11 vulnerabilities in the cloud that keep customers up at night

As the cloud expands with more applications, data, and business processes, end users can also outsource their security to vendors.

According to an industry survey, many companies feel the need to control security and not give the ultimate responsibility to cloud service providers. The Cloud Security Alliance, which released its survey of 241 industry experts, identified 11 cloud security issues.

The survey authors point out that many of this year’s most pressing issues place the security burden on enterprise end-users, rather than on service providers. “We have noticed a decline in the ranking of traditional cloud security issues under the responsibility of cloud service providers. Issues such as denial of service, vulnerabilities in shared technology, data loss, and vulnerabilities in the cloud provider system, which were all featured in the previous report “Treacherous 12,” were rated very low so they are not included in this report.These deletions suggest that traditional security issues are the responsibility of cloud service providers seem to be less concerned. Instead, we find it more necessary to address security issues that are higher up in the technology stack and as a result of decisions made by management. »

These results are in line with another recent survey, from Forbes Insights and VMware, which found that active companies resist the temptation to outsource security to their cloud service providers-only 31% of executives say they outsource many security measures. to cloud service providers. But 94% of them use cloud services for some aspect of security.

The main concerns in 2022

The latest report from the Cloud Security Alliance highlights this year’s key concerns:

  • Data Violations. “Data is becoming the primary target of cyberattacks,” the report’s authors pointed out. “Determining the business value of data and the impact of its loss is very important to organizations that own or process data. Furthermore,” data protection is evolving towards the question of who has access to it “, they added. “Encryption techniques can help protect data, but they negatively affect system performance while making applications less user-friendly.»
  • Poor configuration and insufficient change control. “Cloud-based resources are very complex and dynamic, making it difficult to configure them. Traditional control and change management techniques are not effective in the cloud. According to the authors, “Businesses should embrace automation and use technologies that continuously analyze unconfigured resources and remediate issues in real time.”
  • Lack of cloud security architecture and strategy. “Make sure the security architecture is in line with the goals and objectives of the business. Develop and implement a security architecture framework. »
  • Inadequate management of identities, credentials, access and keys. “Secure accounts, including two-factor authentication and limited use of root accounts. Implement the strictest identity and access controls for users and cloud identities. »
  • Account hijacking. This is a threat that must be taken seriously. “IAM has deep defense and control [Identity and Access Management, NDLR] is critical to mitigating account hijacking. »
  • Internal threats. “Taking steps to reduce insider negligence can help reduce the consequences of insider threats. Train your security teams so they can properly install, configure, and monitor your computer systems. , network, mobile device, and backup device.The authors also recommend “regularly educating employees about training. Provide training to your employees to teach them how to manage security risks, such as phishing and protecting corporate data they carry outside the company on laptops and mobile devices ”.
  • Insecure interfaces and APIs. “Practice good hygiene with the API. Best practices include diligent monitoring of items such as inventory, testing, audits, and precautions against abnormal activity. Additionally, “consider using common and open API frameworks (e.g., Open Cloud Computing Interface (OCCI) and Cloud Infrastructure Management Interface (CIMI)”.
  • Poor control plane. “The cloud customer must do their due diligence and determine if the cloud service they intend to use has an adequate control plane. »
  • Metastructure and applistructure failures. “Cloud service providers need to provide visibility and expose simplifications to combat the inherent lack of transparency of the cloud for tenants. All vendors must conduct penetration testing and provide the results to customers. »
  • Cloud usage visibility is limited. “Risk reduction begins with developing a comprehensive effort on top-down cloud visibility. Implement company -wide training on accepted cloud usage policies and their implementation. All unapproved cloud services must be reviewed and approved by a cloud security architect or third party risk management. »
  • Abuse and misuse of cloud services. “Companies need to monitor their employees in the cloud, because traditional mechanisms are not able to mitigate the risks posed by using cloud services.»

Source: ZDNet.com

Leave a Comment