The Cloud Security Alliance has published a list of the top 11 threats to cloud security based on a survey of 700 industry experts.
The Top Threats to Cloud Computing: The Pandemic 11 report identifies those top threats as:
1. Insufficient identity, credentials, access, and key Management
2. Insecure interfaces and application programming interfaces (APIs)
3. Misconfiguration and inadequate change control
4. Lack of cloud security architecture and strategy
5. Insecure software development
6. Unsecured third-party resources
7. System vulnerabilities
8. Accidental cloud data disclosure
9. Misconfiguration and exploitation of serverless and container workloads
10. Organized crime/hackers/advanced persistent threats (APTs)
11. Cloud storage data exfiltration
When considered in their entirety it’s clear that cloud security is a major concern. And yet, the number of workloads being shifted to the cloud only continues to accelerate. It would appear it’s only a matter of time before the size and scope of cloud security breaches expand exponentially.
However, when the 11 threats to cloud security are further reviewed it also becomes apparent that it’s not so much the platforms that are insecure as much as it is the way they are employed. Organizations still routinely allow developers with little to no cybersecurity expertise to directly provision cloud infrastructure with no guardrails in place. The probability a developer will make a mistake is exceedingly high.
The truth is the supposed gain in developer productivity that might be achieved by allowing them to use tools such as Terraform to configure cloud services without any kind of security review is simply not worth the inherent risk. Organizations that allow developers to provision applications and cloud infrastructure without a security review are engaging in what challenged in a court could easily determine to be a reckless disregard of the interests of their customers. As any lawyer knows, it’s only when the term reckless gets applied that the penalties start to climb into the millions.
There are, of course, two sides to every controversy. For every action, there is an equal and opposite reaction. When developers first started advocating for the cloud many cybersecurity professionals deemed the risk was too high. Rather than work with developers to define the processes required to secure those platforms, many cybersecurity professionals in a state of hubris found it was easier to just say no. Much to their chagrin, many of them soon discovered they lacked the political capital to make that position stick. The proverbial gates were thrown open and, not surprisingly, cybersecurity chaos has ensued.
Today there is now a great cloud securing reckoning underway. Organizations of all sizes are reviewing their software supply chains in the wake of an executive order issued by the Biden administration that made it clear to all that there are fundamental issues that can no longer be ignored. Cybersecurity professionals and developers are now being required to find common ground around a set of best DevSecOps practices that enable secure applications to be built without slowing down the rate at which they are being built. In hindsight, that should have always been the goal. The cloud security challenge and the opportunity now to take advantage of this second chance to collaboratively start anew to achieve meaningful cloud security before something truly cataclysmic will otherwise inevitably occur.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.