Cloud computing continues to transform the way organizations use, store, and share data, applications, and workloads. It has also introduced a host of new security threats and challenges. With so much data going into the cloud—and into public cloud services in particular—these resources become natural targets for bad actors.
Contrary to what many might think, the main responsibility for protecting corporate data in the cloud lies not with the service provider but with the cloud customer.
To provide organizations with an up-to-date understanding of cloud security concerns so they can make educated decisions regarding cloud adoption strategies, the Cloud Security Alliance (CSA) has created the latest version of its Treacherous 12 Top Threats to Cloud Computing Plus: Industry Insights report.
1. Data breaches:
A data breach might be the primary objective of a targeted attack or simply the result of human error, application vulnerabilities, or poor security practices, CSA says.
2. Insufficient identity, credential, and access management:
Bad actors masquerading as legitimate users, operators, or developers can read, modify, and delete data; issue control plane and management functions; snoop on data in transit or release malicious software that appears to originate from a legitimate source, CSA says.
3. Insecure interfaces and application programming interfaces (APIs):
Cloud providers expose a set of software user interfaces (UIs) or APIs that customers use to manage and interact with cloud services.
4. System vulnerabilities:
System vulnerabilities are exploitable bugs in programs that attackers can use to infiltrate a system to steal data, taking control of the system or disrupting service operations.
5. Account hijacking:
Account or service hijacking is not new, CSA notes, but cloud services add a new threat to the landscape. If attackers gain access to a user’s credentials, they can eavesdrop on activities and transactions, manipulate data, return falsified information and redirect clients to illegitimate sites.
6. Malicious insiders:
While the level of threat is open to debate, the fact that insider threat is a real adversary is not, CSA says.
7. Advanced persistent threats (APTs):
APTs are a parasitical form of cyber attack that infiltrates systems to establish a foothold in the IT infrastructure of target companies, from which they steal data.
8. Data loss:
Data stored in the cloud can be lost for reasons other than malicious attacks, CSA says.
9. Insufficient due diligence:
When executives create business strategies, cloud technologies and service providers must be considered, CSA says. Developing a good roadmap and checklist for due diligence when evaluating technologies and providers is essential for the greatest chance of success.
10. Abuse and nefarious use of cloud services:
Poorly secured cloud service deployments, free cloud service trials, and fraudulent account sign-ups via payment instrument fraud expose cloud computing models to malicious attacks, CSA says.
11. Denial of service (DoS):
DoS attacks are designed to prevent users of a service from being able to access their data or applications.
12. Shared technology vulnerabilities:
Cloud service providers deliver their services scalably by sharing infrastructure, platforms or applications, CSA notes. Cloud technology divides the “as-a-service” offering without substantially changing the off-the-shelf hardware/software—sometimes at the expense of security.