacks.  I don’t spend a lot of time worrying about sophisticated CSP infrastructure attacks like the Rowhammer direct random access memory (DRAM) leaks, although a good security practitioner worries a little bit about everything. I try to think about fast moving technology areas that are manipulated by the customer, because there are far more customers than CSPs.  For example, I get concerned about the billions of IoT devices that get hooked into the cloud and what kinds of security hardening they have.  I also don’t think we have done enough research into how blackhats can attack machine learning systems to avoid next generation security systems.

Our Israeli chapter recently published a fantastic research document on the 12 Most Critical Risks for Serverless Applications.  Containerization and Serverless computing are very exciting developments and ultimately will improve security as they reduce the amount of resource management considerations for the developer and shrink the attack surface.  However, these technologies may seem foreign to security practitioners used to a virtualized operating system and it is an open question how well our tools and legacy best practices address these areas.

The future will be a combination of old threats made new and exploiting fast moving new technology.  CSA will continue to call them as we see them and try to educate the industry before these threats are fully realized.

(Greg) Jim, it’s been great hearing from you today on this new Top Threats to Cloud report. Hats off to the team and the contributors for this year’s report. Has been great working with them all!

(Jim) Thanks Greg! To learn more about this, or to download a copy of the report, visit us at

Organizations Must Realign to Face New Cloud Realities

Jim Reavis, Co-founder and Chief Executive Officer, CSA

While cloud adoption is moving fast, many enterprises still underestimate the scale and complexity of cloud threats

Technology advancements often present benefits to humanity while simultaneously opening up new fronts in the on-going and increasingly complex cyber security battle. We are now at that critical juncture when it comes to the cloud: While the compute model has inherent security advantages when properly deployed, the reality is that any fast-growth platform is bound to see a proportionate increase in incidents and exposure.

The Cloud Security Alliance (CSA) is a global not-for-profit organization that was launched 10 years ago as a broad coalition to create a trusted cloud ecosystem. A decade later, cloud adoption is pervasive to the point of becoming the default IT system worldwide. As the ecosystem has evolved, so have the complexity and scale of cyber security attacks. That shift challenges the status quo, mounting pressure on organizations to understand essential technology trends, the changing threat landscape and our shared responsibility to rapidly address the resultant issues.

A decade later, cloud adoption is pervasive to the point of becoming the default IT system worldwide. As the ecosystem has evolved, so have the complexity and scale of cyber security attacks. 

There are real concerns that organizations have not adequately realigned for the cloud compute age and in some cases, are failing to reinvent their cyber defense strategies. Symantec’s inaugural Cloud Security Threat Report (CSTR) is a landmark report that shines a light on the current challenges and provides a useful roadmap that can help organizations improve and mature their cloud security strategy. The report articulates the most pressing cloud security issues of today, clarifies the areas that should be prioritized to improve an enterprise security posture, and offers a reality check on the state of cloud deployment.

Cloud in the Fast Lane

What the CSTR reveals and the CSA can confirm is that cloud adoption is moving too fast for enterprises, which are struggling with increasing complexity and loss of control. According to the Symantec CSTR, over half (54%) of respondents agree that their organization’s cloud security maturity is not keeping pace with the rapid expansion of new cloud apps.

The report also revealed that enterprises underestimate the scale and complexity of cloud threats. For example, the CSTR found that most commonly investigated incidents included garden variety data breaches, DDOS attacks and cloud malware injections. However, Symantec internal data shows that unauthorized access accounts for the bulk of cloud security incidents (64%), covering both simple exploits as well as sophisticated threats such as lateral movement and cross-cloud attacks. Companies are beginning to recognize their vulnerabilities–nearly two thirds (65%) of CSTR respondents believe the increasing complexity of their organization’s cloud infrastructure is opening them up to entirely new and dangerous threat vectors.

For example, identity-related attacks have escalated in the cloud, making proper identity and access management the fundamental backbone of security across domains in a highly virtualized technology stack. The speed with which cloud can be “spun up” and the often-decentralized manner in which it is deployed magnifies human errors and creates vulnerabilities that attackers can exploit. A lack of visibility into detailed cloud usage hampers optimal policies and controls.

The report also revealed that enterprises underestimate the scale and complexity of cloud threats.

As CSA delved into this report, we found strong alignment with the best practices research and education we advocate. As the CSTR reveals, a Zero Trust strategy, building out a software-defined perimeter, and adopting serverless and containerization technologies are critical building blocks for a mature cloud security posture.

The CSTR also advises organizations to develop robust governance strategies supported by a Cloud Center of Excellence (CCoE) to rally stakeholder buy-in and get everyone working from the same enterprise roadmap. Establishing security as a continuous process rather than front-loading efforts at the onset of procurement and deployment is a necessity given the frenetic pace of change.

As the CSTR suggests and we can confirm, security architectures must also be designed with an eye towards scalability, and automation and cloud-native approaches like DevSecOps are essential for minimizing errors, optimizing limited man power and facilitating new controls.

While there is a clear strategy for securing cloud operations, too few companies have embarked on the changes. Symantec internal data reports that 85% are not using best security practices as outlined by the Center for Internet Security (CIS). As a result, nearly three-quarters of respondents to the CSTR said they experienced a security incident in cloud-based infrastructure due to this immaturity.

The CSTR is a pivotal first step in increasing that awareness.

The good news is that the users of cloud have a full portfolio of solutions, including multi-factor authentication, data loss prevention, encryption and identity and authentication tools, at their disposal to address cloud security threats along with new processes and an educated workforce. The bad news is that many users of cloud are not aware of the full magnitude of their cloud adoption, the demarcation of the shared responsibility model and the inclination to rely on outdated security best practices. The CSTR is a pivotal first step in increasing that awareness.

Cloud is and will continue to be the epicenter of IT, and increasingly the foundation for cyber security. Understanding how threat vectors are shifting in cloud is fundamental to overhauling and modernizing an enterprise security program and strategy. CSA recommends the Symantec CSTR report be read widely and we look forward to future updates to its findings.

Download 2019 Cloud Security Threat Report >>

Interested in learning more? You can watch our CloudBytes webinar with Jim Reavis, Co-Founder & CEO at Cloud Security Alliance, and Kevin Haley, Director Security Technology and Response at Symantec as they discuss the key findings from the 2019 Cloud Security Threat Report. Watch it here >>

CSA on This Millennium Alliance Podcast

By Cara Bernstein, Manager/Executive Education Partnerships, The Millennium Alliance

top threats interview image

This podcast episode features The Millennium Alliance partner, The Cloud Security Alliance. We sat down with Vince Campitelli, Enterprise Security Specialist, and Jon-Michael C. Brook, Principal, Guide Holdings, LLC, and co-chair of CSA’s Top Threats Working Group, to discuss the work of CSA, the top threats people need to be concerned about and how to best develop an expert cyber team.

Click here to listen and subscribe >>