Using the cloud to host your business’s data, applications, and other assets offers several benefits in terms of management, access, and scalability. But the cloud also presents certain security risks. Traditionally, those risks have centered on areas such as denial of service, data loss, malware, and system vulnerabilities. A report released Tuesday by the Cloud Security Alliance argues that the latest threats in cloud security have now shifted to decisions made around cloud strategy and implementation.

Based on a survey of 241 industry experts on security issues in the cloud industry, the CSA’s report Top Threats to Cloud Computing: The Egregious 11 focused on 11 notable threats, risks, and vulnerabilities in cloud environments. For each threat described, the report highlights the business impact, specific examples, and recommendations in the form of key takeaways.


1. Data breaches

A data breach can be any cybersecurity incident or attack in which sensitive or confidential information is viewed, stolen, or used by an unauthorized individual.

Business Impact

  • Data breaches can damage a company’s reputation and foster mistrust from customers and partners.
  • A breach can lead to the loss of intellectual property (IP) to competitors, impacting the release of a new product.
  • Regulatory implications may result in financial loss.
  • Impact to a company’s brand could affect its market value.
  • Legal and contractual liabilities may arise.
  • Financial expenses may occur as a result of incident response and forensics.

Key Takeaways and Recommendations

  • Defining the business value of data and the impact of its loss is essential for organizations that own or process data.
  • Protecting data is evolving into a question of who has access to it.
  • Data accessible via the Internet is the most vulnerable asset for misconfiguration or exploitation.
  • Encryption techniques can protect data but can also hamper system performance and make applications less user-friendly.
  • A robust and well-tested incident response plan that considers the cloud provider and data privacy laws can help data breach victims recover.

2. Misconfiguration and inadequate change control

Misconfiguration occurs when computing assets are set up incorrectly, leaving them vulnerable to malicious activity. Some examples of misconfiguration include unsecured data storage elements or containers, excessive permissions, unchanged default credentials and configuration settings, standard security controls left disabled, unpatched systems and logging or monitoring left disabled, and unrestricted access to ports and services.

Business Impact

The business impact depends on the nature of the misconfiguration and how quickly it is detected and resolved. The most common issue is the exposure of data stored in cloud repositories.

Key Takeaways and Recommendations

  • As cloud-based resources can be complex and dynamic, they can prove challenging to configure.
  • Traditional controls and approaches for change management are not effective in the cloud.
  • Companies should embrace automation and use technologies that continuously scan for misconfigured resources and remediate problems in real time.
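
As an added illustration of the automated scanning recommended above (not code from the CSA report), the sketch below checks a constructed, provider-neutral inventory for several of the misconfiguration types listed in this section. The field names, the finding labels, and the `ADMIN_PORTS` set are assumptions made for the example, not a real cloud API schema.

```python
import ipaddress

# Assumed set of admin/database ports that should never be world-reachable.
ADMIN_PORTS = {22, 3389, 3306, 5432}

def world_open(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def check(resource):
    """Return the misconfiguration categories found on one resource."""
    found = []
    kind = resource["kind"]
    if kind == "bucket" and resource.get("public"):
        found.append("unsecured-storage")
    actions = resource.get("actions", [])
    if kind == "role" and any(a == "*" or a.endswith(":*") for a in actions):
        found.append("excessive-permissions")
    if resource.get("credential_is_default"):
        found.append("default-credentials")
    if not resource.get("logging", True):
        found.append("logging-disabled")
    for rule in resource.get("ingress", []):
        exposed = [p for p in ADMIN_PORTS if rule["from_port"] <= p <= rule["to_port"]]
        if world_open(rule["cidr"]) and exposed:
            found.append("unrestricted-port-access")
            break
    return found

def scan(inventory):
    """Map resource id -> findings, leaving out clean resources."""
    return {r["id"]: f for r in inventory if (f := check(r))}

# Constructed sample inventory; field names are hypothetical, not a provider schema.
INVENTORY = [
    {"id": "bucket-logs", "kind": "bucket", "public": True, "logging": False},
    {"id": "bucket-private", "kind": "bucket", "public": False, "logging": True},
    {"id": "role-ci", "kind": "role", "actions": ["storage:*"]},
    {"id": "role-reader", "kind": "role", "actions": ["storage:GetObject"]},
    {"id": "fw-db", "kind": "firewall",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535}]},
    {"id": "fw-web", "kind": "firewall",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
                 {"cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22}]},
    {"id": "db-1", "kind": "database", "credential_is_default": True},
]

if __name__ == "__main__":
    print(scan(INVENTORY))
```

Run on a schedule against a fresh inventory export, a check like this surfaces drift between change windows; remediation would hang off the finding labels.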

3. Lack of cloud security architecture and strategy

As companies migrate parts of their IT infrastructure to the public cloud, one of the largest challenges is implementing the proper security to guard against cyber attacks. Assuming that you can just “lift and shift” your existing, internal IT stack and security controls to the cloud can be a mistake.

Business Impact

Proper security architecture and strategy are required for securely moving, deploying, and operating in the cloud. Successful cyberattacks due to weak security can lead to financial loss, reputational damage, legal repercussions, and fines.

Key Takeaways and Recommendations

  • Make sure that security architecture aligns with your business goals and objectives.
  • Develop and implement a security architecture framework.
  • Ensure that the threat model is kept up to date.
  • Bring continuous visibility into the actual security posture.

4. Insufficient identity, credential, access and key management

Security incidents and breaches can occur due to the inadequate protection of credentials, a lack of regular automated rotation of cryptographic keys and passwords, a lack of scalable identity and credential management systems, a failure to use multifactor authentication, and a failure to use strong passwords.

Business Impact

Insufficient identity, credential, or key management can enable unauthorized access to data. As a result, malicious actors masquerading as legitimate users can read, modify, and delete data. Hackers can also issue control plane and management functions, snoop on data in transit, and release malware that appears to come from a legitimate source.

Key Takeaways and Recommendations

  • Secure accounts, including with two-factor authentication, and limit the use of root accounts.
  • Practice the strictest identity and access controls for cloud users and identities.
  • Segregate and segment accounts, virtual private clouds (VPCs), and identity groups based on business needs and the principle of least privilege.
  • Rotate keys, remove unused credentials and privileges, and employ central and programmatic key management.
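
The recommendations above can be checked programmatically. The following added example (not taken from the CSA report) audits constructed identity records for missing two-factor authentication, root access keys, unused keys, and keys overdue for rotation; the record fields and both thresholds are assumptions chosen for illustration.

```python
from datetime import date

MAX_KEY_AGE_DAYS = 90    # assumed rotation window
UNUSED_AFTER_DAYS = 45   # assumed idle period before a key counts as unused

def audit_identity(ident, today):
    """Return hygiene issues for one identity record."""
    issues = []
    keys = ident.get("access_keys", [])
    if ident.get("is_root") and keys:
        issues.append("root-has-access-keys")
    if ident.get("console_access") and not ident.get("mfa"):
        issues.append("no-mfa")
    for key in keys:
        last = key.get("last_used")
        if last is None or (today - last).days > UNUSED_AFTER_DAYS:
            # Never used, or idle too long: candidate for removal.
            issues.append("remove-unused-key:" + key["id"])
        elif (today - key["created"]).days > MAX_KEY_AGE_DAYS:
            # Still in use but older than the rotation window.
            issues.append("rotate-key:" + key["id"])
    return issues

def audit(identities, today):
    """Map identity name -> issues, leaving out clean identities."""
    return {i["name"]: found for i in identities
            if (found := audit_identity(i, today))}

# Constructed sample records; field names are hypothetical, not a provider schema.
TODAY = date(2024, 1, 31)
IDENTITIES = [
    {"name": "root", "is_root": True, "console_access": True, "mfa": True,
     "access_keys": [{"id": "k-root", "created": date(2023, 1, 1),
                      "last_used": date(2024, 1, 30)}]},
    {"name": "alice", "console_access": True, "mfa": False},
    {"name": "svc-backup", "console_access": False, "access_keys": [
        {"id": "k-old", "created": date(2023, 6, 1), "last_used": None},
        {"id": "k-new", "created": date(2024, 1, 10), "last_used": date(2024, 1, 29)}]},
    {"name": "bob", "console_access": True, "mfa": True, "access_keys": [
        {"id": "k-bob", "created": date(2023, 12, 1), "last_used": date(2023, 12, 5)}]},
    {"name": "carol", "console_access": True, "mfa": True},
]

if __name__ == "__main__":
    for name, issues in audit(IDENTITIES, TODAY).items():
        print(name, issues)
```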

5. Account hijacking

Through account hijacking, attackers gain access to and abuse accounts that are highly privileged or sensitive. In cloud environments, the accounts at greatest risk are cloud service accounts or subscriptions.

Business Impact

  • As account hijacking implies full compromise and control of an account, business logic, function, data, and applications reliant on the account can all be at risk.
  • The fallout from account hijacking can be severe. Some recent breach cases have led to significant operational and business disruptions, including the complete elimination of assets, data, and capabilities.
  • Account hijacking can trigger data leaks that lead to reputational damage, brand value degradation, legal liability exposure, and sensitive personal and business information disclosures.

Key Takeaways and Recommendations

  • Account hijacking is a threat that must be taken seriously.
  • Defense-in-depth and IAM controls are key in mitigating account hijacking.

6. Insider threats

Insiders don’t have to break through firewalls, virtual private networks (VPNs), and other security defenses and instead operate on a trusted level where they can directly access networks, computer systems, and sensitive data.

Business Impact

  • Insider threats can result in the loss of proprietary information and intellectual property.
  • System downtime associated with insider attacks can impact company productivity.
  • Data loss can reduce confidence in company services.
  • Dealing with insider security incidents requires containment, remediation, incident response, investigation, post-incident analysis, escalation, monitoring, and surveillance, all of which can add to a company’s workload and security budget.

Key Takeaways and Recommendations

  • Take measures to minimize insider negligence to mitigate the consequences of insider threats.
  • Provide training to your security teams to properly install, configure, and monitor your computer systems, networks, mobile devices, and backup devices.
  • Provide training to your regular employees to inform them how to handle security risks, such as phishing and protecting corporate data they carry outside the company on laptops and mobile devices.
  • Require strong passwords and frequent password updates.
  • Inform employees of repercussions related to engaging in malicious activity.
  • Routinely audit servers in the cloud and on-premises, and then correct any changes from the secure baseline set across the organization.
  • Make sure that privileged access security systems and central servers are limited to a minimum number of employees, and that these individuals include only those with the training to handle the administration of mission-critical computer servers.
  • Monitor access to all computer servers at any privilege level.

7. Insecure interfaces and APIs

APIs (Application Programming Interfaces) and UIs (User Interfaces) are typically the most exposed parts of a system, often the only asset with a public IP address available outside the trusted boundary. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent security.

Business Impact

Though most cloud providers try to integrate security into their models, cloud customers must also understand the security implications. A weak set of interfaces and APIs exposes organizations to various security issues related to confidentiality, integrity, availability, and accountability.

Key Takeaways and Recommendations

  • Practice good API hygiene. This includes the diligent oversight of items such as inventory, testing, auditing, and abnormal activity protections.
  • Ensure the proper protection of API keys and avoid reuse.
  • Consider using standard and open API frameworks (e.g., Open Cloud Computing Interface (OCCI) and Cloud Infrastructure Management Interface (CIMI)).

8. Weak control plane

The control plane enables the security and integrity to complement the data plane, which provides the stability of the data. A weak control plane means the person in charge is not in full control of the data infrastructure’s logic, security, and verification.

Business Impact

  • A weak control plane could result in data loss, either by theft or corruption. Regulatory punishment for data loss may be incurred as well.
  • With a weak control plane, users may also be unable to protect their cloud-based business data and applications.

Key Takeaways and Recommendations

  • Adequate security controls provided through a cloud provider are necessary so that cloud customers can fulfill their legal and statutory obligations.
  • Cloud customers should perform due diligence and determine if the cloud service they intend to use possesses an adequate control plane.

9. Metastructure and applistructure failures

Potential failures exist at multiple levels in the metastructure and applistructure model. For example, poor API implementation by the cloud provider offers attackers an opportunity to disrupt cloud customers by interrupting confidentiality, integrity, or availability of the service.

Business Impact

Metastructure and applistructure are critical components of a cloud service. Failures involving these features at the cloud provider level can severely impact all service consumers. At the same time, misconfigurations by the customer could disrupt the user financially and operationally.

Key Takeaways and Recommendations

  • Cloud providers must offer visibility and expose mitigations to counteract the cloud’s inherent lack of transparency for customers.
  • Cloud customers should implement appropriate features and controls in cloud native designs.
  • All cloud providers should conduct penetration testing and provide findings to customers.

10. Limited cloud usage visibility

Limited cloud usage visibility occurs when an organization does not have the ability to visualize and analyze whether cloud service use within the organization is safe or malicious.

Business Impact

  • Lack of governance. When employees are unfamiliar with proper access and governance controls, sensitive corporate data can be placed in public access locations vs. private access locations.
  • Lack of awareness. When data and services are in use without the knowledge of the company, the company is unable to control its IP. That means the employee has the data, not the company.
  • Lack of security. When an employee incorrectly sets up a cloud service, it can become exploitable not only for the data that resides on it but for future data. Malware, botnets, cryptocurrency mining malware, and more can compromise cloud containers, putting organizational data, services, and finances at risk.

Key Takeaways and Recommendations

  • Mitigating these risks starts with the development of a complete cloud visibility effort from the top down. This process usually starts with creating a comprehensive solution that ties into people, process, and technology.
  • Mandate company-wide training on accepted cloud usage policies and enforcement.
  • All non-approved cloud services should be reviewed and approved by the cloud security architect or third-party risk management.
  • Invest in solutions like cloud access security brokers (CASB) or software defined gateway (SDG) to analyze outbound activities and help discover cloud usage, at-risk users, and to follow the behavior of credentialed employees to identify anomalies.
  • Invest in a web application firewall (WAF) to analyze all inbound connections to your cloud services for suspicious trends, malware, distributed denial-of-service (DDoS), and Botnet risks.
  • Select solutions that are specifically designed to monitor and control all of your key enterprise cloud applications (enterprise resource planning, human capital management, commerce experience, and supply chain management) and ensure suspicious behaviors can be mitigated.
  • Implement a zero-trust model across your organization.

11. Abuse and nefarious use of cloud services

Malicious actors may leverage cloud computing resources to target users, organizations, or other cloud providers, and can also host malware on cloud services. Some examples of the misuse of cloud resources include: launching DDoS attacks, email spam and phishing campaigns, “mining” for digital currency, large-scale automated click fraud, brute-force attacks of stolen credential databases, and hosting of malicious or pirated content.

Business Impact

  • If an attacker has compromised the management plane of a customer’s cloud infrastructure, the attacker can use the cloud service for illicit purposes while the customer foots the bill. The bill could be substantial if the attacker consumed substantial resources, such as mining cryptocurrency.
  • Attackers can also use the cloud to store and propagate malware. Enterprises must have controls in place to deal with these new attack vectors. This may mean procuring security technology that can monitor cloud infrastructure or API calls from and to the cloud service.

Key Takeaways and Recommendations

  • Enterprises should monitor their employees in the cloud, as traditional mechanisms are unable to mitigate the risks posed by cloud service usage.
  • Employ cloud data loss prevention (DLP) technologies to monitor and stop any unauthorized data exfiltration.

“The complexity of cloud can be the perfect place for attackers to hide, offering concealment as a launchpad for further harm,” John Yeoh, global vice president of research for CSA, said in a press release. “Unawareness of the threats, risks and vulnerabilities makes it more challenging to protect organizations from data loss. The security issues outlined in this iteration of the Top Threats report, therefore, are a call to action for developing and enhancing cloud security awareness, configuration and identity management.”
