The Cloud Security Alliance(CSA), an organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, has released a list of the top threats to cloud computing which it has dubbed “The Egregious Eleven.” The new examines the risks inherent with cloud security and looks at the problems inherent in configuration and authentication, rather than the traditional focus on vulnerabilities and malware.
According to CSA, this year’s report differs from past iterations most noticeably in that many traditional cloud security issues that fall to cloud service providers (CSPs)—denial of service, shared technology vulnerabilities, CSP data loss and system vulnerabilities, etc.—which featured in the previous Treacherous 12, have dropped off the list, suggesting that traditional security issues are either being well addressed or are no longer perceived as a significant business risk of cloud adoption, while those that are the result of senior management decisions around cloud strategy and implementation are of increasing concern.
The list of "egregious eleven" includes:
- Data Breaches
- Misconfiguration and inadequate change control
- Lack of cloud security architecture and strategy
- Insufficient identity, credential, access and key management
- Account hijacking
- Insider threat
- Insecure interfaces and APIs
- Weak control plane
- “Metastructure” and “applistructure” failures
- Limited cloud usage visibility
- Abuse and nefarious use of cloud services
“The complexity of cloud can be the perfect place for attackers to hide, offering concealment as a launch pad for further harm. Unawareness of the threats, risks and vulnerabilities makes it more challenging to protect organizations from data loss. The security issues outlined in this iteration of the Top Threats report, therefore, are a call to action for developing and enhancing cloud security awareness, configuration and identity management,” said John Yeoh, global vice president/research for CSA.
For further information, go to www.cloudsecurityalliance.org.