The Inner Circle

 View Only
Expand all | Collapse all

CxO Trust Newsletter - Top Threats to Cloud Computing Brings to Light New Areas of Focus - May 2022

  • 1.  CxO Trust Newsletter - Top Threats to Cloud Computing Brings to Light New Areas of Focus - May 2022

    Posted May 27, 2022 12:21:00 PM
      |   view attached
    Top Threats to Cloud Computing Brings to Light New Areas of Focus
    Sean Heide, Research Technical Director, CSA

    Cloud computing, as well as the security that surrounds its implementation, is an ever increasingly difficult area for most enterprises to get right. Due to the sheer amount of vendors and products that teams use day to day, it has increased the threat surface for businesses, oftentimes going unaddressed. This could perhaps stem from lack of knowledge on key areas of focus, but one could also argue it is in direct correlation with not understanding what risks lie in the hands of the service provider vs. customer. 

    The Top Threats to Cloud Computing report is a release raising awareness around the top threats, vulnerabilities, and risks in the cloud year over year. With over 700 industry experts surveyed, the top identified areas are then highlighted and expanded upon in order to gain a deeper understanding of the cloud landscape. In this year's report, CSA saw a significant change in the order of threats, as well as some new additions that were not seen in previous years reports. This year's report will be released in June at the CxO Trust Summit at RSAC 2022, so please be on the lookout for the links from the CSA homepage.

    Because of the flexibility of the document, the Top Threats report can be used by teams in a multitude of ways. One which is a comparison analysis of findings from the survey versus your own businesses current cloud implementations. Provided in the document are also business impacts for each threat, as well as key takeaways. These takeaways help get a granular picture on potential mitigations or ways to address the area.

    Lastly, the research group during analysis, has helped the reader combine a control framework when looking through each threat. Mapping each threat to the Cloud Controls Matrix V4 (CCM), readers can begin to understand key impact areas in order to build a game plan for moving forward. Because of the CCM's control objectives spanning across all cloud implementation possibilities, this will provide the reader with a 1 for 1 guidance on remediating their own potential cloud vulnerabilities.

    The following are this years order of cloud top threats:

    Security Issue 1: Insufficient Identity, Credentials, Access, and Key Management, Privileged Accounts
    Identity, credential, access management systems include tools and policies that allow organizations to manage, monitor, and secure access to valuable resources. Examples may consist of electronic files, computer systems, and physical resources, such as server rooms and buildings.

    Security Issue 2: Insecure Interfaces and APIs
    API usage continues to grow in popularity, and securing these interfaces has become paramount. APIs, and similar interfaces, potentially include vulnerabilities due to misconfiguration, coding vulnerabilities, as well as a lack of authentication and authorization among other things. These oversights can potentially leave them vulnerable to malicious activity.

    Common examples include:

    1. Unauthenticated endpoints

    2. Weak authentication
    3. Excessive permissions
    4. Standard security controls disabled
    5. Unpatched systems
    6. Logical design issues
    7. Logging or monitoring disabled

    Security Issue 3: Misconfiguration and Inadequate Change Control

    Misconfigurations are the incorrect or sub-optimal setup of computing assets that may leave them vulnerable to unintended damage or external/internal malicious activity. Lack of system knowledge or understanding of security settings and nefarious intentions can result in misconfigurations.

    Security Issue 4: Lack of Cloud Security Architecture and Strategy
    Cloud security strategy and security architecture encompasses the consideration and selection of cloud deployment models, cloud service models, cloud service providers (CSPs), service region availability zone, specific cloud services, general principles, and pre-determinations.

    Security Issue 5: Insecure Software Development
    Software is complex, with cloud technologies tending to add to the complexity . In that complexity, unintended functionality emerges which could allow for the creation of exploits and likely misconfigurations. Thanks to the accessibility of the cloud, threat actors can leverage these "features" more easily than ever before.

