Emerging Cloud Security Issues Pose Bigger Challenge
A new cloud security report shows security professionals have an advanced understanding of the cloud, while emerging issues are harder to address as infrastructure becomes more secure and attackers more sophisticated.
The Cloud Security Alliance (CSA) report, Top Threats to Cloud Computing: The Egregious Eleven, re-examines the risks inherent with cloud security and takes a new approach, examining the problems tied to configuration and authentication, rather than the traditional focus on vulnerabilities and malware.
Greg Jensen, Oracle‘s senior principal director of cloud security, tells us all of the security issues highlighted impact all different types of cloud.
“This is important as we find a lot of practitioners who may narrow their cloud security focus on either IaaS or SaaS, depending upon their own responsibilities or biases,” he said. “The cloud framework is a layered model, starting with physical infrastructure with layers of abstraction built on top of it. SaaS is essentially the business application layer built upon some form of IaaS, so the threats are applicable no matter what type of cloud one uses. Poor identity-management practices, such as a failure to implement strong authentication, sticks out to me as a critical and eminently solvable issue. I think the increased velocity of the ‘on demand’ characteristic of cloud finds its way into the threat of insufficient due diligence and problems of insecure APIs. The fastest way to implement cloud is to implement it securely the first time.”
This year’s report differs from past reports in that many traditional cloud security issues that fall to cloud service providers (CSPs) – denial of service threats, shared technology vulnerabilities, CSP data loss and system vulnerabilities and so on – have dropped off the list. This suggests that traditional security issues either are being well addressed or are no longer perceived as a significant business risk of cloud adoption. Issues that are the result of senior management decisions around cloud strategy and implementation are of increasing concern.
The latest report highlights the following Egregious Eleven (ranked in order of significance):
- Data breaches
- Misconfiguration and inadequate change control
- Lack of cloud security architecture and strategy
- Insufficient identity, credential, access and key management
- Account hijacking
- Insider threats
- Insecure interfaces and APIs
- Weak control plane
- Poor API implementation by the cloud provider
- Limited cloud usage visibility
- Abuse and nefarious use of cloud services
“What has been consistent is that the highest-impact threats are primarily the responsibility of the cloud user,” Jensen said. “To put a bit of nuance around this as the definition of a cloud user can be tricky, I like to think of this in three categories: a commercial SaaS provider, an enterprise building its own private SaaS applications on top of IaaS, or a customer integrating a large number of SaaS applications have the bulk of the technical security responsibilities. So much of the real-world threats that these cloud users grapple with are improper configuration, poor secure software development practices and insufficient identity and access management strategies.”
“The new issues highlighted in this version of the report are inherently specific to the cloud and suggest a technology landscape where security professionals are actively considering cloud migration,” said Jon-Michael Brook, co-chair of the Top Threats Working Group and a principal contributor to the industry. “We hope this top threats report raises organizational awareness of the top security issues that require more industry attention and research, ensuring that they are taken into consideration when budgeting for cloud migration and security,”