11 top cloud security threats

More data and applications are moving to the cloud, which creates unique infosecurity challenges. Here are the "Egregious 11," the top security threats organizations face when using cloud services.


Cloud computing continues to transform the way organizations use, store, and share data, applications, and workloads. It has also introduced a host of new security threats and challenges. With so much data going into the cloud—and into public cloud services in particular—these resources become natural targets for bad actors.

“The volume of public cloud utilization is growing rapidly, so that inevitably leads to a greater body of sensitive stuff that is potentially at risk,” says Jay Heiser, vice president and cloud security lead at Gartner, Inc.

Contrary to what many might think, the main responsibility for protecting corporate data in the cloud lies not with the service provider but with the cloud customer. “We are in a cloud security transition period in which focus is shifting from the provider to the customer,” Heiser says. “Enterprises are learning that huge amounts of time spent trying to figure out if any particular cloud service provider is ‘secure’ or not has virtually no payback.”

To provide organizations with an up-to-date understanding of cloud security concerns so they can make educated decisions regarding cloud adoption strategies, the Cloud Security Alliance (CSA) has created the latest version of its Top Threats to Cloud Computing: Egregious Eleven report. The report, released in September, lists the top cloud threats that occurred in 2019.

The report reflects the current consensus among security experts in the CSA community about the most significant security issues in the cloud. While there are many security concerns in the cloud, CSA says, this list focuses on 11 specifically related to the shared, on-demand nature of cloud computing.

To identify the top concerns, CSA conducted a survey of industry experts to compile professional opinions on the greatest security issues within cloud computing. Here are the top cloud security issues (ranked in order of severity per survey results):

1. Data breaches

The threat of data breaches retains its number one ranking in the survey from last year. It’s easy to see why. Breaches can cause great reputational and financial damage. They could potentially result in loss of intellectual property (IP) and significant legal liabilities.

CSA’s key takeaways regarding the data breach threat include:

  • Attackers want data, so businesses need to define the value of their data and the impact of its loss.
  • Who has access to data is a key question to resolve to protect it.
  • Internet-accessible data is the most vulnerable to misconfiguration or exploitation.
  • Encryption can protect data, but with a trade-off in performance and user experience.
  • Businesses need robust, tested incident response plans that take cloud service providers into account.

2. Misconfiguration and inadequate change control

This is a new threat to the CSA list, and not surprising given the many examples of businesses accidentally exposing data via the cloud. For example, CSA cites the Exactis incident where the provider left an Elasticsearch database containing personal data of 230 million US consumers publicly accessible due to misconfiguration. Just as damaging was the case where Level One Robotics exposed IP belonging to more than 100 manufacturing companies thanks to a misconfigured backup server.

It’s not just the loss of data that companies have to worry about here, according to the CSA, but deletion or modification of resources done with the intent to disrupt business. The report blames poor change control practices for most of the misconfiguration errors.

CSA’s key takeaways regarding misconfiguration and inadequate change control include:

  • The complexity of cloud-based resources makes them difficult to configure.
  • Don’t expect traditional controls and change management approaches to be effective in the cloud.
  • Use automation and technologies that scan continuously for misconfigured resources.
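The Exactis and Level One Robotics incidents above are both cases of a resource that was reachable by anyone on the internet. The following script is an added example (not code from the CSA report or this article) of the kind of continuous scan the last takeaway calls for: it walks a constructed inventory of resource descriptions and flags storage policies that grant access to any principal and firewall rules that open sensitive ports to the whole internet. The inventory records, their field names, and the resource ids are all constructed for the example; a real scanner would fill them from a provider's API.

```python
"""Flag publicly exposed cloud resources in an inventory snapshot.

Added example, not from the CSA report or the article. The inventory
below and its field names are a constructed, provider-neutral shape,
not any real provider's API output.
"""
import ipaddress

# Ports whose exposure to the internet almost always indicates a misconfiguration.
SENSITIVE_PORTS = {22: "ssh", 873: "rsync", 3389: "rdp", 5432: "postgres",
                   9200: "elasticsearch", 27017: "mongodb"}

# Constructed inventory: two buckets, a search cluster and a backup VM.
INVENTORY = [
    {"id": "bucket/customer-exports", "type": "storage_bucket",
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::customer-exports/*"}]}},
    {"id": "bucket/internal-builds", "type": "storage_bucket",
     "policy": {"Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci"},
                               "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::internal-builds/*"}]}},
    {"id": "search/consumer-profiles", "type": "search_cluster", "auth_enabled": False,
     "firewall": [{"port": 9200, "cidr": "0.0.0.0/0"}]},
    {"id": "vm/backup-01", "type": "vm",
     "firewall": [{"port": 873, "cidr": "0.0.0.0/0"},
                  {"port": 22, "cidr": "10.0.0.0/8"}]},
]


def principal_is_anyone(principal):
    """True for the wildcard principal forms that mean 'any caller'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_is_public(policy):
    """True if an Allow statement grants access to anyone with no Condition.

    A statement with a Condition (e.g. a source-VPC restriction) is not
    treated as public here; evaluating conditions needs provider context.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_is_anyone(stmt.get("Principal")) and not stmt.get("Condition"):
            return True
    return False


def world_open_ports(rules):
    """Ports reachable from any address (0.0.0.0/0 or ::/0), sorted."""
    ports = set()
    for rule in rules:
        if ipaddress.ip_network(rule["cidr"], strict=False).prefixlen == 0:
            ports.add(rule["port"])
    return sorted(ports)


def scan(inventory):
    """Return a list of findings, one dict per exposed resource/port."""
    findings = []
    for res in inventory:
        if res["type"] == "storage_bucket" and policy_is_public(res["policy"]):
            findings.append({"id": res["id"], "severity": "high",
                             "issue": "bucket policy grants access to anyone"})
        for port in world_open_ports(res.get("firewall", [])):
            if port not in SENSITIVE_PORTS:
                continue
            severity = "high"
            # An unauthenticated data store open to the internet is the Exactis pattern.
            if res["type"] == "search_cluster" and not res.get("auth_enabled", True):
                severity = "critical"
            findings.append({"id": res["id"], "severity": severity,
                             "issue": f"{SENSITIVE_PORTS[port]} (port {port}) reachable from any address"})
    return findings


if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"[{f['severity']}] {f['id']}: {f['issue']}")
```

Run on a schedule against a fresh inventory export, a check like this turns the "scan continuously" takeaway into a concrete control; the two checks here (wildcard principal, zero-length prefix) are deliberately simple so that they are cheap to run on every change.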

3. Lack of cloud security architecture and strategy

This problem is as old as the cloud. The desire to minimize the time needed to migrate systems and data to the cloud usually takes precedence over security. As a result, the company becomes operational in the cloud using security infrastructure and strategies that were not designed for it. The fact that this showed up on the list for 2020 indicates that more companies recognize it as a problem.

CSA’s key takeaways regarding lack of cloud security architecture and strategy include:

  • The security architecture needs to align with business goals and objectives.
  • Develop and implement a security architecture framework.
  • Keep threat models up to date.
  • Deploy continuous monitoring capability.

4. Insufficient identity, credential, access and key management

Another threat new to the list is inadequate access management and control around data, systems and physical resources like server rooms and buildings. The report notes that the cloud requires organizations to change practices related to identity and access management (IAM). Failing to do so, according to the report, could result in security incidents and breaches caused by:

  • Inadequately protected credentials
  • Lack of automated rotation of cryptographic keys, passwords and certificates
  • Lack of scalability
  • Failure to use multi-factor authentication
  • Failure to use strong passwords

CSA’s key takeaways regarding insufficient identity, credential, access and key management include:

  • Secure accounts, including the use of two-factor authentication.
  • Use strict identity and access controls for cloud users and identities; in particular, limit the use of root accounts.
  • Segregate and segment accounts, virtual private clouds and identity groups based on business needs and the principle of least privilege.
  • Take a programmatic, centralized approach to key rotation.
  • Remove unused credentials and access privileges.
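The last three takeaways (limit root use, rotate keys programmatically, remove unused credentials) are the kind of thing that is easy to agree with and hard to keep true by hand. The following is an added example, not code from CSA or the article, of a credential hygiene audit over a constructed credential report. The record shape, the field names, the key ids and the `<root_account>` marker are all assumptions made for the example; the 90-day rotation and 60-day idle thresholds are illustrative policy values, not numbers from the report.

```python
"""Audit a credential report for the IAM hygiene failures the CSA lists.

Added example, not from the CSA report or the article. REPORT is a
constructed snapshot; its field names and key ids are hypothetical.
"""
from datetime import date, timedelta

NOW = date(2020, 1, 15)            # fixed "today" so the run is reproducible
MAX_KEY_AGE = timedelta(days=90)   # illustrative rotation policy
MAX_IDLE = timedelta(days=60)      # illustrative "unused" threshold
ROOT = "<root_account>"

REPORT = [
    {"user": ROOT, "console_password": True, "mfa_active": False,
     "password_last_used": "2019-12-20",
     "access_keys": [{"id": "KEY-ROOT-1", "active": True,
                      "created": "2018-03-01", "last_used": "2019-12-20"}]},
    {"user": "alice", "console_password": True, "mfa_active": True,
     "password_last_used": "2020-01-14",
     "access_keys": [{"id": "KEY-ALICE-1", "active": True,
                      "created": "2019-09-01", "last_used": "2020-01-14"}]},
    {"user": "bob", "console_password": True, "mfa_active": False,
     "password_last_used": "2019-09-01",
     "access_keys": [{"id": "KEY-BOB-1", "active": True,
                      "created": "2019-06-01", "last_used": "2019-10-01"}]},
    {"user": "svc-deploy", "console_password": False, "mfa_active": False,
     "access_keys": [{"id": "KEY-DEPLOY-1", "active": True,
                      "created": "2019-11-20", "last_used": "2020-01-15"},
                     {"id": "KEY-DEPLOY-0", "active": True,
                      "created": "2019-02-01", "last_used": None}]},
]


def parse_day(value):
    """'YYYY-MM-DD' -> date, or None when the report has no value."""
    return date.fromisoformat(value) if value else None


def audit(report, now=NOW):
    """Return (user, finding) tuples; one tuple per violated rule."""
    findings = []
    for rec in report:
        user = rec["user"]
        # Rule 1: anyone with console access must have MFA.
        if rec.get("console_password") and not rec.get("mfa_active"):
            findings.append((user, "console access without MFA"))
        # Rule 2: a console password nobody uses is attack surface only.
        pw_used = parse_day(rec.get("password_last_used"))
        if rec.get("console_password") and pw_used and now - pw_used > MAX_IDLE:
            findings.append((user, f"console password unused since {pw_used}; disable it"))
        for key in rec.get("access_keys", []):
            if not key["active"]:
                continue
            # Rule 3: the root account should have no programmatic keys at all.
            if user == ROOT:
                findings.append((user, f"{key['id']}: active access key on root account; delete it"))
                continue
            created = parse_day(key["created"])
            last_used = parse_day(key["last_used"]) or created
            # Rule 4: unused keys are removed rather than rotated.
            if now - last_used > MAX_IDLE:
                findings.append((user, f"{key['id']}: unused since {last_used}; remove"))
                continue
            # Rule 5: keys still in use past the rotation window get rotated.
            if now - created > MAX_KEY_AGE:
                findings.append((user, f"{key['id']}: key is {(now - created).days} days old; rotate"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(REPORT):
        print(f"{user:14} {finding}")
```

Rule 4 is checked before rule 5 on purpose: rotating a key nobody uses just produces a fresh unused key, so removal wins. Feeding the output into a ticketing or automation step is what makes the "programmatic, centralized" takeaway real.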

5. Account hijacking

Account hijacking remains the fifth biggest cloud threat this year. As phishing attempts become more effective and targeted, the risk of an attacker gaining access to highly privileged accounts is significant. Phishing is not the only way an attacker can gain credentials. They can also acquire them by compromising the cloud service itself or stealing them through other means.

Once an attacker can enter the system using a legitimate account, they can cause a great deal of disruption, including theft or destruction of important data, halting service delivery, or financial fraud. CSA recommends educating users to the dangers and signs of account hijacking to minimize the risk.

CSA’s key takeaways regarding account hijacking include:

  • Don’t just do a password reset when account credentials are stolen. Address the root causes.
  • A defense-in-depth approach and strong IAM controls are the best defense.

6. Insider threats

Threats from trusted insiders are just as serious in the cloud as they are with on-premises systems. Insiders can be current or former employees, contractors, or a trusted business partner—anyone who doesn’t have to break through a company’s defenses to access its systems.

An insider does not need to have malicious intent to do damage; they could unintentionally put data and systems at risk. CSA cites the Ponemon Institute’s 2018 Cost of Insider Threats study, which states that 64% of all reported insider incidents were due to employee or contractor negligence. That negligence could include misconfigured cloud servers, storing sensitive data on a personal device, or falling victim to a phishing email.

CSA’s key takeaways regarding insider threats include:

  • Conduct employee training and education on proper practices to protect data and systems. Make education an ongoing process.
  • Regularly audit and fix misconfigured cloud servers.
  • Restrict access to critical systems.

7. Insecure interfaces and APIs

Falling to number seven from number three last year, insecure interfaces and APIs are a common attack vector, as Facebook knows. In 2018, the social media service experienced a breach that affected more than 50 million accounts that was the result of a vulnerability introduced in its View As feature. Especially when associated with user interfaces, API vulnerabilities can give attackers a clear path to stealing user or employee credentials.

The CSA report says organizations need to understand that APIs and user interfaces are often the most exposed parts of a system, and it encourages a security by design approach to building them.

CSA’s key takeaways regarding insecure interfaces and APIs include:

  • Employ good API practices such as oversight of items like inventory, testing, auditing and abnormal activity protections.
  • Protect API keys and avoid reuse.
  • Consider an open API framework such as the Open Cloud Computing Interface (OCCI) or Cloud Infrastructure Management Interface (CIMI).

8. Weak control plane

A control plane encompasses the processes for data duplication, migration and storage. The control plane is weak if the person in charge of these processes does not have full control over the data infrastructure’s logic, security and verification, according to the CSA. The controlling stakeholders need to understand the security configuration, how data flows, and the architectural blind spots or weaknesses. Failure to do so could result in data leakage, unavailability of data, or data corruption.

CSA’s key takeaways regarding a weak control plane include:

  • Make sure the cloud service provider offers the security controls needed to fulfill legal and statutory obligations.
  • Perform due diligence to ensure the cloud service provider possesses an adequate control plane.

9. Metastructure and applistructure failures

A cloud service provider’s metastructure holds security information on how it protects its systems, and it discloses that information via API calls. CSA calls the metastructure the cloud service provider/customer “line of demarcation” or “waterline.” The APIs help customers detect unauthorized access, but also contain highly sensitive information such as logs or audit system data.

This waterline is also a potential point of failure that could give attackers access to data or the ability to disrupt cloud customers. Poor API implementation is often the cause of a vulnerability. CSA notes that immature cloud service providers might not know how to properly make APIs available to their customers, for example.

Customers, on the other hand, might not understand how to properly implement cloud applications. This is particularly true when they connect applications that were not designed for cloud environments.

CSA’s key takeaways regarding metastructure and applistructure failures include:

  • Make sure the cloud service provider offers visibility and exposes mitigations.
  • Implement appropriate features and controls in cloud-native designs.
  • Make sure the cloud service provider conducts penetration testing and provides findings to customers.

10. Limited cloud usage visibility

A common complaint among security professionals is that a cloud environment makes them blind to much of the data they need to detect and prevent malicious activity. The CSA breaks down this limited usage visibility challenge into two categories: unsanctioned app use and sanctioned app misuse.

Unsanctioned apps are essentially shadow IT—applications employees use without permission or support of IT or security. Any app that does not meet corporate guidelines for security represents a risk that the security team might be unaware of.

Sanctioned app misuse might be an authorized person using an approved app or an external threat actor using stolen credentials. Security teams need to be able to tell the difference between valid and invalid users by detecting out-of-norm behaviors, the CSA report said.

CSA’s key takeaways regarding limited cloud usage visibility include:

  • Develop a cloud visibility effort from the top down that ties into people, processes, and technology.
  • Conduct mandatory company-wide training on accepted cloud usage policies and enforcement.
  • Have the cloud security architect or third-party risk management personnel review all non-approved cloud services.
  • Invest in a cloud access security broker (CASB) or software-defined gateways (SDG) to analyze outbound activities.
  • Invest in a web application firewall to analyze inbound connections.
  • Implement a zero-trust model across the organization.
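Both halves of the visibility problem, and the account hijacking threat in section 5, come down to the same question: can the security team tell a legitimate user from someone using stolen credentials or an unapproved service? The following is an added example, not code from CSA or the article, of the "out-of-norm behavior" detection the report describes, run over two constructed logs: a sign-in log (per-user country baseline, impossible travel, a burst of failures followed by a success) and an egress log matched against a sanctioned-domain list to surface shadow IT. The log line formats, user names, hostnames and thresholds are all assumptions made for the example.

```python
"""Detect out-of-norm sign-ins and unsanctioned SaaS use from constructed logs.

Added example for threats 5 and 10 of the article; not code from CSA or
the article. The two logs and their one-record-per-line formats are
constructed for the example, not any product's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log: timestamp user country outcome
SIGNIN_LOG = """\
2020-01-06T08:02:11 alice US success
2020-01-07T08:10:43 alice US success
2020-01-08T09:00:02 bob DE success
2020-01-09T08:55:31 bob DE success
2020-01-10T08:01:17 alice US success
2020-01-15T08:05:09 alice US success
2020-01-15T08:40:12 alice BR success
2020-01-15T09:12:44 bob DE success
2020-01-16T02:30:00 bob DE failure
2020-01-16T02:30:20 bob DE failure
2020-01-16T02:30:41 bob DE success
"""

# Constructed egress log from a proxy or CASB: user destination_host bytes_out
EGRESS_LOG = """\
alice docs.example-saas.com 120394
alice share.unknown-drive.net 84213000
bob mail.example-saas.com 5002
bob paste.random-host.io 73922
"""

SANCTIONED = {"example-saas.com"}          # approved SaaS domains (assumed)
BASELINE_CUTOFF = datetime(2020, 1, 15)   # history before this trains the baseline
TRAVEL_WINDOW = timedelta(hours=1)        # two countries inside this window is impossible travel
FAILURE_WINDOW = timedelta(minutes=5)


def parse_signins(text):
    events = []
    for line in text.splitlines():
        ts, user, country, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "ok": outcome == "success"})
    return events


def baseline_countries(events, cutoff):
    """Per-user set of countries seen in successful sign-ins before cutoff."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["ok"]:
            seen[e["user"]].add(e["country"])
    return seen


def anomalous_signins(events, cutoff=BASELINE_CUTOFF):
    """Return (user, timestamp, reason) for successes after cutoff that break the norm."""
    known = baseline_countries(events, cutoff)   # unknown user -> empty set -> every country is new
    last_ok = {}                                  # user -> (ts, country) of last success
    failures = defaultdict(list)                  # user -> timestamps of failures since last success
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        user = e["user"]
        if not e["ok"]:
            failures[user].append(e["ts"])
            continue
        if e["ts"] >= cutoff:
            if e["country"] not in known[user]:
                alerts.append((user, e["ts"], f"sign-in from new country {e['country']}"))
            prev = last_ok.get(user)
            if prev and prev[1] != e["country"] and e["ts"] - prev[0] < TRAVEL_WINDOW:
                alerts.append((user, e["ts"], f"{prev[1]} then {e['country']} within {TRAVEL_WINDOW}"))
            recent = [t for t in failures[user] if e["ts"] - t < FAILURE_WINDOW]
            if len(recent) >= 2:
                alerts.append((user, e["ts"], f"success after {len(recent)} failures in 5 min"))
        last_ok[user] = (e["ts"], e["country"])
        failures[user] = []
    return alerts


def is_sanctioned(host, sanctioned=SANCTIONED):
    """Exact or subdomain match only, so 'example-saas.com.evil.test' does not pass."""
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def unsanctioned_apps(text, sanctioned=SANCTIONED):
    """Bytes sent per (user, host) to destinations outside the sanctioned list."""
    totals = defaultdict(int)
    for line in text.splitlines():
        user, host, nbytes = line.split()
        if not is_sanctioned(host, sanctioned):
            totals[(user, host)] += int(nbytes)
    return dict(totals)


if __name__ == "__main__":
    for user, ts, reason in anomalous_signins(parse_signins(SIGNIN_LOG)):
        print(f"{ts} {user}: {reason}")
    for (user, host), nbytes in unsanctioned_apps(EGRESS_LOG).items():
        print(f"shadow IT: {user} -> {host} ({nbytes} bytes)")
```

The baseline is trained only on successful sign-ins, so a failed attempt from an unfamiliar country does not teach the model that country is normal. The egress check deliberately aggregates bytes per destination, because volume to an unapproved service is often the first visible sign of the exfiltration that the DLP takeaway in section 11 is concerned with.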

11. Abuse and nefarious use of cloud services

Attackers are increasingly using legitimate cloud services to support their activities. For example, they might use a cloud service to host disguised malware on sites like GitHub, launch DDoS attacks, distribute phishing email, mine digital currency, execute automated click fraud, or carry out a brute-force attack to steal credentials.

The CSA said that cloud service providers should have mitigations in place to prevent and detect abuse such as payment instrument fraud or misuse of cloud services. It’s also important for cloud providers to have an incident response framework in place to respond to misuse and allow customers to report misuse.

CSA’s key takeaways regarding abuse and misuse of cloud services include:

  • Monitor employees’ cloud usage for abuse.
  • Employ cloud data loss prevention (DLP) solutions to monitor and stop data exfiltration.

Copyright © 2020 IDG Communications, Inc.
