Cybersecurity: The Rising Tide of Cloud Security Risks

From the commercial outset of cloud computing there’s been as much talk about potential threats as there has been about tried and tested benefits. Initially, ideas about having data or infrastructure off-site were almost unthinkable – but we’ve learned to control our nervous dispositions and, now, it’s hard to think back to a time when we were so clingy.

The trouble is, confidence can tip toward complacency – and it’s an especially tricky balance to keep when that confidence is bolstered by impressive security claims from cloud service providers. As a result, we’re left with the choice of blind faith in providers – or the often-complex task of digging into security issues ourselves.

Fortunately, the Cloud Security Alliance (CSA) recently unveiled a report entitled “Top Threats to Cloud Computing: The Egregious 11” – documenting the 11 most currently relevant risks that go hand-in-hand with cloud technology. If you rely on the cloud for any part of your infrastructure, it’s vital reading.

What’s particularly interesting about the report is the fact that the threats outlined in the organization’s previous report (dubbed the ‘Treacherous 12’) have been largely relegated out of sight. This is a clear illustration of how quickly the cloud security landscape can change – especially considering the last report landed on our desks just three years ago.

What’s included in the report?

The CSA’s report comes as a result of 241 conversations with cloud computing industry experts, and it highlights 2019’s most significant cloud security concerns:

1.    Data Breaches

More frequently than ever, data is the main target of cyber-attacks – and, as such, it’s important to define the value of that data and the kind of impact that would be felt if it was lost. Of course, the right encryption helps – and is one of the many uses of VPN technology within companies – but it’s absolutely key that security isn’t sidestepped because of the sometimes negative impact it can have on end-user performance.

2.    Misconfiguration and inadequate change control

Where data is stored in misconfigured items, early detection and mitigation are vital to a secure infrastructure. Without early detection, data can be exposed – and the nature of cloud networks means access to data could be thrown open.

3.    Lack of cloud security architecture and strategy

In many cases, complacency is driven by the idea that a business is either unattractive to a cyber-criminal – or is simply too small to worry about having the right architecture in place. Unfortunately, companies of this size tend to be the ones that cannot reopen their doors after an attack – making the right systems and strategies absolutely crucial – from day one.

4.    Insufficient identity, credential, access and key management

No business would let a stranger sit at a desk and start exporting and modifying files simply because they said they worked for you – yet this is exactly what happens digitally when poor identity, credential, or key management systems are in place. Clearly, the consequences are potentially catastrophic.

5.    Account hijacking

In some instances, full user accounts can be compromised – along with the services and data that account has access to. This opens the door to severe reputation damage – along with exposure to legal action if the account hijacking results in data loss or access to third-party data through deception.

6.    Insider threat

Sadly, there’s no company that can be 100% certain that no malicious intent is present within their team. As such, protocols for monitoring, containment, investigation, and response should be considered. While these steps are clearly time and resource hungry – the potential downtime and loss of data make it an investment worth exploring.

7.    Insecure interfaces and APIs

Increasingly, APIs and other interfaces are used to ensure smooth integration of systems and applications. While this presents a number of benefits – it also potentially presents a series of ‘backdoors’ into linked infrastructure. As such, compiling inventories that undergo strict testing and auditing should be on your company’s to-do list.

8.    Weak control plane

Again, much like the measures taken to ensure interfaces are sound, proper scrutiny of the control plane and proactive re-design should be routine in organizations that want to maintain control of their systems.

9.    “Metastructure” and “applistructure” failures

Cloud service providers are often quick to extol the virtues of their platforms – but without throwing open the doors to their penetration testing measures. Visibility should be key – and regular security findings should be published to users.

10.    Limited cloud usage visibility

Cloud containers can be compromised by a range of threats – and those threats can creep in through a lack of governance, a lack of understanding and awareness, and a lack of security. Organizations should have strict controls in place to ensure risks are understood – by everyone with access to the network.

11.    Abuse and nefarious use of cloud services

Similar to hijacking accounts – infrastructure services can be diverted at the customer’s expense. System users and resource usage should be monitored – otherwise end-user and customer experience could be severely impeded.

What can we learn?

The threats highlighted by the CSA represent something of a shift since their last report in 2016. Back then, issues like data loss, DDoS attacks, and other malicious threats to our domains and online digital assets were considered the most likely threats – but times are changing.

It would probably be unfair to suggest cloud service providers are selling a high-security dream that doesn’t stand the pressure of real-life use – because the aspects of security that they are responsible for seem to be dropping down the list of relevant threats. Instead, we need to look at where the cybercriminals have shifted their focus – and those eyes fall on decision makers in our businesses.

Now, it seems the onus is on end-user companies to tighten up their own working practices – rather than simply outsourcing and assuming a cloud service provider can plug all potential security gaps. A lack of company-wide awareness of cloud threats, inadequate control plane planning, and credential spoofing aren’t things that a cloud service provider can protect against – but they’re real threats that companies are coming up against every day.

The cloud security risk tide is indeed rising – and where we’ve previously assumed cloud service providers will keep us afloat, it’s time to turn our attention to our immediate digital surroundings – and start plugging the gaps that could compromise what happens much closer to home.


2021 © True Pundit. All rights reserved.