At the Black Hat USA conference this week the Cloud Security Alliance published a report identifying what it describes to be the 11 most egregious threats to cloud computing.
The 11 most egregious threats as ranked in order by significance according to the CSA are:
- Data Breaches
- Misconfiguration and inadequate change control
- Lack of cloud security architecture and strategy
- Insufficient identity, credential, access and key management
- Account hijacking
- Insider threat
- Insecure interfaces and APIs
- Weak control plane
- Metastructure and applistructure failures
- Limited cloud usage visibility
- Abuse and nefarious use of cloud services
None of these issues are likely to surprise most cybersecurity professionals. And yet, organizations of all sizes continue to be routinely tripped up by them. More challenging still, John Yeoh, global vice president of research for the CSA, says that as organizations begin to rely more on emerging cloud-native technologies such as Docker containers and Kubernetes, the probability one mistake or another will lead result in a major breach is only increasing. The issue is the not the security of the platforms themselves, but rather a lack of mature processes to ensure, for example, that any one of the components that make up a cloud platform has not been inadvertently misconfigured, notes Yeoh.
The opportunity for further mistakes to be made increases as the number of types of cloud computing frameworks employed expands. Most organizations today are already having more than enough trouble securing the monolithic applications on top of virtual machines running in the cloud. As the percentage of applications that employ either containers or serverless computing frameworks starts to increase, each one of these frameworks adds additional application programming interfaces (APIs) that need to be secured.Each additional container or serverless computing framework adds additional application programming interfaces (APIs) that need to be secured. Click To Tweet
Organizations that embrace containers to become more agile quickly also quickly discover their IT environment now consists of thousands of containers, each one of which needs to be continuously monitored to ensure no vulnerable code has been either inadvertently or purposefully encapsulated within a container.
The CSA is recommending that organizations more aggressively embrace best DevSecOps practices to mitigate potential threats to cloud computing environments. The challenge is that change comes slowly to most IT organizations, especially given the amount of love that have been lost over the years between developers and cybersecurity professionals. Despite the rise of DevSecOps practices, many cybersecurity professionals are going to find it very difficult to trust developers to do the right thing in terms of embedding cybersecurity controls within their applications. Given the chronic shortage of cybersecurity talent there may be no alternative. Cybersecurity professionals would, nevertheless, be well advised to adopt the “Trust But Verify” dictum that President Ronald Reagan once espoused when negotiating nuclear arms treaties.An ounce of prevention is worth a pound of cure. Cybersecurity teams have to be proactive about public cloud security. Click To Tweet
While waiting for a great cybersecurity epiphany to occur among developers, cybersecurity professionals in the meantime would be well advised to remember another old adage: an ounce of prevention is worth a pound of cure. Rather than waiting for the inevitable cloud breach to occur, cybersecurity teams should proactively scan for misconfigurations and other vulnerabilities before they get discovered by any number of bad actors. At this point, it’s safe to assume these vulnerabilities now potentially number in the hundreds of millions. The race is now on to see who will discover those vulnerabilities first.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.