The top five security threats in cloud computing
Data breaches are at the top of the list of security threats in the cloud, according to a new report released by Cloud Security Alliance.
For the “Top Threats to Cloud Computing: Egregious Eleven” report, 241 industry experts were interviewed and rated 11 salient threats, risks and vulnerabilities in their cloud environments in order of significance.
This is the fourth instalment of the report, which states that data breaches; misconfiguration and inadequate change control; lack of cloud security architecture and strategy; insufficient identity, credential, access and key management; and account hijacking are the top five threats in cloud computing.
Many cloud security issues that featured in the previous “Treacherous 12” report dropped off the list. These include denial-of-service, shared technology vulnerabilities and data loss.
The report notes this suggests traditional security issues are either being well addressed, or are no longer perceived as a significant business risk of cloud adoption.
Cloud Security Alliance is a global non-profit organisation with a mission to promote the use of best practices for providing security assurance within cloud computing and to provide education on the uses of cloud computing to help secure all other forms of computing.
The Cloud Security Alliance Top Threats Working Group is responsible for providing context to assist organisations in making educated risk management decisions regarding their cloud adoption strategies.
Top Threats Working Group co-chairman Jon-Michael C Brook says the issues highlighted in the report suggest a technology landscape where security professionals are actively considering cloud migration.
“We hope this Top Threats report raises organisational awareness of the top security issues that require more industry attention and research, ensuring they are taken into consideration when budgeting for cloud migration and security.”
Cloud Security Alliance global vice-president John Yeoh says the complexity of cloud can be the perfect place for attackers to hide, offering concealment as a launch pad for further harm.
“Unawareness of the threats, risks and vulnerabilities makes it more challenging to protect organisations from data loss. The security issues outlined in this iteration of the Top Threats report, therefore, are a call to action for developing and enhancing cloud security awareness, configuration and identity management.”
The latest worst of the worst
Data breaches: Data is becoming the main target of cyber attacks and the impact of its loss is essentially important for all organisations that own or process data. Protecting data is evolving into a question of who has access to it, states the report.
Misconfiguration and inadequate change control: When misconfiguration occurs, cloud-based resources are highly complex and dynamic, making them too challenging to configure. Traditional controls and change management approaches are not effective in the cloud. Companies should embrace automation and employ technologies that scan continuously for misconfigured resources and remediate problems in real-time, the report advises.
Lack of cloud security architecture and strategy: Companies must ensure cloud security architecture aligns with business goals and objectives. They should develop and implement a security architecture framework and ensure the threat model is continuously kept up to date.
Insufficient identity, credential, access and key management: Companies must secure accounts, and limit their use of root accounts. They must also practise the strictest identity and access controls for cloud users, says the cloud threat report.
Account hijacking: The business impact of account hijacking implies full compromise: control of the account, its services and data within, and is a threat that must be taken seriously.