2 egregious cloud security threats the CSA missed

My interesting weekend reading was this Cloud Security Alliance (CSA) report, which was vendor sponsored, highlighting 11 cloud security threats that should be on top of everyone’s mind. These threats are described as “egregious.”

CSA surveyed 241 experts on security issues in the cloud industry and came up with these top 11 threats:

  1. Data breaches
  2. Misconfiguration and inadequate change control
  3. Lack of cloud security architecture and strategy
  4. Insufficient identity, credential, access, and key management
  5. Account hijacking
  6. Insider threat
  7. Insecure interfaces and APIs
  8. Weak control plane
  9. Metastructure and applistructure failures
  10. Limited cloud usage visibility
  11. Abuse and nefarious use of cloud services

This is a pretty good report, by the way. It’s free to download, and if you’re interested in the evolution of cloud computing security, it’s a good read.  

However, no report can be so comprehensive that it lists all threat patterns, or even derivatives to the threat patterns listed. I have a couple to add that I’m seeing over and over again.

  1. Lack of proactive cloud monitoring systems joined at the hip with cloud security systems.

By the time attacks are identified they often do not look like attacks. Some tool watches something change over time, such as CPU and storage system saturation, and a non-security-focused ITops tool, such as an AIops tool, spots the issue. There needs to be a way for that alert to be shared with the cloud security system so it can take evasive action using automation.

I’ve heard too many stories of attacks using any number of vectors that were discovered by an ITops tool and not by the security system. The reality is that security is systemic to all that is cloud, including usage and performance monitoring, governance systems, database monitoring, etc. Chances are these systems will pick up the shenanigans before the security system knows what’s going on. This is why the various systems need to be integrated and talk to each other. Most are not these days.

Copyright © 2020 IDG Communications, Inc.