    Security Issue 6: Unsecure Third-Party Resources
    Being vigilant in your decision for which vendors to go with is the first step in protecting your business and following a risk first mindset. Unsecured third party resources can bring into your environment potential security flaws, limited integrations, and lack of oversight. Third party resources must be vetted through security reviews, meeting business requirements, and undergoing annual reviews to make sure they are still meeting specific criteria.

    Security Issue 7: System Vulnerabilities
    System vulnerabilities are flaws in cloud service platforms that are exploited in order to compromise confidentiality, integrity, and availability of data, and disrupt service operations.

    Security Issue 8: Accidental Cloud Data Disclosure
    The complexity of the cloud and a shift to cloud-service ownership, with diverse teams and business units, often leads to a lack of security governance and control. Increasing numbers of configurations for cloud resources in different CSPs make misconfigurations more common, and the lack of transparency into cloud inventory and adequate network exposure can lead to unintentional data leaks.


    Security Issue 9: Misconfiguration and Exploitation of Serverless and Container Workloads
    The migration to cloud infrastructure and adoption of DevOps practices have enabled IT teams to deliver value to the business faster than ever. But managing and scaling the infrastructure and security controls to run their applications is still a significant burden on development teams. It also requires teams used to managing legacy infrastructure on-prem to learn new skills like Infrastructure as Code and cloud security.

    Security Issue 10: Organized Crime, Hackers & APT
    Advanced Persistent Threats (APTs) have established sophisticated tactics, techniques, and protocols (TTPs) to infiltrate their targets. It is not uncommon for APT groups to spend months undetected in a target network, allowing them to move laterally towards highly sensitive business data or assets.

    Security Issue 11: Cloud Storage Data Exfiltration
    Cloud storage data exfiltration is an incident in which sensitive, protected, or confidential information is released, viewed, stolen, or used by an individual outside of the organization's operating environment.

    Ultimately, it is up to the reader to interpret these results and the manner in which they are able to use them. As said earlier, there is no one correct way to utilize the Top Threats report. Gap analysis, risk review, threat modeling, or foundational controls references are some of the few ways in which to lead the direction of thought when diving into this document. Use this as a building block when considering what controls to implement, or perhaps even which threats relate most to your specific situation.

    ------------------------------
    Kasia Chaberski
    Marketing Project Manager
    Cyber Security Alliance
    ------------------------------


  • 2.  RE: CxO Trust Newsletter - Top Threats to Cloud Computing Brings to Light New Areas of Focus - May 2022

    Posted May 30, 2022 12:40:00 PM

    This is a great list of security challenges, however it would be interesting to analyze which ones also exist in a non-cloud environment (and I think it is most of them), and which ones might be *better* addressed by cloud providers, given their size and their business imperatives, than by individual clients with lower limits on their own resources.

     

    The idea that the cloud is less secure is often a myth, and management by paranoia doesn't work well.

     

    This is similar to what happens with availability requirements: people read about a once-in-a-blue-moon outage at a major cloud provider, and say "that's unacceptable to my business, I need 99.99% availability." Then you ask them, "what's your current availability level on premises?" Blank stare... they don't know. Or if they know, it may be 99.5%.

     

    Claude Baudoin

     






  • 3.  RE: CxO Trust Newsletter - Top Threats to Cloud Computing Brings to Light New Areas of Focus - May 2022

    Posted May 31, 2022 07:21:00 AM
    Thanks for the additional insight Claude! It would be correct assume that most cloud threats could be a 1 for 1 when it comes to on prem. The attack vectors will generally stay the same, the only key difference is the ownership and responsibility of response given a specific scenario. 

    The Top Threats report itself will actually also contain cloud responsibility between CSP and customer for each threat and risk area. To dig further into this point, each control mapping to the CCM also has specific guidance for a responsibility matrix. This is something that could be highlighted further into these reports, but we saw it best to give a brief overview, and allow individuals to use the CCM references to dig deeper for an understanding of more control plains.

    ------------------------------
    Sean Heide
    Research Analyst
    CSA
    ------------------------------