The Cloud Security Alliance has unveiled its Top Threats to Cloud Computing: Egregious Eleven report, which lists the top 11 cybersecurity problems facing cloud computing users. It is the first major update to the list since 2016, when the Alliance released the Treacherous 12, although in the interim it has released reports that take a deep dive into the threats with case studies.
Data breaches still top the list, unmoved since 2016. Other perennial threats remaining on the list from last time are poor identity management, insecure APIs, account hijacking, insider threats and the abuse and nefarious use of cloud services.
That leaves room for five new threats.
Weak control plane
In this scenario, the user doesn't understand how data flows in the cloud and might lack secure processes for protecting and verifying it.
Metastructure and applistructure failures
This risk revolves around the application programming interfaces that allow customers to extract information about security protections and operations in the cloud. Examples include logging and audit information. Cloud service providers (CSPs) must understand what to provide, and customers must use it wisely, the report warns.
Misconfiguration and inadequate change control
It's no wonder that this threat appeared on the list. It concerns the misconfiguration of cloud resources that could then expose sensitive information. Every accidentally exposed S3 bucket or Elasticsearch database falls into this category.
Lack of cloud security architecture and strategy
The big problem here is a misunderstanding of the shared-responsibility model. Customers lift and shift their operations into the cloud assuming that the CSP will take care of all the security, without understanding their own responsibilities.
Limited cloud usage visibility
This is the culprit behind shadow IT, in which users buy cloud applications without informing IT and then use them insecurely.
What's interesting about this release is its increasing focus on administrator mistakes rather than purely on external bad actors and more traditional security issues. In short, the security challenges are becoming more nuanced, according to the Alliance, which suggests a gradual maturing of the cloud security landscape.