The Cloud Security Alliance's 'Treacherous Twelve' cloud security risks include twelve risks ranked in order of perceived severity by developers and IT managers. The organization attributed the risks to the shared, on-demand nature of cloud computing—yet most of them are easily preventable.
The Cloud Security Alliance is a not-for-profit organization that periodically publishes guidance relating to common cloud security risks. The organization published its Treacherous Twelve cloud security risks based on the opinions of hundreds of developers and IT managers from across various industries in the United States and the rest of the world.
The list of risks contains what many cloud experts would expect, a selection of issues attributable to a lack of cloud security best practices and adequate governance. There’s also a fair amount of duplication in the list to the extent that, for example, ‘Weak Identity, Credential, and Management’ could be responsible for as many as six other items on the list.
The full list of risks, ranked in order of perceived severity, are:
- Data Breaches
- Weak Identity, Credential, and Access Management
- Insecure APIs
- System and Application Vulnerabilities
- Account Hijacking
- Malicious Insiders
- Advanced Persistent Threats (APTs)
- Data Loss
- Insufficient Due Diligence
- Abuse and Nefarious Use of Cloud Services
- Denial of Service
- Shared Technology Vulnerabilities
Most cloud security risks are preventable
The cloud is inherently secure. Indeed, Cloud Service Providers do a better job of protecting their data centers than most organizations ever did of protecting their on-premises infrastructures. So, why is it that cloud security is such a big issue? Part of the problem is organizations failing to understand their obligations under providers’ shared responsibility models, while others understand their obligations, but fail to fulfill them.
The failure of organizations to take responsibility for security in the cloud isn’t necessarily deliberate. Some organizations lack the knowledge of how to take responsibility. Others have the knowledge but lack the skills. Some have gone as far as conducting a risk assessment and deciding that the effort and cost required to mitigate their cloud security risks outweigh the likelihood of the risk occurring and potential impact on the organization.
However, most of the cloud security risks listed above could be easily prevented with strong access controls, encryption, and app-centric cloud governance. These measures aren’t complicated to implement and only have a limited impact on performance. Consequently, organizations lacking the knowledge, skills, or incentive to secure their cloud environments can address their cloud security risks with minimal disruption
Access controls, encryption, and governance
Addressing Cloud Security Risks with Access Controls
If you believe your organization has adequate access controls, think again. Unless all your users have multi-factor authentication and all your devices have automatic log-off, your cloud infrastructure is at risk from any user interacting with a phishing email or any malicious insider prying on an unattended workstation. Implementing these measures results in a few seconds more to log-in, yet few organizations use both in order to protect their infrastructures from unauthorized access.
Addressing Cloud Security Risks with Encryption
It used to be the case that organizations that encrypted everything suffered from a significant loss of performance. Now, due to the more powerful, latest generation services, performance loss due to encryption is minimal. Nonetheless, organizations that want to ensure the end-user experience is unaffected by encryption can use tagging to encrypt sensitive data and ensure it’s maintained in a secure environment, and useless to anybody who accesses it without authorization.
Addressing Cloud Security Risks with App-Centric Governance
The term cloud governance usually applies to the rules governing an entire organization’s operations in the cloud. However, it can also be applied to individual applications in order to create granular-scale governance rules for cost, performance, and security. App-centric cloud governance is an effective way of preventing Advanced Persistent Threats and hackers moving laterally through your network. It can also prevent the duplication of misconfigurations and insecure APIs.
How CloudHealth can help identify cloud security risks
CloudHealth’s policy engine be used to help monitor your organization’s cloud around the clock to identify potential cloud security risks. For example, you can leverage the default CloudHealth security policy to be notified of violations such as when an account has multi-factor authentication disabled.
The CloudHealth Security Violation Report can also identify publicly-accessible storage volumes and alert you to security vulnerabilities such as unauthorized open ports. In addition to the security functionality, CloudHealth can also execute governance functions like terminating assets launched outside a U.S. region.