Cloud computing provides business benefits, like cost and efficiency gains and scalability. But it comes with security risks, if companies don’t take business-level security policies and best practices into account.
“The cloud is understood now,” said Jon-Michael Brook, CSA research fellow and working group co-chair. “What’s happening now is the threats are moving up the stack. Instead of simply renting computers in an IaaS [infrastructure-as-a-service] environment from AWS or GCP, you’re moving up to some of the platform-as-a-service issues.”
Passwords, he said, are the perfect example. This is also the no. 2 cloud security threat in the report: insufficient identity, credential, and access management. Weak passwords, companies not using multifactor authentication, and a lack of ongoing automated rotation of cryptographic keys, passwords, and certificates leads to data breaches and attacks, it says.
“Why aren’t you using multi-factor authentication? As we get a safer cloud, a better cloud, the threats are moving up the stack to application security, APIs, securing access to the actual control panels,” Brook said. “Best practice 10 years ago was a strong password. Now everybody has an encryption token in their pocket.”
This echoes a finding in a recent SDxCentral survey that asked respondents what security issues they were currently experiencing. Only 26 percent indicated “securing cloud environments” was a concern, down from 37 percent in 2016.
However, 40 percent said “data privacy and security” was a top security concern, and 29 percent identified “application security.” Both of these apply to workloads in on-premises data centers as well as cloud-native ones.
Advanced persistent threats, or APTs, wasn’t listed in the earlier 2013 version of the CSA threat report. These, according to the new paper, are a “parasitical form of cyberattack that infiltrates systems to establish a foothold in the computing infrastructure of target companies from which they smuggle data and intellectual property.”
“APTs are something that’s going to be a problem in the cloud or in the enterprise,” Brook said. “But the tenants of cloud, the always-on network access, just makes it easier for someone to go through and poke against these systems. If you have weak credential management processes, you’re going to get popped.”
Cloud Security Business Impacts
The report also details the business impacts of each security risk. So, for example, weak software user interfaces (UIs) or application programming interfaces (APIs) expose businesses to risks related to confidentiality, integrity, and accountability.
This is designed to give security analysts and engineers an additional tool to justify the security spending, Brook said.
“The whole point of this document is getting the decisions makers up the stack to sign up for additional budgets,” he explained. “You need justification. If you’re going to follow someone’s cloud first mantra, you need to have a rationale as to why you don’t just throw a password on to a system, why you don’t just accept that the APIs are secure.”
The CSA also created industry-wide standards for cloud security. Each of the 12 threats detailed in the new report includes a list of related CSA standards designed to reduce the risk. The organization is also working on another paper targeting engineers scheduled for publication in 2018. “Think: attack chains and mitigation steps,” Brook said.