More data and applications are moving to the cloud, which creates unique infosecurity challenges. Here are the “Egregious 11,” the top security threats organizations face when using cloud services.
Cloud computing continues to transform the way organizations use, store, and share data, applications, and workloads. It has also introduced a host of new security threats and challenges. With so much data going into the cloud—and into public cloud services in particular—these resources become natural targets for bad actors.
“The volume of public cloud utilization is growing rapidly, so that inevitably leads to a greater body of sensitive stuff that is potentially at risk,” says Jay Heiser, vice president and cloud security lead at Gartner, Inc.
Contrary to what many might think, the main responsibility for protecting corporate data in the cloud lies not with the service provider but with the cloud customer. “We are in a cloud security transition period in which focus is shifting from the provider to the customer,” Heiser says. “Enterprises are learning that huge amounts of time spent trying to figure out if any particular cloud service provider is ‘secure’ or not has virtually no payback.”
To provide organizations with an up-to-date understanding of cloud security concerns so they can make educated decisions regarding cloud adoption strategies, the Cloud Security Alliance (CSA) has created the latest version of its Top Threats to Cloud Computing: Egregious Eleven report. The report, released in September, lists the top cloud threats that occurred in 2019.
The report reflects the current consensus among security experts in the CSA community about the most significant security issues in the cloud. While there are many security concerns in the cloud, CSA says, this list focuses on 11 specifically related to the shared, on-demand nature of cloud computing.
To identify the top concerns, CSA conducted a survey of industry experts to compile professional opinions on the greatest security issues within cloud computing. Here are the top cloud security issues (ranked in order of severity per survey results):
1. Data breaches
The threat of data breaches retains its number one ranking in the survey from last year. It’s easy to see why. Breaches can cause great reputational and financial damage. They could potentially result in loss of intellectual property (IP) and significant legal liabilities.
CSA’s key takeaways regarding the data breach threat include:
- Attackers want data, so businesses need to define the value of its data and the impact of its loss.
- Who has access to data is a key question to resolve to protect it.
- Internet-accessible data is the most vulnerable to misconfiguration or exploitation.
- Encryption can protect data, but with a trade-off in performance and user experience.
- Businesses need robust, tested incident response plans that take cloud service providers into account.
2. Misconfiguration and inadequate change control
This is a new threat to the CSA list, and not surprising given the many examples of businesses accidently exposing data via the cloud. For example, CSA cites the Exactis incident where the provider left an Elasticsearch database containing personal data of 230 million US consumers publicly accessible due to misconfiguration. Just as damaging was the case where Level One Robotics exposed IP belonging to more than 100 manufacturing companies thanks to a misconfigured backup server.