11 cloud vulnerabilities that keep customers up at night.
Cloud Providers-As cloud rises to encompass to more corporate applications, data and processes, there’s potential for end-users to outsource their security to providers as well.
The need to take control of security and not turn ultimate responsibility over to cloud providers is taking hold among many enterprises, an industry survey suggests. The Cloud Security Alliance, which released its survey of 241 industry experts, identified an “Egregious 11” cloud security issues.
The survey’s authors point out that many of this year’s most pressing issues put the onus of security on end user companies, versus relying on service providers. “We noticed a drop in ranking of traditional cloud security issues under the responsibility of cloud service providers. Concerns such as denial of service, shared technology vulnerabilities, and CSP data loss and system vulnerabilities — which all featured in the previous ‘Treacherous 12’ — were now rated so low they have been excluded in this report. These omissions suggest that traditional security issues under the responsibility of the CSP seem to be less of a concern. Instead, we’re seeing more of a need to address security issues that are situated higher up the technology stack that are the result of senior management decisions.”
This aligns with another recent survey from Forbes Insights and VMware, which finds that proactive companies are resisting the temptation to turn security over to their cloud providers — only 31% of leaders report turning over many security measures to cloud providers. (I helped design and author the survey report.) Still, 94% are employing cloud services for some aspects of security.
The latest CSA report highlights this year’s leading concerns:
1. Data breaches. “Data is becoming the main target of cyber attacks,”.the report’s authors point out. “Defining the business value of data and the impact of its loss is essential important for organizations that own or process data.” In addition, “protecting data is evolving into a question of who has access to it,” they add. “Encryption techniques can help protect data, but negatively impacts system performance while making applications less user-friendly.”
2. Misconfiguration and inadequate change control. “Cloud-based resources are highly complex and dynamic, making them challenging to configure. Traditional controls and change management approaches are not effective in the cloud.” The authors state “companies should embrace automation and employ technologies that scan continuously for misconfigured resources and remediate problems in real time.”
3. Lack of cloud security architecture and strategy. “Ensure security architecture aligns with business goals and objectives. Develop and implement a security architecture framework.”
4. Insufficient identity, credential, access and key management. “Secure accounts, inclusive to two-factor authentication and limited use of root accounts. Practice the strictest identity and access controls for cloud users and identities.”
5. Account hijacking. This is a threat that must be taken seriously. “Defense-in-depth and IAM controls are key in mitigating account hijacking.”