Trouble here, trouble there, it’s trouble, trouble everywhere in cloud security in 2022. We all know that, but the Cloud Security Alliance (CSA) spells out exactly where the security thunderstorms are today.
- Insufficient identity, credential, access, and key management (#4)
- Insecure interfaces and APIs (#7)
- Misconfiguration and inadequate change control (#2)
- Lack of cloud security architecture and strategy (#3)
- Insecure software development
- Unsecure third-party resources
- System vulnerabilities
- Accidental cloud data disclosure/disclosure
- Misconfiguration and exploitation of serverless and container workloads
- Organized crime/hackers/APT
- Cloud storage data exfiltration
Those numbers at the end? They’re where these problems were rated in CSA’s 2019 survey. Yes, there have been many changes.
Concerns Under User Control
In no small part, that’s because the CSA thinks this marked departure from more generic threats, risks, and vulnerabilities, such as data loss and denial of service, is because cloud and security administrators are more aware of the differences between commonplace security concerns and ones that are truly cloud-based.
Another aspect of it is, if you look closely, that most of these concerns are issues that are directly in the user’s control. These include identity and access management (IAM), cryptography, configuration management, and poor coding practices Users are realizing the burden of securing clouds is now falling on them as well as the cloud provider.
Of course, it doesn’t all fall on users. Number two, user interfaces and application programming interfaces (APIs) are the responsibilities of cloud providers and software providers. As John Yeoh, CSA Global VP of Research, pointed out, “Considering that user interfaces and APIs are the modern way to consume services, it’s concerning that there are still significant challenges when it comes to securing these features.”
After all, Yeoh continued, “The cloud, with its complexity, is the perfect place for attackers to hide and an ideal launchpad for attacks. Add to that the fact that insider threats make it more challenging to protect organizations from data loss and it becomes clear that more industry attention and research is required.”
In addition, insecure software development and third-party software resources, underline that cloud CxOs are painfully aware of the security holes that come with code that doesn’t have software supply chain security.
The laundry list of cloud misconfiguration problems is also concerning. They include:
- Unsecured data storage elements or containers,
- Excessive permissions,
- Default credentials and configuration settings are left unchanged,
- Standard security controls are disabled,
- Unpatched systems,
- Logging or monitoring disabled,
- Unrestricted access to ports and services,
- Unsecured Secrets
It just goes on and on. There’s no surprise that the CSA and other cloud security organizations such as Fugue have found that cloud resource misconfiguration is a leading cause of data breaches.
Security Is Job One
What it all boils down to is as Jon-Michael C. Brook, co-chair of the Top Threats Working Group, and one of the paper’s lead authors, pointed out, “Collectively, these security issues are a call to action for developing and enhancing cloud security awareness, configuration, and identity management. As cloud business models and security tactics evolve, there is an even greater need to address security issues that are situated higher up the technology stack and are the result of senior management decisions.”
In other words, security needs to become job number one for the C-suite officers. They must hire more people to properly secure their clouds. Even with automated tools, there are not enough resources being brought to bear on securing clouds.