CSA: Top Threats to Cloud Computing
The COVID-19 pandemic irreversibly changed our workplace and work practices, resulting in an increase in the consumption of cloud services. The CSA report on Top Threats to Cloud Computing Pandemic Eleven aims to raise awareness of threats, vulnerabilities, and risks in the cloud. This survey-based report describes the top threats to cloud computing, whether the cloud service provider or cloud customer owns the responsibility, which type of cloud service model it applies to, and provides mappings to the CSA CCM Controls and STRIDE threat analysis.
Here are the top threats ranked by the average survey score.
1. Insufficient Identity, Credentials, Access and Key Management, Privileged Accounts
- Threat/Risk: unauthorised access, excessive permissions, stale accounts, privilege escalation, account takeover, malicious insiders, inadequate visibility, data exfiltration/manipulation.
- Business Impact: decrease in employee productivity and increase in fatigue, lack of compliance and apathy to security, data loss, supply chain disruption, loss of reputation/trust, decline in revenue, expenses and regulatory fines.
- Key Takeaways: segregation of duties, least privilege "need to know", user entitlements review, zero trust architecture, multi-factor authentication, social engineering and account takeover protection.
2. Insecure Interfaces and APIs
- Threat/Risk: unauthenticated endpoints, weak authentication, excessive permissions, data exfiltration/manipulation, deletion or modification of resources, service interruptions.
- Business Impact: unintended exposure of sensitive or private data.
- Key Takeaways: API security/management, cloud-ready change management practices, security test automation, continuous monitoring and remediation of anomalous API traffic.
3. Misconfiguration and Inadequate Change Control
- Threat/Risk: insecure defaults, unpatched systems, unrestricted access, unintended damage to resources, malicious insiders, service interruptions.
- Business Impact: data loss, service disruption, loss of reputation/trust, decline in revenue, non-compliance and regulatory fines.
- Key Takeaways: standardised change management practices, automation via infrastructure as code, approvals for critical workflows, secure deployment pipelines, cloud security posture assessment.
4. Lack of Cloud Security Architecture and Security
- Threat/Risk: insecure design patterns, service interruptions, cyber attacks.
- Business Impact: business continuity and disaster recovery, loss of reputation/trust, high cloud spend, non-compliance and regulatory fines.
- Key Takeaways: implications of business imperatives and legal/compliance requirements, threat profiling/modelling, resilient cloud architectures, shared responsibilities, disaster recovery testing, third-party risk assessments.
5. Insecure Software Development
- Threat/Risk: insecure coding practices, vulnerable software, leaked secrets, compromised artifact repositories, application vulnerabilities (e.g. OWASP Top 10), supply chain exploits and disruption.
- Business Impact: decrease in employee productivity and agility, unintended exposure of sensitive or private data, loss of reputation/trust.
- Key Takeaways: "shift left" security, secure CI/CD pipelines, artifact scans, code provenance, secure software supply chain (esp. for open source software), bug bounty programs.
6. Unsecured Third-Party Resources
- Threat/Risk: vulnerable software, supply chain exploits and disruption.
- Business Impact: data loss, supply chain disruption, loss of reputation/trust, business continuity, non-compliance and regulatory fines.
- Key Takeaways: third-party risk management, secure software supply chain (esp. for open source software), software bill of materials, penetration tests.
7. System Vulnerabilities
- Threat/Risk: insecure defaults, unpatched systems, service interruptions, legacy security protocols, running unnecessary services, zero-day attacks.
- Business Impact: service disruption, loss of reputation/trust, decline in revenue, non-compliance and regulatory fines.
- Key Takeaways: platform/service hardening, strong patch and vulnerability management practices, reduced service footprint, strong authentication.
8. Accidental Cloud Data Disclosure
- Threat/Risk: insecure defaults, excess network exposure, weak authentication and access control, lack of cloud security skills.
- Business Impact: data loss, loss of reputation/trust, decline in revenue, non-compliance and regulatory fines.
- Key Takeaways: platform/service hardening, data discovery, classification, and governance, least privilege "need to know", user entitlements review, cloud security posture assessment.
9. Misconfiguration and Exploitation of Serverless and Container Workloads
- Threat/Risk: insecure defaults, weak authentication and access control, container compromise/escape, lack of cloud security skills.
- Business Impact: service disruption, data loss, high cloud spend.
- Key Takeaways: platform/service hardening, shared responsibilities, automation via infrastructure as code, immutable infrastructure, serverless and container security, observability, cloud security posture assessment.
10. Organised Crime/Hackers/APT
- Threat/Risk: zero-day attacks, lateral movement, phishing, credential stuffing attacks, service interruptions.
- Business Impact: service disruption, loss of employee/customer data, trade secrets and intellectual property, business viability.
- Key Takeaways: threat intelligence subscription, threat profiling/modelling, zero trust architecture, multi-factor authentication, social engineering and account takeover protection, penetration tests and red team assessments.
11. Cloud Storage Data Exfiltration
- Threat/Risk: insecure defaults, weak authentication and access control, application vulnerabilities (e.g. OWASP Top 10), data exfiltration.
- Business Impact: loss of employee/customer data, trade secrets and intellectual property, loss of reputation/trust, regulatory fines.
- Key Takeaways: platform/service hardening, data discovery, classification, and governance, least privilege "need to know", client-side encryption, cloud security posture assessment.
A gist is meant to offer an "escalator preview" of the white paper being reviewed. It is not intended to be exhaustive or to offer an opinion, and readers are encouraged to read the white paper in its entirety for full benefit.