10 Essential Processes for Reducing the Top 11 Cloud Risks
The Cloud Security Alliance's "Pandemic 11" cloud security challenges can be addressed by putting the right processes in place.
COMMENTARY
It's an old trope by now that anyone not moving to the cloud is falling behind. As a result, cloud security has been on the list of "hot new trends" for the past few years with no sign of abating.
In 2020, the National Security Agency (NSA) suggested that cloud misconfigurations are by far the biggest threat to cloud security. Crowdstrike's "2023 Global Threat Report" (login required) named "continued rise of cloud exploitation" as one of its top five themes for 2024. And Palo Alto Networks recently listed "cloud security and identity access management" as one of its top five concerns this year. Cloud migration and transformation are on every company's agenda, even though cloud security is rarely funded sufficiently from the outset. (Apparently, we are destined to learn the same lessons over and over again).
Top 11 Cloud Security Threats
The Cloud Security Alliance (CSA) is a nonprofit organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. In 2022 and 2023, it surveyed experts to identify the top cloud challenges and cloud threats, which it calls the Pandemic 11 (login required):
Insufficient identity, credentials, access, and key management
Insecure interfaces and application programming interfaces (APIs)
Misconfiguration and inadequate change control
Lack of cloud security architecture and strategy
Insecure software development
Unsecured third-party resources
System vulnerabilities
Accidental cloud data disclosure
Misconfiguration and exploitation of serverless and container workloads
Organized crime, hackers, and advanced persistent threats (APTs)
Cloud storage data exfiltration
These are a grab bag of threat actors and attack vectors that creates an overlapping and nonexhaustive framework, but it's still a useful lens into the minds of survey participants. In 2023, the CSA mapped major breaches (Okta, Dropbox, Department of Defense, Uber, Lastpass, Log4j, Codecov, Cozybear, and GeneralBytes) and identified some combination of the 11 at work in these attacks.
Over the past few years, we have seen misconfigurations resulting in data leaks at all the major cloud storage options. Fortunately, as KnowBe4's Roger Grimes points out, several of the issues we expected to be problematic several years ago have not (yet) been issues, including tenant collisions, cloud-based malware, virtual machine client-to client/host attacks, undeletions, and data ownership issues. That said, there is more than enough to keep everyone busy — if not overwhelmed.
10 Ways to Defend Against the Pandemic 11
So, what can we do differently? This list is neither exhaustive nor simple, but these are some effective strategies we've seen in practice:
Build a serious identity program. Many companies have been investing in identity security tools for years but are not putting enough energy into building the identity environment they need and want. It is a serious commitment and requires serious resource investment. Gartner advises "[selecting] the right key-management-as-a-service to mitigate cloud data security challenges. Stay compliant and retain control over your cloud data irrespective of where it resides."
Ensure teams use an API integration platform-as-a-service (PaaS) to secure your interfaces and APIs and provide appropriate management and oversight.
Audit your configurations regularly as part of a robust change and control management process. Document the process and make sure teams know and follow it.
Spend the time to design a desired future-state architecture and strategy. Establish metrics to enable accountability and update them regularly. Unfortunately, the standard practice of amassing cloud infrastructure without a plan inevitably results in waste, unforeseen expenses, and utilization costs that far exceed expectations.
Involve security at the start of your software development life cycle (SDLC) (as everyone has been saying for the last 20 years).
Build automated processes to verify the security of third parties. Third-party risk management has been around for a long time, and there are many tools to manage it. The issue is having the willingness and time to run the relevant processes and audit the appropriate resources. As organizations now realize, third-party source code and libraries pose tremendous risk to development.
Automate vulnerability management programs to include patching, and link it closely to asset management. Vulnerability management is only as good as your asset and configuration inventories and management programs. It's way past time to elevate IT asset management to a major pillar and steadily improve its function.
Audit, audit, audit. The cloud provides many efficiencies — but it's also significantly easier to accidentally leak data. Organizations need robust education programs, IT auditing initiatives, legal planning, and so forth.
Ensure security oversight over serverless and container environments. While serverless and containers may make IT management more cost effective, they also make it more opaque to security. Security teams need resources dedicated to these resources.
Continue to invest in threat hunting, and get to know the government agencies that can help if you encounter organized crime or a potential APT. Few organizations have appropriate resources to combat true persistent threats, but the CISA has dramatically scaled up its support services.
Processes Can Address Cloud Threats
My colleague Justin Whitaker recently extolled "The Lost Art of Platform Architecture Design Documentation." He wrote:
"Design and architecture diagrams are table-stakes for organizations with mature cyber risk management programs. A variety of common security assessments (e.g., system architecture reviews, system security plans, and threat modeling) require design and architecture documents. The alternative to comprehensive design documentation includes lengthy security questionnaires and multiple data gathering sessions with security teams to tease out all the needed information, much of which would otherwise be captured in a design plan."
This could not be truer for the cloud. Design and architecture documentation enable a starting point for process development. All 11 of the CSA's cloud threats can be addressed by the right processes. It's far past time to get going in a serious way.
About the Author
You May Also Like