If one other thing besides death and taxes is certain, it is that cloud security will remain a key talking point. Whose responsibility is it exactly – and why does the shared responsibility model continue to cause havoc?
Some areas however can be nailed down much more solidly. The Cloud Security Alliance (CSA) has issued what it calls the ‘egregious 11’ in its latest report, giving organisations an up-to-date list of the biggest cloud security concerns to aid better risk management decision making.
Many of the biggest security risks are ones which regular readers of this publication will be more than familiar. Data breaches, insider threats and account hijacking, along with account misconfiguration, are usually at the sharp end of any public snafus, from Capital One in the former, to Facebook in the latter.
As a result, the CSA recommendations are more mantras than anything new. Data is rapidly becoming the primary target for cyberattacks, while data accessible via the Internet is the most vulnerable asset to misconfiguration. Companies need to bring automation into the equation to remediate any misconfiguration issues.
The section subtitled ‘lack of cloud security architecture and strategy’ is an interesting one – and it is here where the report notes the lack of awareness around shared responsibility as key. “The functionality and speed of migration often take precedence over security,” the report notes. “Implementing security architecture and developing a robust security strategy will provide organisations with a strong foundation to operate and conduct business activities in the cloud.
“Leveraging cloud-native tools to increase visibility in cloud environments will also minimise risk and cost. Such precautions, if taken, will significantly reduce the risk of compromise.”
There is some good news, however. The previous report from the CSA focused around what it called the ‘treacherous 12’. Even for those with a less-than-stellar grasp of mathematics, it is worth noting things are going in the right direction, albeit slowly.
The report argues that many traditional cloud security issues which fall to vendors are no longer seen as a major threat. These include denial of service, shared technology vulnerabilities, and CSP data loss.
Yet while these areas can be seen as being well addressed, the other interpretation is that security issues which are the result of management decisions around cloud strategy and implementation are of much more concern.
“The complexity of cloud can be the perfect place for attackers to hide, offering concealment as a launchpad for further harm,” said John Yeoh, CSA global vice president of research. “Unawareness of the threats, risks and vulnerabilities makes it more challenging to protect organisations from data loss.
“The security issues outlined in this iteration of the report, therefore, are a call to action for developing and enhancing cloud security awareness, configuration and identity management,” Yeoh added.
You can download and read the full report here (email required).
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.